May 20, 2009 7:47 AM PDT

Unaddressed critical Java vulnerability in OS X

by CNET staff

Apple has apparently not addressed a relatively long-standing bug in Java that allows arbitrary code execution as the current user, which can be dangerous if you are running as an administrator.

This bug can be exploited simply by visiting a web page that loads a malicious Java applet, and it can also be taken advantage of by standalone Java applications. To help safeguard your computer until Apple patches this problem, load Java applets only from trusted websites or, better yet, disable Java applets in Safari and other browsers for the time being.

Java applets usually take a few seconds to start up, and in the meantime show a coffee mug with circular arrows around it. If this is displayed on a web page you do not trust, closing the browser window will kill the process. To disable Java in Safari, go to the preferences and uncheck the "Enable Java" option in the "Security" section (keep in mind that "Javascript" is not "Java" and does not need to be disabled).

Apple tech blogger Landon Fuller has posted information about this vulnerability, including a proof-of-concept Java applet that executes the "/usr/bin/say" (text-to-speech) command as the current user. This vulnerability is also discussed in depth elsewhere (1, 2). In addition to keeping Java off, as per Mr. Fuller's recommendations we suggest you also disable the option to automatically open "Safe" files after downloading, which is good practice even when there are no known exploitable bugs.

Unfortunately, this vulnerability affects all Mac users, even if your computer is fully patched, so let's hope Apple tackles this and releases a patch soon.

Luckily, relatively few sites use Java extensively, so most day-to-day workflow should not be inconvenienced by keeping Java off, and you can always temporarily turn Java back on to visit a specific site; however, for standard browsing we recommend you keep it off.

Since Apple has not addressed this bug even though it has been documented for months now, we encourage you to send feedback to Apple's OS X development team to ensure they address this problem soon: http://www.apple.com/feedback/macosx.html

Resources

  • posted
  • applet
  • 1
  • 2
  • http://www.apple.com/feedb...