Security companies warn of unpatched Java exploit on Mac OS X

cwa107 · May 20, 2009

I'm typically skeptical of these, but this one seems legit - and if executed has the potential to be very bad:

Several Mac security companies, Intego and SecureMac, have issued warnings related to an unpatched Java vulnerability that affects OS X. The flaw could be exploited to allow local code to be executed remotely, leaving the computer open to "drive-by-attacks" which can install malicious software just by loading a website containing a specially crafted Java applet. Hackers could also access or delete files on a system.

Full article here.

If you are concerned (and IMO, you should be), a temporary fix would be to turn Java off in the browser of your choice. Although some sites launch Java applets, they should be relatively few (don't confuse Javascript with Java). So for many of you, there will be little impact to your day-to-day web browsing in turning off Java.

harryb2448 · May 20, 2009

Great advice cwa107. Keep us posted on developments please?

Big Dan · May 20, 2009

Disable Java in Firefox:

Firefox Menu > Preferences > Content Tab

vansmith · May 20, 2009

While I do espouse security as an important part of daily use, this exploit doesn't seem to bother me. Disabling Java should work and prevent users from themselves (the cause of most computer problems). I think the part that's bothering me most about this exploit is not the exploit itself but Apple's continued disregard for Java. For a company that want's to be on the edge, they sure don't seem quick to defend and patch the arguably most used programming language in the world (last I heard).

cwa107 · May 20, 2009

vansmith said:
While I do espouse security as an important part of daily use, this exploit doesn't seem to bother me. Disabling Java should work and prevent users from themselves (the cause of most computer problems). I think the part that's bothering me most about this exploit is not the exploit itself but Apple's continued disregard for Java. For a company that want's to be on the edge, they sure don't seem quick to defend and patch the arguably most used programming language in the world (last I heard).

Agreed. As much as Apple likes to promote the security of Mac OS X, they do seem slow to address high-profile exploits like this. As I understand it, this one has been in the wild for something like 6 months.

vansmith · May 20, 2009

cwa107 said:
Agreed. As much as Apple likes to promote the security of Mac OS X, they do seem slow to address high-profile exploits like this. As I understand it, this one has been in the wild for something like 6 months.

I read nine months. Either way, both times are well too long for such an important program. As much as I like Apple, I do have a few problems with the way they approach things. One of them is that is seems as if the "security through obscurity" myth is their motto in the security department

.

cwa107 · May 21, 2009

Ooooh.... not good:

Unpatched OS X Java Vulnerabilities Drawing Attention - Mac Rumors

vansmith · May 21, 2009

Not good in that it illustrates the trivial nature of the exploit but very good for me (at least) in that it will hopefully get Apple moving on this.

This is why I wish Apple hadn't taken control of Java on the Mac. Since it says that OpenJDK isn't affected, the nerd in me is tempted to try and build OpenJDK tonight.

ansarcec · May 21, 2009

disabled it for Safari 4 as well

harryb2448 · May 21, 2009

I believe the problem is S Jobs has made very negative comments about Java in recent months (do a Google) so I doubt any fixes will come along.

Richard Sprague WebLog : Steve Jobs says Java is history

Collin Bl · May 21, 2009

So for those of us that are non techie - should we be unchecking Enable Java or Enable JavaScript in prefs of Safari 3? Or does Enable plug-ins feature as well?

vansmith · May 21, 2009

harryb2448 said:
I believe the problem is S Jobs has made very negative comments about Java in recent months (do a Google) so I doubt any fixes will come along.

Richard Sprague WebLog : Steve Jobs says Java is history

Agreed. As I linked to earlier, Jobs called it a "'Heavyweight' in an Age of Lightweight Computing." I think that's a bit much.

Collin Bl said:
So for those of us that are non techie - should we be unchecking Enable Java or Enable JavaScript in prefs of Safari 3? Or does Enable plug-ins feature as well?

If you want to be super safe, you should just have to disable Java. Javascript, on the other hand, has nothing to do with Java (despite the name). Otherwise, just be a smart computer user.

jram · May 22, 2009

FF users, use noscript..

TattooedMac · May 23, 2009

Big Dan said:
Disable Java in Firefox:

Firefox Menu > Preferences > Content Tab

View attachment 10655

Thanks Big Dan

Simple but effective

Security companies warn of unpatched Java exploit on Mac OS X

cwa107

harryb2448

Big Dan

vansmith

Senior Member

cwa107

vansmith

Senior Member

cwa107

vansmith

Senior Member

ansarcec

harryb2448

Collin Bl

vansmith

Senior Member

jram

TattooedMac

Shop Amazon