An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple's, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.
Here's Slashdot's routine Apple+Java bashing, with the source articles linked.
At this moment, the easiest way to protect your Mac web browser is either turning Java off globally or... you know what ;)
Update, Jun 15th
Three weeks later, Apple finally patched it.
May 20th, 2009 at 7:38 pm
No...but that's impossible! Macs are supposed to be ultra secure!
end sarcasm
May 22nd, 2009 at 12:26 am
Sarcasm aside, Macs are only as secure as the fact that most people don't want to waste their time developing anything for it, not that it's immune or somehow more secure.
May 22nd, 2009 at 1:33 am
Yawn, how did I know the first comment would go something like that. (Let it go already.) Anyways, I've been using the nightly builds (http://build.chromium.org/buildbot/snapshots/sub-rel-mac/) of Google Chrome for OS X. Considering Chrome sandboxes the plugins like javascript and as long as an exploit could not escape the sandbox, I would be safe from a system compromise...Right?
May 22nd, 2009 at 1:42 am
@AllSaintsDay:
Wrong, sorry.
Chrome "sandboxes" tabs and plugins in the sense that they live in a separate process and cannot bring down the whole browser with themselves if they crash (plus, as a bonus, some minor security mitigation due to stricter site-based isolation).
This vulnerability has nothing to do with Chrome's sandbox or with JavaScript. Here we're talking about Java, which by default can do anything a user can, but in a browser applet context is "sandboxed" by its own security manager. In our case, this security manager gets fooled by a bug and the attacker is left free to do anything, from reading your documents and publishing them on his blog to erasing your profile directory for fun.
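To make the distinction above concrete, here is an added illustration (not code from the post, the commenter, or Apple's Java) of the applet-style sandbox: the same two calls succeed with no security manager installed and are refused once an applet-like manager is in place. It assumes a JDK 8 to 17 runtime (JDK 18+ needs `-Djava.security.manager=allow`, and JDK 24 dropped the SecurityManager), and that a harmless `true` program exists, as on macOS and Linux.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.security.Permission;
// Constructed demo: an applet-style SecurityManager that forbids two things a
// browser applet must never do: read the user's files and spawn processes.
public class AppletSandboxDemo {
    static class AppletLikeSandbox extends SecurityManager {
        private final String protectedFile;   // stand-in for "the user's documents"
        AppletLikeSandbox(String protectedFile) { this.protectedFile = protectedFile; }
        // Permit everything else so the JVM's own housekeeping keeps working.
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkRead(String file) {
            if (file.equals(protectedFile))
                throw new SecurityException("sandbox: read of " + file + " denied");
        }
        @Override public void checkExec(String cmd) {
            throw new SecurityException("sandbox: exec of " + cmd + " denied");
        }
    }

    // "ok" if the file could be opened, otherwise the sandbox's refusal message.
    static String tryRead(File f) {
        try (FileInputStream in = new FileInputStream(f)) {
            in.read();
            return "ok";
        } catch (SecurityException e) { return e.getMessage(); }
          catch (IOException e)       { return "io error: " + e.getMessage(); }
    }

    // "ok" if a process could be started, otherwise the sandbox's refusal message.
    static String tryExec(String cmd) {
        try {
            new ProcessBuilder(cmd).start().waitFor();
            return "ok";
        } catch (SecurityException e) { return e.getMessage(); }
          catch (IOException | InterruptedException e) { return "error: " + e.getMessage(); }
    }

    public static void main(String[] args) throws IOException {
        File secret = Files.createTempFile("secret", ".txt").toFile();  // constructed sample file
        secret.deleteOnExit();
        String cmd = "true";   // harmless program, assumed present on macOS/Linux
        System.out.println("no manager : read=" + tryRead(secret) + " exec=" + tryExec(cmd));
        System.setSecurityManager(new AppletLikeSandbox(secret.getPath()));
        System.out.println("applet-like: read=" + tryRead(secret) + " exec=" + tryExec(cmd));
    }
}
```

The second line of output is what an applet normally gets; a security-manager bypass such as the one discussed here turns it back into the first line, with the attacker's code running as the logged-in user.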
May 22nd, 2009 at 1:43 am
Damnit, if I had visited the link posted, I would have found the POC, been able to test my question for the answer and therefore avoided the question... Sigh
May 22nd, 2009 at 1:48 am
@5 Wait, so I just visited the POC at http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html in Chrome. /usr/bin/say was not executed, but in Safari and other browsers it was. So does this mean that even though /usr/bin/say did not execute and say anything, I'm still at risk?
May 22nd, 2009 at 1:33 pm
@AllSaintsDay:
Does any other Java applet work? I suspect Chromium's Java support is not complete yet, on Mac at least...
May 23rd, 2009 at 8:22 am
@ JB and AllSaintsDay:
OK, the punchline was obvious, but if MS had a remotely alert ad agency, they could use this to rip to shreds the "I'm A Mac - I'm A PC" series of ads (US only?). But I doubt their ad agency is any better than their browser, etc.
May 29th, 2009 at 9:48 am
@ Giorgio
You're right, it is not complete. I couldn't even get any of the example applets found at http://java.sun.com/applets/jdk/1.4/index.html to work.