Just in: How Microsoft dodged the Yahoo bullet

Topic: Operating Systems

Apple patches critical Java for Mac, Mac OS X security holes

Summary: Apple has shipped a high-priority Java for Mac update to cover multiple security vulnerabilities that expose Mac OS X users to hacking attacks.

Ryan Naraine

By for Zero Day |

Apple has shipped a high-priority Java for Mac update to cover multiple security vulnerabilities that expose Mac OS X users to hacking attacks.

According to warnings from Apple, the vulnerabilities could allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.

The risks:

Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

The updates are available for Mac OS X v10.6.6 and Mac OS X v10.5.8.follow Ryan Naraine on twitter

The Java for Mac patches follows the weekend release of a major Mac OS X security update to cover major security holes.

Some of the Mac OS X security holes could lead to remote code execution via rigged fonts or PDF files. The components affected by critical vulnerabilities include ATS, ColorSync, CoreFoundation, CoreGraphics, ImageIO.

Apple also warned about security flaws in MobileMe, MySQL, OpenSSL, QuickLook and QuickTime.

Topics: Operating Systems, Apple, Hardware, Open Source, Security, Software, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

35 comments
Log in or register to join the discussion

  • may lead to arbitrary code execution with the privileges of the current use

    <i>"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user."</i><br><br>But I have been told by a very knowledgeable commentator on this very site, that OS X always require social engineering for an exploit to work?

    How can this then be? Isn't the magical, secret component and the awesome Unix heritage protecting OS X through the RDF shield?
    honeymonster
    Reply Vote

    • Links are useful when accusing others

      I'd question the knowledge of the commentator if the claim is true.

      Given the few (if any) sites still using Java applets I disable Java in Safari and "open safe files" on all my Macs.

      OK it doesn't solve all problems, but these two attack vectors have been exposed in a large number of documented vulnerabilities in Mac OS X. I'd like to see Apple adopt this as the default.
      Richard Flude
      Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @Richard Flude
        Exactly right. Java in the browser offers no benefit* and opens a gaping hole.

        For those who feel compelled to misquote the informed and quote the misinformed, have your jollies. Give it about an hour, maybe two, then double check that your java and .net on Windows are also up to date.

        Because when java is identified as a problem, it is a problem on Windows, Linux, *BSD, and any other platform where a jvm is found.

        .net gets its share of updates as well.

        *Oh yes, $#%%%#%@% GoToMeeting browser-version required me to activate java the last time I used it. The irony was, it was a demonstration of app-building software that now could be used ? Ta Da? for iOS apps. They demonstrated how darn quickly they could build an UGLY app. I asked the marketing textbot about good looking apps, and as I was awaiting my reply (Oh, yeah, you can do it if you want) the presenter commented on how they didn't feel beholden to the gui hegemony of Steve Jobs. Okay, next. But, my big hint to development environment product sellers? The quickness to deliver a good interface is where you have to compete with the free XCode. But I digress while the java update downloads.
        DannyO_0x98
        Reply Vote

      • One right here

        @Richard Flude <br><i>I'd question the knowledge of the commentator if the claim is true.</i><br><br>Look no further. You have several in play right here in this thread. Defend the hive! Defend the hive!<br><br><i>Given the few (if any) sites still using Java applets I disable Java in Safari and "open safe files" on all my Macs.</i><br><br>Two problems:<br><br>Firstly, Java applets are not used much on the "public" Internet, but unfortunately they are being used on private and "partner" nets for things like authentication and advanced access to hardware, e.g. sensors, printers etc. Which means that a lot of users still depend on them in certain situations. <i>And in Safari you cannot switch Java on just for certain sites</i>. It is on or off. In IE at least you can use the zones to switch Java off for anything but specifically trusted sites or the corporate intranet zone. I mainly use Chrome, but this is one thing IE got right.<br><br>Secondly, the two most used browsers on OS X, Safari and Firefox, <u>still don't have sandboxing</u>. Chrome runs in a sandbox. Internet Explorer runs in a sandbox. Firefox doesn't. Safari doesn't. When a browser is exploited through a vulnerability, there nothing stopping the attacker from compromising the user account. With Chrome and IE the attacker still has to break out of the sandbox. Which has proven really hard.
        honeymonster
        Reply Vote

    • RE: Apple patches critical Java for Mac, Mac OS X security holes

      @honeymonster

      How do you get people to visit your "maliciously crafted untrusted Java applet" containing webpage?

      By magic or social engineering?

      The fatal flaw in your failure of a post.
      bannedagain
      Reply Vote

      • The same way you get them to do so with Windows.

        @bannedagain: <i>How do you get people to visit your "maliciously crafted untrusted Java applet" containing webpage?</i><br><br>You're welcome.
        ye
        Reply Vote

      • And how is that, ye?

        Why are Windows users so stupid? Why aren't they as 'smart' as you?

        ;)
        ScorpioBlue
        Reply Vote

      • So drive-by exploits doesn't count!

        @bannedagain
        Right, the user has to visit a page with the applet. So drive-by exploits are not that serious. I guess that we can just forget about browser exploits then, because they all require the user to visit a specially crafted page. All of them.

        But tell me, is it this way <i>only on Apple</i> systems or do you also consider IE vulnerabilities non-existing because they require the user to visit the web page for an exploit to be launched? I'm really interesting in knowing how this looks from inside the RDF.

        BTW, have you ever heard about Google/index/image poisoning? The way attackers can overwhelm certain search terms to point to their <i>maliciously crafted</i> web pages? Or does that also only work on non-Apple systems?
        honeymonster
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @bannedagain
        I'm starting to think that you are a troll. Was I just had?
        honeymonster
        Reply Vote

      • Stupidity is not limited to Windows users.

        @ScorpioBlue: <i>Why are Windows users so stupid?</i><br><br>Just take a look at your own posts as proof.
        ye
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @bannedagain XSS exploit to redirect a user from something like Facebook or a blog to your malicious site. Or compromising web forums and blogs across the internet with a PHP worm. This may sound far fetched, but it's really not... That's how many websites end up hosting Windows malware.

        I think I win now because I just explained exactly how to get people to visit a malicious site with no social engineering. Now would you shut up about how social engineering is the only vector for that sort of attack? It's demonstrably false and attacks of this type have occurred in recent memory. I don't know why, in spite of the fact that I've told you how this works multiple times you continue to espouse this.
        snoop0x7b
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        [i]Just take a look at your own posts as proof[/i]

        But I use Linux most of the time so that doesn't apply.

        So answer the question, pal.
        ScorpioBlue
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @bannedagain As if the social engineering aspect is that difficult. I can post a link in Yahoo chat and have every goober in the chat room eyeballing it in seconds. I don't even have to send a phishing email or mock up a false front end for a popular website. Nope just got to say,"Hey check out this stupid cat." and then post my link and bam instant exploit. The machine can be as safe and secure as can be but, if the person behind it is an idiot what are you going to do? I'll tell you what. You patch the vulnerability so that the idiot on the other side of the keyboard doesn't get nailed by a malicious exploit.

        I think the only difference is if you are targeting a malicious code execution then who do you target? OSX? No because OSX doesn't make up a significant portion of the market. Why bother writing up a malicious page for less than 10% of the installed OS base? If you want to get right down to it that is OSX's strongest security asset, the fact that it isn't heavily used. If the market was split more evenly you can believe that OSX would be just as exploited as Windows. The talent is out there but, the motivation isn't.
        Str0b0
        Reply Vote

  • Just to clarify, this one doesn't count

    Apple didn't write Java so it doesn't count.<br><br>Just to clarify though, all Adobe and Java vulnerabilities on IE (Windows) do count because IE is embedded in the kernel and can't be uninstalled.
    woulddie4apple
    Reply Vote

    • RE: Apple patches critical Java for Mac, Mac OS X security holes

      @woulddie4apple IE is embedded in the kernel? that's news to me. News to the folks at Microsoft and anyone else too.
      Your Non Advocate
      Reply Vote

      • I've heard that a million times on ZDNet

        @facebook@...
        It must be true. There is no way that a lie could be repeated a million times on ZDNet.
        woulddie4apple
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @woulddie4apple<br><br>I believe that up until IE8, it was embedded in the OS. <br><br>Now that the DoJ is off their backs, I fully expect it will be embedded again.
        ScorpioBlue
        Reply Vote

      • RE: Apple patches critical Java for Mac, Mac OS X security holes

        @ScorpioBlue

        Probably not... It was a poor design decision engineering wise, and they know it. Also they still have European regulators on their back... It simplifies how they manage the branches for Windows 7N and Windows 7 to continue doing it how it is now.
        snoop0x7b
        Reply Vote

    • RE: Apple patches critical Java for Mac, Mac OS X security holes

      @woulddie4apple

      LOL! What a bunch of bull.
      The one and only, Cylon Centurion
      Reply Vote

      • Don't fall for it

        @Cylon Centurion
        you're feeding the troll.
        use_what_works_4_U
        Reply Vote
CNET Join | Log In | Privacy | Cookies Close