An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple’s, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.

Here’s Slashdot’s routine Apple+Java bashing, with linked source articles.

At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or… you know what ;)

Update Jun 15th

Three weeks later, Apple finally patched.

10 Responses to “Attention Mac Users”

  1. #1 JB says:

    No…but that’s impossible! Macs are supposed to be ultra secure!

    end sarcasm

  3. #3 GµårÐïåñ says:

    Sarcasm aside, Macs are only as secure as the fact that most people don’t want to waste their time developing anything for it, not that it’s immune or somehow more secure.

  4. #4 AllSaintsDay says:

    Yawn, how did I know the first comment would go something like that. (Let it go already.) Anyways, I’ve been using the nightly builds (http://build.chromium.org/buildbot/snapshots/sub-rel-mac/) of Google Chrome for OS X. Considering Chrome sandboxes the plugins like javascript and as long as an exploit could not escape the sandbox, I would be safe from a system compromise…Right?

  5. #5 Giorgio says:

    @AllSaintsDay:

    Considering Chrome sandboxes the plugins like javascript and as long as an exploit could not escape the sandbox, I would be safe from a system compromise…Right?

    Wrong, sorry.
    Chrome “sandboxes” tabs and plugins in the sense that they live in a separate process and cannot bring down the whole browser with themselves if they crash (plus, as a bonus, some minor security mitigation due to stricter site-based isolation).

    This vulnerability has nothing to do with Chrome’s sandbox nor with JavaScript. Here we’re talking about Java, which by default can do anything a user can, but in a browser applet context is “sandboxed” by its own security manager. In our case, this security manager gets fooled by a bug and the attacker is left free to do anything, from reading your documents and publishing them on his blog to erasing your profile directory for fun.

  6. #6 AllSaintsDay says:

    Dammit, if I would have visited the link posted, I would have found the POC, been able to test my question for the answer and therefore avoid the question.. Sigh

  7. #7 AllSaintsDay says:

    &5 Wait so I just visited the POC at http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html in Chrome. /usr/bin/say was not executed but in Safari and other browsers it was. So does this mean that even though /usr/bin/say did not execute and say anything, I’m still at risk?

  8. #8 Giorgio says:

    @AllSaintsDay:
    Does any other Java applet work? I suspect Chromium’s Java support is not complete yet, on Mac at least…

  9. #9 Tom T. says:

    @ JB and AllSaintsDay:

    OK, the punchline was obvious, but if MS had a remotely alert ad agency, they could use this to rip to shreds the "I’m A Mac - I’m A PC" series of ads (US only?). But I doubt their ad agency is any better than their browser, etc.

  10. #10 AllSaintsDay says:

    @ Giorgio

    You’re right, it is not complete. I couldn’t even get any of the example applets found at http://java.sun.com/applets/jdk/1.4/index.html to work.
