Posted: May 19th, 2009
Security Risk: Critical
Today, Landon Fuller posted a proof-of-concept exploit for an unpatched vulnerability in the Java Runtime Environment currently in use by OS X. While this particular proof-of-concept is meant to be harmless, the vulnerability itself currently affects OS X, including OS X 10.5.7, the latest shipping version of OS X. This vulnerability could be exploited to perform “drive-by-downloads” commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user. All a user has to do is visit a web page hosting a malicious java applet to be exploited. Until Apple patches their implementation of Java, we recommend that users disable Java applets in their web browser.
Users can disable Java applets in Safari by opening Safari preferences, clicking the Security tab, and unchecking the “enable java” checkbox. Users should also disable the ‘open “safe” files after downloading’ option under the General tab of the Safari preferences. This vulnerability can also be exploited in the Firefox web browser, or any browser than can run Java applets. Further information about this exploit can be found at: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
SecureMac will keep users updated as more news about this exploit becomes available.