5-month-old critical Mac OS X Java security hole allows applets to execute arbitrary code

Posted in macOS, edited January 2014
Landon Fuller, of SoyLatte fame, has provided a proof of concept that easily exploits this security hole in the Java shipped with Mac OS X. The following link provides a damning disclosure of this exploit and demonstrates Apple's lackadaisical attitude towards fixing critical security bugs:

http://landonf.bikemonkey.org/code/m....20090519.html



Until Apple releases a Java update that fixes this problem it would be wise to disable Java applet support in any web browser used under Mac OS X.



-ad
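As an added example (not part of the original post), the following POSIX shell script reports whether Safari's Java applet plugin is still enabled on a Mac and can turn it off, while leaving JavaScript alone. It assumes the Safari preference domain `com.apple.Safari` and the WebKit preference keys `WebKitJavaEnabled` and `WebKitJavaScriptEnabled`; those key names are taken from WebKit's preference naming and should be verified against your Safari version before relying on them. The `defaults` tool is macOS-only, so the `check`/`disable` actions do nothing useful elsewhere, but the interpretation logic is pure shell.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reports and optionally disables Safari's Java applet plugin via `defaults`,
# leaving JavaScript untouched (the two are separate WebKit preferences).
# Preference keys below are assumed from WebKit's preference names; verify them
# on your own Safari version.

SAFARI_DOMAIN="com.apple.Safari"      # assumed Safari preference domain
JAVA_KEY="WebKitJavaEnabled"          # assumed key for the Java applet plugin
JS_KEY="WebKitJavaScriptEnabled"      # assumed key for JavaScript (unrelated to the bug)

# interpret_pref RAW STATUS
# Turns the raw output of `defaults read` plus its exit status into one of
# "enabled", "disabled" or "unset".  A non-zero status means the key is absent,
# in which case WebKit falls back to its built-in default; at the time that
# default was "Java on", so "unset" must be treated as still exposed.
interpret_pref() {
    raw="$1"
    status="$2"
    if [ "$status" -ne 0 ]; then
        echo "unset"
        return 0
    fi
    case "$raw" in
        1|true|TRUE|YES|yes) echo "enabled" ;;
        0|false|FALSE|NO|no) echo "disabled" ;;
        *)                   echo "unset" ;;
    esac
}

# exposure_verdict JAVA_STATE
# Only the Java plugin matters for this applet bug; anything other than an
# explicit "disabled" leaves the attack surface in place.
exposure_verdict() {
    case "$1" in
        disabled) echo "safe: Java applets disabled" ;;
        *)        echo "EXPOSED: Java applets still $1" ;;
    esac
}

# read_pref KEY -> enabled|disabled|unset (macOS only: needs `defaults`)
read_pref() {
    raw=$(defaults read "$SAFARI_DOMAIN" "$1" 2>/dev/null)
    status=$?
    interpret_pref "$raw" "$status"
}

# Disable Java applets only; JavaScript is left as it is.  Safari must be
# restarted for the change to take effect.
disable_java() {
    defaults write "$SAFARI_DOMAIN" "$JAVA_KEY" -bool false
}

case "${1:-}" in
    check)
        java_state=$(read_pref "$JAVA_KEY")
        js_state=$(read_pref "$JS_KEY")
        echo "Java plugin:  $java_state"
        echo "JavaScript:   $js_state (not affected by this bug)"
        exposure_verdict "$java_state"
        ;;
    disable)
        disable_java && echo "Java applets disabled; restart Safari."
        ;;
    *)
        echo "usage: $0 check|disable"
        ;;
esac
```

Run `sh java_check.sh check` to see the current state and `sh java_check.sh disable` to turn the plugin off; the script deliberately treats a missing key as exposed rather than safe, because an absent preference means Safari uses its default rather than an explicit "off".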

Comments

  • Reply 1 of 3
    This means un-checking both Java and Javascript in the browser preferences, or just Java?
  • Reply 2 of 3
    javacowboy (Posts: 864, member)
    First of all, Java and JavaScript are two entirely different things. The first is a runtime and programming language developed by Sun Microsystems that commonly runs on servers but also on desktop applications and within Applets. It's not part of any browser aside from being included as plugins (Safari includes it automatically). JavaScript is a runtime that's only within browsers, but it's included in all browsers. It's a scripting language used to make web pages more interactive, and doesn't require plugins to work.



    The vulnerability is in Java, not JavaScript.



    Having said that, Sun develops and distributes Java for the following operating systems:



    1) Windows (all versions)
    2) Linux (all distributions)
    3) Solaris and OpenSolaris



    Sun doesn't distribute Java for OS X. They have an agreement with Apple wherein Apple licenses the technology from Sun and Apple develops their own version of Java.



    The vulnerability in question was fixed by Sun 5 months ago, and was deployed to Windows, Linux, and Solaris (OpenSolaris). However, Apple has not yet updated their version of Java, despite the fix being available for several months. This is because Apple doesn't consider Java a priority, and traditionally lags well behind Sun in making changes to Java.



    I normally defend Apple, but this is truly deplorable on their part. It's irresponsible for a major operating system vendor to de-emphasize security to this extent, especially when a full alternative version of Java doesn't exist for OS X. OS X users have little choice but to disable the Java browser plugin altogether until Apple issues a patch.



    The open-source version of Java (OpenJDK 6) is available, but all the graphical functionality outside of X11 hasn't been developed yet, because that source code was written by Apple and is closed source.
  • Reply 3 of 3
    So, Java should be unchecked, but JavaScript can remain enabled. Got it. Thanks for the info...