A serious Java vulnerability in the Apple universe is being talked about on the Interwebs today. The startling part is that this is not a new vulnerability. It has been around for months and will allow an attacker to bypass the Java sandbox (which keeps Java applets from interacting with the operating system) and execute code at will in Java enabled web browsers. The crO blog has details of this issue and Apple’s failure to patch it:
This was found by Sami Koivu. He reported the first instance of it (CVE-2008-5353) to Sun on August 1st 2008 and this instance has been fixed by Sun on December 3rd 2008. These vulnerabilities are both technically interesting and have a lot of impact.
And:
I’ve been wanting to talk about this for a while. I was holding off, while Apple was working to patch this vulnerability. Unfortunately, it is still not patched in their latest security update from just a few days ago. I believe that since this vulnerability has already been public for almost 6 months, making MacOS X users aware that Java needs to be disabled in their browser is the good thing to do.
Oh to top it all off, there’s this:
As a side note, Sami Koivu and I paired at latest Pwn2own (his vulnerability, my exploit) and owned both Firefox and Safari on MacOS X on day one (Java is there and enabled by default on MacOS X). Unfortunately it fell out of the challenge criterions because the vulnerability had already been reported to Sun and I had already pinged Apple in January about it.
Lovely. So these are the guys that I wrote about a few months ago.
In any case, if you want to disable Java in Firefox and/or Safari, here’s how you do it:
In Safari:
Safari menu -> Preferences ->Security -> uncheck “Enable Java”
In Firefox:
Firefox menu -> Preferences-> Content-> Uncheck “Enable Java”
The assumption that Macs are just invulnerable to anything bad happening to them is clearly false based on this and other examples that have been floating around for a while. You’d think with all of the advertising that Apple has that bash Microsoft for their security issues, they’d be the first to patch this. But they’re the last to do so and that’s just downright pathetic. Apple really needs to get it’s head in the security game, otherwise Microsoft will be coming out with ads saying that they’re not only more expensive than PCs, but they’re more insecure as well.
In the meantime, Apple should get to work on fixing this ASAP now that this is out in the public domain.