OS X Java vulnerability: What it does, how to protect yourself

May 20, 2009

Yet another proof of concept for yet another scary exploit, the kind that can leave you “pwnd” without your participation or knowledge. Still, it’s easy to neutralize the threat, and the inconvenience should be minimal.

SecureMac reports that Landon Fuller posted a proof-of-concept exploit for an unpatched vulnerability in the current OS X Java Runtime Environment. While the proof-of-concept is harmless by design, this vulnerability is otherwise “shovel ready” and could be used to take over a fully patched, software up-to-date Mac, including those running OS X 10.5.7. SecureMac reports:

This vulnerability could be exploited to perform “drive-by-downloads” commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user. All a user has to do is visit a web page hosting a malicious Java applet to be exploited.

See also:
- How to remove OSX.Trojan.iServices.A, iServices.B
- MacScan: Is there spyware on my Mac?
- Free antivirus solutions for the Mac
- Write once, own everyone, Java deserialization issues

SecureMac therefore recommends that users disable Java applets in their web browser until Apple patches its implementation of Java. In Safari: 1) open Safari; 2) open Preferences (⌘ + comma); 3) click the Security tab; 4) uncheck the “Enable Java” box.

Further, disable the “Open ‘safe’ files after downloading” option in Safari’s General preferences tab. Make the equivalent changes in any other browser you use (e.g. Firefox, Camino, iCab, Stainless): the vulnerability lives in the system Java runtime, not in Safari, so those browsers are affected as well.
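For readers who would rather audit the two Safari settings above from a terminal (or across several Macs) than click through Preferences, here is an added example script; it is not from the original post or from SecureMac. It assumes Safari keeps its preferences in ~/Library/Preferences/com.apple.Safari.plist under the boolean keys WebKitJavaEnabled and AutoOpenSafeDownloads, with both defaulting to enabled when absent; confirm those key names against your own plist before trusting the emitted `defaults write` commands. The plist shown when no Safari preferences file exists is constructed sample input.

```python
"""Audit Safari for the two settings the article recommends turning off.

Added example, not the article's or SecureMac's code. Assumptions (verify on
your own Mac): Safari's preferences live in com.apple.Safari.plist and use the
boolean keys WebKitJavaEnabled (Security tab, "Enable Java") and
AutoOpenSafeDownloads (General tab, "Open 'safe' files after downloading"),
both treated by Safari as enabled when the key is missing.
"""
import plistlib
from pathlib import Path

SAFARI_DOMAIN = "com.apple.Safari"
SAFARI_PLIST = Path.home() / "Library" / "Preferences" / f"{SAFARI_DOMAIN}.plist"

# key -> (value we want, what the checkbox is called in Safari's UI)
RISKY_SETTINGS = {
    "WebKitJavaEnabled": (False, "Security tab: Enable Java"),
    "AutoOpenSafeDownloads": (False, "General tab: Open 'safe' files after downloading"),
}

# Constructed sample input standing in for a fresh Safari profile: the Java key
# is present and on, the auto-open key has never been written (so it defaults on).
SAMPLE_PREFS = {"WebKitJavaEnabled": True, "HomePage": "http://www.apple.com/"}


def audit(prefs):
    """Return (key, current, wanted) for every setting not in its safe state.

    A missing key is reported too, because (assumption) Safari's built-in default
    for both keys is the unsafe value, so absence means "enabled".
    """
    findings = []
    for key, (wanted, _label) in RISKY_SETTINGS.items():
        current = bool(prefs.get(key, True))
        if current != wanted:
            findings.append((key, current, wanted))
    return findings


def remediation_commands(findings, domain=SAFARI_DOMAIN):
    """Turn findings into `defaults write` commands.

    Going through `defaults` rather than rewriting the plist file avoids fighting
    Safari's cached copy of its preferences; quit and relaunch Safari afterwards.
    """
    return [
        f"defaults write {domain} {key} -bool {'true' if wanted else 'false'}"
        for key, _current, wanted in findings
    ]


def load_prefs(path=SAFARI_PLIST):
    """Parse the binary or XML plist; raises FileNotFoundError if Safari has none."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def main():
    try:
        prefs = load_prefs()
        source = str(SAFARI_PLIST)
    except FileNotFoundError:
        prefs, source = SAMPLE_PREFS, "constructed sample (no Safari plist found)"
    findings = audit(prefs)
    print(f"Checked: {source}")
    if not findings:
        print("Java applets and auto-open of 'safe' files are both disabled.")
        return 0
    for key, current, wanted in findings:
        print(f"  {key}: is {current}, want {wanted}  [{RISKY_SETTINGS[key][1]}]")
    print("Fix with (then quit and relaunch Safari):")
    for cmd in remediation_commands(findings):
        print("  " + cmd)
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The exit status is 1 when anything is still enabled, so the script can be dropped into a login script or a fleet check; it only prints the remediation commands rather than running them, so you can review them first.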

Be afraid?

So, is the sky falling? Well, of course it is; what else would you expect with gatekeepers like SecureMac, Intego, Symantec, etc. on duty? Nevertheless, protecting yourself is easy and relatively pain-free.

Will you gird your virtual loins by applying these simple preference tweaks, or are even these small measures too much trouble?


4 Responses to “OS X Java vulnerability: What it does, how to protect yourself”

  1. Martin Helbling:

    Hello

    I want to tell you about another bug which has not been fixed for a long time. Printing on Java 6 on Mac OS X using some fonts such as Skia crashes the virtual machine on Mac OS X.
    To reproduce this bug, go to page http://www.reportmill.com/jfx/ and launch the JFXBuilder, create a new document, use the text tool to create a text view and type some text using the Skia font, then print it.

  2. Der Dieter:

    Hi,

    http://www.illegalaccess.org published a recipe to harden an OSX Java implementation against this threat.

    Cheers
    Dieter

  3. Partners in Grime:

    Javaficker?

  4. Dennis:

    These “small measures” certainly are much trouble for users of services like http://wua.la .

Copyright © 2013 Blorge.com NS