05-20-2009, 05:03 PM

I'm typically skeptical of these, but this one seems legit - and if executed has the potential to be very bad:

Quote:

Several Mac security companies, Intego and SecureMac, have issued warnings related to an unpatched Java vulnerability that affects OS X. The flaw could be exploited to allow local code to be executed remotely, leaving the computer open to "drive-by-attacks" which can install malicious software just by loading a website containing a specially crafted Java applet. Hackers could also access or delete files on a system.

Full article here.

If you are concerned (and IMO, you should be), a temporary fix would be to turn Java off in the browser of your choice. Although some sites launch Java applets, they should be relatively few (don't confuse Javascript with Java). So for many of you, there will be little impact to your day-to-day web browsing in turning off Java.

05-20-2009, 05:28 PM

Great advice cwa107. Keep us posted on developments please?

05-20-2009, 06:27 PM

Disable Java in Firefox:

Firefox Menu > Preferences > Content Tab

Picture 1.png

05-20-2009, 09:14 PM

While I do espouse security as an important part of daily use, this exploit doesn't seem to bother me. Disabling Java should work and prevent users from themselves (the cause of most computer problems). I think the part that's bothering me most about this exploit is not the exploit itself but Apple's continued disregard for Java. For a company that want's to be on the edge, they sure don't seem quick to defend and patch the arguably most used programming language in the world (last I heard).

05-20-2009, 09:23 PM

Quote:

Originally Posted by vansmith

While I do espouse security as an important part of daily use, this exploit doesn't seem to bother me. Disabling Java should work and prevent users from themselves (the cause of most computer problems). I think the part that's bothering me most about this exploit is not the exploit itself but Apple's continued disregard for Java. For a company that want's to be on the edge, they sure don't seem quick to defend and patch the arguably most used programming language in the world (last I heard).

Agreed. As much as Apple likes to promote the security of Mac OS X, they do seem slow to address high-profile exploits like this. As I understand it, this one has been in the wild for something like 6 months.

05-20-2009, 09:28 PM

Quote:

Originally Posted by cwa107

Agreed. As much as Apple likes to promote the security of Mac OS X, they do seem slow to address high-profile exploits like this. As I understand it, this one has been in the wild for something like 6 months.

I read nine months. Either way, both times are well too long for such an important program. As much as I like Apple, I do have a few problems with the way they approach things. One of them is that is seems as if the "security through obscurity" myth is their motto in the security department .

05-21-2009, 04:25 PM

Ooooh.... not good:

Unpatched OS X Java Vulnerabilities Drawing Attention - Mac Rumors

05-21-2009, 05:06 PM

Not good in that it illustrates the trivial nature of the exploit but very good for me (at least) in that it will hopefully get Apple moving on this.

This is why I wish Apple hadn't taken control of Java on the Mac. Since it says that OpenJDK isn't affected, the nerd in me is tempted to try and build OpenJDK tonight.

05-21-2009, 05:32 PM

disabled it for Safari 4 as well

05-21-2009, 05:59 PM

I believe the problem is S Jobs has made very negative comments about Java in recent months (do a Google) so I doubt any fixes will come along.

Richard Sprague WebLog : Steve Jobs says Java is history

05-21-2009, 08:15 PM

So for those of us that are non techie - should we be unchecking Enable Java or Enable JavaScript in prefs of Safari 3? Or does Enable plug-ins feature as well?

05-21-2009, 08:26 PM

Quote:

Originally Posted by harryb2448

I believe the problem is S Jobs has made very negative comments about Java in recent months (do a Google) so I doubt any fixes will come along.

Richard Sprague WebLog : Steve Jobs says Java is history

Agreed. As I linked to earlier, Jobs called it a "'Heavyweight' in an Age of Lightweight Computing." I think that's a bit much.

Quote:

Originally Posted by Collin Bl

So for those of us that are non techie - should we be unchecking Enable Java or Enable JavaScript in prefs of Safari 3? Or does Enable plug-ins feature as well?

If you want to be super safe, you should just have to disable Java. Javascript, on the other hand, has nothing to do with Java (despite the name). Otherwise, just be a smart computer user.

05-22-2009, 06:42 AM

FF users, use noscript..

05-23-2009, 07:22 PM

Quote:

Originally Posted by Big Dan

Disable Java in Firefox:

Firefox Menu > Preferences > Content Tab

Attachment 10655

Thanks Big Dan

Simple but effective