Critical Java Vulnerability for Mac OS X Users
Intego Security has reported a critical flaw in the version of Java shipped with Mac OS X. The flaw allows a remote attacker, typically via a malicious applet, to execute code on the user's Mac.
Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue. Security researcher Landon Fuller has published, on his web site, a proof-of-concept Java applet that exploits this vulnerability to demonstrate how easy it is to run code remotely.
For now it seems the best way to protect against the exploit is to switch off Java in your browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets. SoyLatte users do have the option to upgrade to an OpenJDK6 release.
Comments
Bob Smith replied on Thu, 2009/05/21 - 8:45am
Shame on Apple for letting this languish for so long! As a MacBook Pro owner, I find it deplorable that Apple doesn't walk the walk when it comes to their rhetoric on security.
If they can't update and secure OS X Java in a timely manner, then they should get the hell out of the way and let Sun and the Java community do it for them.
David Salter replied on Thu, 2009/05/21 - 4:59pm
in response to: Bob Smith
Sergey Surikov replied on Thu, 2009/05/21 - 10:50pm
Bora Ertung replied on Fri, 2009/05/22 - 8:02am
Bob Smith replied on Fri, 2009/05/22 - 9:44am
The exploit was discovered last year, and Sun fixed it in December. Since Java is open source, it's not something you can really keep a lid on anyway. Apple has had plenty of time to fix this vulnerability and they haven't.
Alex(JAlexoid) ... replied on Fri, 2009/05/22 - 5:58pm
Apple lost interest in Java a long time ago.
And the Java community is used to more than the secretive ways of Apple.
So really, I do not see Apple having Java on its path.
José Luis Jaimes replied on Fri, 2009/05/22 - 10:01pm
David Salter replied on Sat, 2009/05/23 - 5:57am
in response to: Sergey Surikov
Osvaldo Doederlein replied on Sun, 2009/05/24 - 9:47am
I have little hope for Java on the Mac. Apple started to make Java a low-priority feature, and finally to openly oppose Java ("ball and chain"), as soon as they saw the OSX platform succeeding and the iPhone project taking shape. Apple clearly sees Java as a competitive platform. And now that Sun will use every Java runtime, in desktop and mobile devices, as a channel for a competing App Store, there's zero hope that Apple will ever revert its stance towards Java. In fact we'll be very lucky if Snow Leopard updates the JRE to 6u12 level as rumored.
The only reason why Apple doesn't completely kill Java in OSX now is that Java is not the complete client-side failure that critics claim - for one thing there's quite a good number of end-user Swing apps in corporate environments, and also popular development tools. But Apple can pull a Microsoft and keep Java as a second-class citizen on the Mac forever, always 6-12 months behind Sun and ignoring security issues... but "forever" is too strong; perhaps just until the next time the Mac platform flops, because if this happens again Apple will pass the hat, courting again any multiplatform tools that may bring more apps to Macs even if these are non-native apps.
But perhaps I'm just being paranoid over Apple/Java, because the Mac platform is subpar in security (still missing now-basic features like decent address space randomization and data execution prevention), so Java security holes are not something special.
Dann Stone replied on Wed, 2010/12/08 - 9:36am