Tired of waiting for a patch from Apple for a Java flaw that was fixed upstream six months ago, Mac developer Landon Fuller (of Month of Apple Bugs/Fixes fame) has released a proof of concept exploit to demonstrate the severity of the issue.
Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated. Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release a my own proof of concept to demonstrate the issue.
If you visit the following page, "/usr/bin/say" will be executed on your system by a Java applet, with your current user permissions. This link will execute code on your system with your current user permissions. The proof of concept runs on fully-patched PowerPC and Intel Mac OS X systems.
Fuller recommends that Mac OS X users disable Java applets in their browsers (both Firefox and Safari) and disable 'Open "safe" files after downloading' in Safari.
The vulnerability in question is CVE-2008-5353 which was publicly disclosed and fixed by Sun in January this year.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.
Unfortunately, these vulnerabilities remain in Apple's shipping JVMs.
In an interesting twist, security researcher Julien Tinnes actually attempted to use this vulnerability in this year's CanSecWest PWN2OWN contest but, because it was already patched by -- and Apple was aware of it -- the exploit was disqualified.