Mac OS X Users Warned About Java Vulnerability - InformationWeek




SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Mac OS X users are being warned to disable Java applets in their Web browsers and to disable the "Open 'safe' files after downloading" preference in Safari because of a Java vulnerability.
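The two settings named above can be checked and changed from the command line. The script below is an added example, not part of the article or of Intego's advisory; it assumes the com.apple.Safari preference keys AutoOpenSafeDownloads and WebKitJavaEnabled, which should be verified against the Safari version in use.

```shell
#!/bin/sh
# Added example, not from the article: audit (and optionally set) the two
# Safari settings the advisory says to disable. Assumed keys in the
# com.apple.Safari domain: AutoOpenSafeDownloads ("Open 'safe' files after
# downloading") and WebKitJavaEnabled (Java applets); verify them against
# your Safari version. DEFAULTS_CMD is overridable for testing off-Mac.
DEFAULTS_CMD=${DEFAULTS_CMD:-defaults}
SAFARI_DOMAIN=com.apple.Safari
# Keys that must be false (0) for the mitigation to be in effect.
RISKY_KEYS="AutoOpenSafeDownloads WebKitJavaEnabled"

# read_pref KEY: prints the stored value, or "unset" when the key is absent.
read_pref() {
    "$DEFAULTS_CMD" read "$SAFARI_DOMAIN" "$1" 2>/dev/null || echo unset
}

# pref_is_unsafe VALUE: succeeds (0) when the feature is on; Safari ships
# with both features on, so an absent key also counts as unsafe.
pref_is_unsafe() {
    case "$1" in
        0|false|FALSE|no|NO) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_safari: one line per key; exit status = number of unsafe keys.
audit_safari() {
    unsafe=0
    for key in $RISKY_KEYS; do
        value=$(read_pref "$key")
        if pref_is_unsafe "$value"; then
            echo "UNSAFE $key=$value"
            unsafe=$((unsafe + 1))
        else
            echo "ok     $key=$value"
        fi
    done
    return "$unsafe"
}

# harden_safari: writes both keys to false; restart Safari afterwards.
harden_safari() {
    for key in $RISKY_KEYS; do
        "$DEFAULTS_CMD" write "$SAFARI_DOMAIN" "$key" -bool false
    done
}

# Entry point: `sh safari_java_check.sh --audit` or `--fix`; no argument runs nothing.
case "${1:-}" in
    --audit) audit_safari ;;
    --fix) harden_safari && audit_safari ;;
esac
```

Run with `--audit` on each machine to see which of the two settings is still enabled, and with `--fix` to write both to false.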

The Java vulnerability (CVE-2008-5353) was publicly disclosed and fixed by Sun Microsystems five months ago. But Apple, which released Mac OS X 10.5.7 with nearly 70 security fixes earlier this month, has not yet dealt with the issue.

"Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," Mac security company Intego said in a security advisory Wednesday.

This isn't the first time Apple has been criticized for failing to respond to security concerns in a timely manner. Last September, someone using the name "Securfrog" published code to crash QuickTime after allegedly being ignored by Apple. And last August, security researchers said Apple didn't move fast enough to fix the DNS flaw identified by Dan Kaminsky.


Intego says that it hasn't found any malware in the wild that's attempting to exploit this vulnerability.

But programmer Landon Fuller claims otherwise and on Tuesday released proof-of-concept exploit code to demonstrate that the Java hole needs to be patched.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

If a malicious Java applet exploiting this vulnerability were loaded and run in Safari under Mac OS X, it could lead to file access, file deletion, or, in combination with a privilege escalation vulnerability, access to system-level processes and complete control of the system.

Intego predicts just such an applet will appear shortly. "[T]he publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update," the company said in the note that it posted to generate publicity around this vulnerability.
