Unpatched OS X Java Vulnerabilities Drawing Attention

[Morod]

I just checked s/w update and got a Java software update for OS X 😀

I knew Apple wouldn't let us down.



Haters can kiss my a....pple 😛

THANKS!

ON EDIT:
Nothing in Software Updater for me. Maybe when I did the Combo Update to 10.5.7 this was included.

 

[sd2009]

Crying shame it take 6+ months to fix a major security flaw.

Except it wasn't major until today and they fixed it within hours. Good luck getting that kind of support from Microsux

 

[mcic1984]

hmm update aint showing for me yet: http://i43.tinypic.com/2gxe3df.png

and can't find the two articles referenced either:
http://support.apple.com/kb/HT3377 and http://support.apple.com/kb/HT1233 gives a "We're sorry. (404)" page.

 

[seashellz]

nothing here either

Since this has been know for a while, maybe this was included in 10.57

was in noted in the documentation?

 

[brop52]

No update for me either. I used the combo 10.5.7 if that has anything to do with it.

 

[mcic1984]

nothing here either

Since this has been know for a while, maybe this was included in 10.57

was in noted in the documentation?

Nope not included in 10.5.7 coz im running 10.5.7 and the vulnerabilities work on both Safari 4 beta and Firefox 3.5 beta 4. (I've now disabled Java).

I suppose the updates are being rolled out but it's odd that the articles linked don't actually work (???).

 

[Undecided]

Well that's your problem since it runs just fine here.

I quit Safari, restarted it and now the exploit works! Whew!

 

[mcic1984]

a search for "Java for Mac OS X 10.5 Update 4" on Google shows that Apple has been working on an update for some time - Developer Preview One was released just under a month ago (http://lists.apple.com/archives/java-dev/2009/Apr/msg00221.html).

 

[BongoBanger]

Except it wasn't major until today and they fixed it within hours. Good luck getting that kind of support from Microsux

Except they do. They have a lot more practice at it than Apple.

Can anyone confirm that the Java update listed above fixes CVE-2008-5353?

 

[Veri]

Apple dislikes Java, and is delaying a fix on purpose to discourage people from using Java on Apple platforms. There is no technical reason to be so slow with simple fixes. Apple is consistently the only firm more Microsoft than Microsoft.

 

[iGod 2.0]

The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.

Really? I have been using OS X for a while now and I have never had a problem. Didn't know that OS X has exploits like that. Does OS X have as many as Windows does??? LOL

 

[commander.data]

Except it wasn't major until today and they fixed it within hours. Good luck getting that kind of support from Microsux

Apple's problem isn't necessary whether there are vulnerabilities in OS X or how quickly they fix vulnerabilities, it's how they communicate about them.

While it's true that experience may have forced Microsoft's hand to respond, but Microsoft does have a good system in dealing with vulnerabilities. The second Tuesday of every month they release a round of security updates and the week before they announce what vulnerabilities are being fixed so that people can plan ahead. They of course release updates sooner, if the vulnerability is critical. And if a vulnerability doesn't have an immediate fix, they often provide a temporary workaround until a patch is released and don't necessarily try to hide or ignore it. This is in contrast to Apple's arbitrary time length between security updates and that they are released with no warning.

Apple's current procedure may be sufficient now since OS X vulnerabilities are not widely exploited so there is less danger, but if Apple is going to make Microsoft the poster-child for software vulnerabilities than Apple should at least learn from Microsoft's experience. A more timely, regular, and well-communicated security update strategy can only be a good thing regardless of how secure OS X is.

 

[Red-red]

Okay, when you run the test page you get asked to accept incoming connections and then the voice starts.

Now is the voice just in the small piece of Java OR is it running something on your mac?

If it's just in the java then do you need to physically click allow incoming connections for something to happen?

 

[mklos]

Amen to that. Why does Apple release it's own Java updates? Does Sun not provide updates for OS X?

The only thing I can think of is Java is an API layer thats built into the OS. That may have something to do with Apple keeping Java up in OS X, but who knows! I kind of wonder the same thing? Why is it up to Apple to fix issues with a piece of software from another software vendor? No other OS creator is responsible for this, so why Apple? Microsoft doesn't have to patch Java issues. Its up to the end user to download the newest version. It should be the same for OS X users IMO. Even if Apple lets them utilize Software Update to push the updates out.

In a way I think this is part of the problem with Apple and software. Seems like they try to do everything. They sometimes (maybe all the time) develop drivers for the video chips they ships Macs with, now we have Java, possibly some kind of Flash/Shockwave implementation, etc. Apple shouldn't be expected to do everything.

 

[LPZ]

Okay, when you run the test page you get asked to accept incoming connections and then the voice starts.

Now is the voice just in the small piece of Java OR is it running something on your mac?

If it's just in the java then do you need to physically click allow incoming connections for something to happen?

It's running the "say" command, in /usr/bin on your Mac. I assume the applet can be modified to run commands from other directories. Bad news in any case.

 

[dmelgar]

I've seen a nasty Mac trojan in the wild

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you? 😛

I STRONGLY agree. I ran into a very nasty Trojan a few weeks back. It has changed my world. Nasty Mac malware DOES exist. I've seen it. If I had been running as admin I probably would never have noticed. The trojan would have installed some service and sat there listening for instructions.
Complacency is bad. Mac users think they're safe. Even after nasty malware has shown up.

 

[ikramerica]

It's running the "say" command, in /usr/bin on your Mac. I assume the applet can be modified to run commands from other directories. Bad news in any case.

True, but it can't bring down the system unless you are running as root.

The thing about ANY security is that it is geared toward protecting the machine, not the user data. I could honestly care less if my OS is compromised as long as my data is safe.

 

[TheWarIsNotOver]

Soo.. now we all have to download Anti-virus software? 😛

Well, maybe http://www.iantivirus.com/ can protect us against trojans and keyloggers... 😉

 

[Red-red]

It's running the "say" command, in /usr/bin on your Mac. I assume the applet can be modified to run commands from other directories. Bad news in any case.

I wasn't sure if it was actually doing it or pretending to do what would happen if you clicked accept.

Either way, It's turned off now until it's fixed.

 

[dmelgar]

Really? I have been using OS X for a while now and I have never had a problem. Didn't know that OS X has exploits like that. Does OS X have as many as Windows does??? LOL

Ok, leave your door open and your keys in your car. You might be fine for days, weeks even. Give it a try... 🙂

 

[MVApple]

I STRONGLY agree. I ran into a very nasty Trojan a few weeks back. It has changed my world. Nasty Mac malware DOES exist. I've seen it. If I had been running as admin I probably would never have noticed. The trojan would have installed some service and sat there listening for instructions.
Complacency is bad. Mac users think they're safe. Even after nasty malware has shown up.

Well I've been using a Mac for a couple months now, but don't you have to type in your password and tell the OS to install a program? As long as you aren't downloading from shady places *ahem* torrent files* then you should be fine.

 

[hughbp]

MS has lots of Experience

Except they do. They have a lot more practice at it than Apple.

Yes, MS gets a lot of practice, and I'll guess they'll get some more with the below event being reported elsewhere on the web. 😱

Hackers have wasted no time targeting a gaping hole in Microsoft's Internet Information Services webserver, according to administrators at Ball State University, who say servers that used the program were breached on Monday.

Microsoft declined to comment.

 

[spidermitch]

Disgruntled?

Landon Fuller "former Apple employee". Is there some animosity here? I realize he thinks he's doing the right thing, but it smells a little to me. I shouldn't judge, but I couldn't help but wonder why he is a "former" employee. Perhaps he went on to greener pastures, who's to say.

I realize the discussion and battle will wage on, but really, can anyone produce some real world examples of effective Mac malware? Aside from "I got a virus once on my Mac and it changed me forever" crap. I chalk most of the problems on the windows side to stoopid users: they've been trained to click on dialogue after dialogue which is how a lot of crap ends up on their pcs.

What do I know, I just work in their world, play in mine 😀

 

[Blue Fox]

Sorry if that may sound rude, but you have been living under a rock, eh?

Check this out!

I know it's a trojan in pirated software, but the botnet is active, as there are hundreds of people not in the know. Just because the group is not as big as on the Windows side doesn't mean they don't do any harm.

We are on to rough times, and if Apple doesn't fix this stuff in a timely manner, I'm very shocked.

But was that Trojan specifically associated with the JAVA problem? I know Mac's can get virus too, I'm not that thick. 😀 But was that trojan the direct result of the original Java issue?

......and it appears Apple fixed the issue. Problem solved.

 

[stormj]

Java?

I'm reading this right, right—it's Java, not JavaScript, right?

Who cares?