Unpatched OS X Java Vulnerabilities Drawing Attention

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,641
10,958
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png

Programmer and former Apple engineer Landon Fuller has released a proof-of-concept exploit demonstrating vulnerabilities in Apple's current implementation of Java that allow arbitrary code execution in Java-enabled Web browsers. While the vulnerabilities, first discovered last August, were disclosed and patched by Sun last December, Apple has yet to roll out a fix for its own implementation of Java.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.
With the recent release of OS X 10.5.7 failing to address the vulnerabilities, Fuller decided to create and release his proof-of-concept exploit in order to bring attention to the severity of the issue. The proof-of-concept exploit uses a browser-based Java applet to activate the Unix "say" command on the user's system and recite a statement regarding the exploit initiating an innocuous process.

The only recommended workaround at this time is to disable Java applets in all browsers and to disable the 'Open "safe" files after downloading' option in Safari. Disabling Java applets will cause some websites to behave incorrectly, but no other protection against exploits of the vulnerabilities is available until Apple releases a patch.

Article Link: Unpatched OS X Java Vulnerabilities Drawing Attention
 

themoonisdown09

macrumors 601
Nov 19, 2007
4,319
15
Georgia, USA
I'm not really sure how to rate this news article.

I could rate Positive because Landon Fuller is really trying to bring the issue to everybody's attention. But then I could rate Negative because Apple still hasn't resolved this issue.

Hmm... decisions, decisions.
 

itickings

macrumors 6502a
Apr 14, 2007
928
5
When I read this, I immediately went to Safari's preferences menu to disable Java, only to find that I'd already disabled it. I'most likely have had it disabled since right after I finished installing OS X, along with 'Open "safe" files after downloading' of course...

Never noticed anything missing on the web without it. At all.
 

amac4me

macrumors 65816
Apr 26, 2005
1,303
0
Workaround is to disable Java in your browser

Here's the blog post from Intego:

The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.

If you use Firefox, this setting is found on the Content tab of the program’s preferences.

http://blog.intego.com/2009/05/20/intego-security-memo-java-vulnerability/

 

SilentPanda

Moderator emeritus
Oct 8, 2002
9,992
30
The Bamboo Forest
Welp...it's been good, guys. but we all knew this day would come.
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.
 

Undecided

macrumors 6502a
Mar 4, 2005
696
150
California

ghostface147

macrumors 68040
May 28, 2008
3,182
2,724
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They've been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quick as possible. I know I can disable Java and will probably not miss it, but that's not the point here.
 

roger6106

macrumors regular
Jun 19, 2007
109
0
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.
The big problem is that this vulnerability has been known about for a while. Apparently it's been known about for 6 months. Other companies have already patched it, but Apple hasn't done anything about it.
 

sd2009

macrumors 6502
May 30, 2008
333
0
I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>
Well that's your problem since it runs just fine here.

Yeah because Java exploits is something new...
Yeah man, java has been exploited before, so we're safe. :confused:
 

lukin

macrumors regular
Jul 24, 2008
124
0
This reminds me of how I don't like the fact that Apple has to release java on it's own to begin with...
 

OrganMusic

macrumors 6502
Sep 21, 2008
290
1
Chicago
You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...
 

Westside guy

macrumors 603
Oct 15, 2003
5,689
2,844
The soggy side of the Pacific NW
Hopefully this'll get patched soon, now that it's being widely acknowledged. But it did serve as a good reminder for me to turn off Java.

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you? :p
 

SydneyDev

macrumors 6502
Sep 15, 2008
346
0
The first thing I do when I install any browser is disable Java Applets. The thought of having such a powerful programming environment available to all and sundry is scary. Javascript itself is bad enough.

When you browse around the web these days, you are not just viewing this URL and viewing that URL, you are running this program and running that program. Hundreds of programs one after the other and you often know nothing about who wrote them. People are so careful about what they install, but then just browse any old where.
 

o0samotech0o

macrumors regular
Sep 1, 2008
193
0
Sounds sad, but I would do anything to keep the Mac community safe from Viruses. This shouldn't be the time that viruses come in mass for Macs.

If your in Safari 4, go tell Apple about it. I clicked the bug button :)

They probably know, but oh well. Still do it :) :apple::apple::apple:;)
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.