Six Months On, Macs Still Plagued By Critical Java Vuln


Six months on, Macs still plagued by critical Java vuln

No Java applets for you!

By Dan Goodin in San Francisco

19th May 2009 18:05 GMT

"More than six months after Sun Microsystems warned that a flaw in its Java virtual machine made it trivial for attackers to execute malware on end users' machines, the vulnerability remains unpatched on Apple's Mac platform.

Most other operating systems, including Windows and major Linux distributions, fixed the bug months ago. That's a good thing given it is actively being exploited in the wild. Penetration testers, including Immunity and VUPEN Security, consider the threat significant enough to offer their customers exploit code that tests against the bug.

"This bug, and others like it, are essentially 'write once, own all' type deals," Immunity researcher Bas Alberts wrote in an email to The Reg. "So yeah, they're fairly interesting to people on the offense side of the fence."

Full article at The Register - http://www.theregister.co.uk/2009/05/19/un..._vulnerability/


If any Mac users are worried about this, you can either make sure "open safe files after downloading" in Safari preferences isn't enabled or uncheck the Java enable preference. Or run Firefox with NoScript.

As of now this is just a proof of concept; there are no Mac exploits in the wild. And if an exploit does hit before Sun issues a patch, remember: never install an app you didn't download.


oh..

"Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

important part:

on multiple platforms, including Linux and Windows

so all systems

As of now this is just a proof of concept; there are no Mac exploits in the wild. And if an exploit does hit before Sun issues a patch, remember: never install an app you didn't download.

Sun fixed it last year. Apple hasn't rolled the fix into the OS X JRE.


Was that not in the big patch just released by Apple??
