Mac OS X vulnerable to critical Java bug

Apple's Mac OS X is vulnerable to a security flaw in Java that was originally publically disclosed almost six months ago, a security researcher has warned.

The flaw affects a number of platforms running Java, and has been patched by most other operating-system vendors, noted researcher Julien Tinnes in a blog post on Tuesday.

"Unfortunately, it is still not patched in [Apple's] latest security update from just a few days ago," he wrote.

Exploits can be written purely in Java code, meaning they work on multiple platforms, Tinnes said. He recommended that Mac OS X users disable Java in their web browsers.

"This one is a pure Java vulnerability," Tinnes wrote in the post. "This means you can write a 100 percent reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers."

Java is enabled by default in Mac OS X browsers such as Firefox and Safari, and Tinnes said he had successfully exploited the Java bug on both browsers.

The bug (designated CVE-2008-5353 in the Common Vulnerabilities and Exposures database) was first reported to Sun in August of last year, and was patched by Sun in December.

It allows a remote attacker to take over a system, and was ranked as "highly critical" by security vendor Secunia.

The vulnerability affects multiple implementations of Java, including OpenJDK, GIJ and icedtea, as well as Sun's own implementation, security researchers said.

Tinnes noted that many companies use web applications that rely on a specific Java version, and that Java updates can break those applications. "This may be the reason why Apple's Java updates are so infrequent," he wrote.