Unpatched OS X Java Vulnerabilities Drawing Attention


macrumors bot
Original poster
Apr 12, 2001

Programmer and former Apple engineer Landon Fuller has released a proof-of-concept exploit demonstrating vulnerabilities in Apple's current implementation of Java that allow arbitrary code execution in Java-enabled Web browsers. While the vulnerabilities, first discovered last August, were disclosed and patched by Sun last December, Apple has yet to roll out a fix for its own implementation of Java.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.
With the recent release of OS X 10.5.7 failing to address the vulnerabilities, Fuller decided to create and release his proof-of-concept exploit in order to bring attention to the severity of the issue. The proof-of-concept exploit uses a browser-based Java applet to activate the Unix "say" command on the user's system and recite a statement regarding the exploit initiating an innocuous process.

The only recommended workaround at this time is to disable Java applets in all browsers and to disable the 'Open "safe" files after downloading' option in Safari. Disabling Java applets will cause some websites to behave incorrectly, but no other protection against exploits of the vulnerabilities is available until Apple releases a patch.

Article Link: Unpatched OS X Java Vulnerabilities Drawing Attention


macrumors 601
Nov 19, 2007
Georgia, USA
I'm not really sure how to rate this news article.

I could rate Positive because Landon Fuller is really trying to bring the issue to everybody's attention. But then I could rate Negative because Apple still hasn't resolved this issue.

Hmm... decisions, decisions.


macrumors 6502a
Apr 14, 2007
When I read this, I immediately went to Safari's preferences menu to disable Java, only to find that I'd already disabled it. I'most likely have had it disabled since right after I finished installing OS X, along with 'Open "safe" files after downloading' of course...

Never noticed anything missing on the web without it. At all.


macrumors 65816
Apr 26, 2005
Workaround is to disable Java in your browser

Here's the blog post from Intego:

The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.

If you use Firefox, this setting is found on the Content tab of the program’s preferences.




Moderator emeritus
Oct 8, 2002
The Bamboo Forest
Welp...it's been good, guys. but we all knew this day would come.
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.


macrumors 6502a
Mar 4, 2005


macrumors 68040
May 28, 2008
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They've been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quick as possible. I know I can disable Java and will probably not miss it, but that's not the point here.


macrumors regular
Jun 19, 2007
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.
The big problem is that this vulnerability has been known about for a while. Apparently it's been known about for 6 months. Other companies have already patched it, but Apple hasn't done anything about it.


macrumors 6502
May 30, 2008
I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>
Well that's your problem since it runs just fine here.

Yeah because Java exploits is something new...
Yeah man, java has been exploited before, so we're safe. :confused:


macrumors regular
Jul 24, 2008
This reminds me of how I don't like the fact that Apple has to release java on it's own to begin with...


macrumors 6502
Sep 21, 2008
You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...

Westside guy

macrumors 603
Oct 15, 2003
The soggy side of the Pacific NW
Hopefully this'll get patched soon, now that it's being widely acknowledged. But it did serve as a good reminder for me to turn off Java.

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you? :p


macrumors 6502
Sep 15, 2008
The first thing I do when I install any browser is disable Java Applets. The thought of having such a powerful programming environment available to all and sundry is scary. Javascript itself is bad enough.

When you browse around the web these days, you are not just viewing this URL and viewing that URL, you are running this program and running that program. Hundreds of programs one after the other and you often know nothing about who wrote them. People are so careful about what they install, but then just browse any old where.


macrumors regular
Sep 1, 2008
Sounds sad, but I would do anything to keep the Mac community safe from Viruses. This shouldn't be the time that viruses come in mass for Macs.

If your in Safari 4, go tell Apple about it. I clicked the bug button :)

They probably know, but oh well. Still do it :) :apple::apple::apple:;)
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.