Mac OS X vulnerable to 6-month old Java flaw
Attention Mac OS X users: Turn Java off immediately or you could be at high risk of malicious code execution attacks.
Tired of waiting for a patch from Apple for a Java flaw that was fixed upstream six months ago, Mac developer Landon Fuller (of Month of Apple Bugs/Fixes fame) has released a proof of concept exploit to demonstrate the severity of the issue.
Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated. Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue.
If you visit the following page, "/usr/bin/say" will be executed on your system by a Java applet, with your current user permissions. This link will execute code on your system with your current user permissions. The proof of concept runs on fully-patched PowerPC and Intel Mac OS X systems.
Fuller recommends that Mac OS X users disable Java applets in their browsers (both Firefox and Safari) and disable 'Open "safe" files after downloading' in Safari.
The vulnerability in question is CVE-2008-5353 which was publicly disclosed and fixed by Sun in January this year.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.
Unfortunately, these vulnerabilities remain in Apple's shipping JVMs.
In an interesting twist, security researcher Julien Tinnes actually attempted to use this vulnerability in this year's CanSecWest PWN2OWN contest but, because it was already patched by Sun -- and Apple was aware of it -- the exploit was disqualified.
Talkback
Nah.....
Yet it has twice been the first to be hacked in contests.
2nd year it fell twice on two different vulnerabilities. The hacker said they are easy to hack.
Make it fair
Wrong.
special rights, or social engineering.
I suggest you do some research into the exploits before commenting.
Maybe, Maybe not.....
Pacifism is not the opposite of Activism
"Pacifism" is not the opposite of "activism", and I don't think we have ever really tried pacifism. The words "passive" and "pacific" are not related.
As for the article. It could be argued that aggressive anti-malware protection is a pacifist stance because it prevents invasion without committing violence against the publisher of the bad code. Mac users are currently quite *passive* about malware threats. At some point there will be a widespread attack from the wilds of cyberspace, but until then, most of us prefer the risk over loading down our CPUs with anti-malware. I will humbly accept an "I told you so" when the time comes. Until then, I browse with care and download only from known and trusted software sources.
I am curious
Good points.
@daMan25
Or just
Can't. Not until Apple has made a patch available. (nt)
But the flaw has been fixed...
And I am an OS X user, I just happen to also develop Java apps, so it is frustrating that newer and fixed versions are unavailable on OS X :(
Blah Blah Blah, sky is falling
wild.
I'll not worry about it, thanks.
Then again you do work for a Virus software vendor and
hyping up threats is what gets you guys business....
How many websites are compromised each *DAY*?
With user privileges you can do an awful lot. Ransomware, for example.
It runs on *Java*. Macs are vulnerable. Surprisingly enough, Windows isn't since MS lets Sun deal with Java now. :)
Linux distros aren't either. Only Mac the smug. Looks like Mac's just been knifed. Without any user interaction. :)
And yes, that's a bit of Schadenfreude.
You just said it yourself;
Java.
You can fix this problem by updating Java. There.
Was that so hard?
The question is...
While the malware may only have the permissions of the user, that could be enough to acquire and transmit personal information, like passwords and credit card numbers (with the verification code). Or perhaps set up spambots and bots for DoS attacks.
What many people on this forum seem to forget is that most users in this day and age aren't geeks. What's simple for us is often almost inconceivable for them. I have no wish for Mac users to suffer for the platform they use (unlike others I have seen here), but this *is* a problem with OS X, if it affects computers running OS X.
As the security on Windows has improved, malware authors have targeted applications that run in Windows. That still makes it a problem for Windows users. So it goes for Macs. If something affects you, it's your problem, no matter who is to blame. If you're crossing the street in a crosswalk and get hit by a car because the driver ran a red light, it's his fault. *You're* still the one who gets hurt.
Can't have it both ways
everyone screams bloody murder
Apple doesn't make their apps auto-update..
everyone screams bloody murder
Anyone questions Microsoft.. everyone screams
bloody murder
Looks like no matter what happens, everyone on
ZDNet freaks out about it =/
Except there *is* no patch for Apple...
Anybody want Apple flambe? :)
Why WOULD the patch come from Apple?
Because...
Therefore, OS X users are at the whim of Apple and when they finally get around to implementing the fixes that Sun feed Apple...