
May 20th, 2009

Mac OS X vulnerable to 6-month old Java flaw

Posted by Ryan Naraine @ 12:46 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Java

Tags: Malicious Code, Apple Macintosh, Java Applet, Flaw, Applet, Landon Fuller, CVE-2008-5353, Apple Mac OS X, Apple Mac OS, Java

Attention Mac OS X users: Turn Java off immediately or you could be at high risk of malicious code execution attacks.

Tired of waiting for a patch from Apple for a Java flaw that was fixed upstream six months ago, Mac developer Landon Fuller (of Month of Apple Bugs/Fixes fame) has released a proof of concept exploit to demonstrate the severity of the issue.

[ SEE: Mac Developer mulling OS X equivalent of ZERT ]

Fuller writes:

Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated. Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue.

If you visit the following page, “/usr/bin/say” will be executed on your system by a Java applet, with your current user permissions. This link will execute code on your system with your current user permissions. The proof of concept runs on fully-patched PowerPC and Intel Mac OS X systems.

Fuller recommends that Mac OS X users disable Java applets in their browsers (both Firefox and Safari) and disable ‘Open “safe” files after downloading’ in Safari.
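A check for the settings named in that recommendation, as an added example that is not from the article or from Fuller. The preference keys (`WebKitJavaEnabled` and `AutoOpenSafeDownloads` in Safari's plist, `security.enable_java` in Firefox's `prefs.js`) and their default-on behaviour are assumptions about browsers of this era, and the sample inputs are constructed.

```python
import plistlib
import re

# Assumed preference keys (not named in the article). All three are treated
# as defaulting to "on" when absent, so a missing key counts as a finding.
SAFARI_KEYS = {
    "WebKitJavaEnabled": "Java applets enabled in Safari",
    "AutoOpenSafeDownloads": 'Safari opens "safe" files after downloading',
}
FIREFOX_PREF = re.compile(
    r'^\s*user_pref\(\s*"security\.enable_java"\s*,\s*(true|false)\s*\)\s*;',
    re.M,
)


def audit_safari(plist_bytes):
    """Return findings for a com.apple.Safari preferences plist (XML or binary)."""
    prefs = plistlib.loads(plist_bytes)
    return [msg for key, msg in SAFARI_KEYS.items() if prefs.get(key, True)]


def audit_firefox(prefs_js):
    """Return findings for the text of a Firefox profile's prefs.js."""
    matches = FIREFOX_PREF.findall(prefs_js)
    # prefs.js records only non-default values; if repeated, the last entry wins.
    enabled = (matches[-1] == "true") if matches else True
    return ["Java applets enabled in Firefox"] if enabled else []


# Constructed sample input: Java turned off in Safari, but the auto-open
# setting left at its default (key absent from the plist).
SAMPLE_SAFARI = plistlib.dumps({"WebKitJavaEnabled": False, "HomePage": "about:blank"})
# Constructed sample input: one Firefox profile hardened, one left at defaults.
SAMPLE_FIREFOX_OFF = (
    'user_pref("browser.startup.page", 0);\n'
    'user_pref("security.enable_java", false);\n'
)
SAMPLE_FIREFOX_DEFAULT = 'user_pref("browser.startup.page", 0);\n'

if __name__ == "__main__":
    for finding in audit_safari(SAMPLE_SAFARI) + audit_firefox(SAMPLE_FIREFOX_DEFAULT):
        print("FINDING:", finding)
```

A setting that was never touched does not appear in either file, which is why a missing key is reported the same way as an explicit "on".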

The vulnerability in question is CVE-2008-5353 which was publicly disclosed and fixed by Sun in January this year.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Unfortunately, these vulnerabilities remain in Apple’s shipping JVMs.

In an interesting twist, security researcher Julien Tinnes actually attempted to use this vulnerability in this year’s CanSecWest PWN2OWN contest but, because it was already patched by Sun, and Apple was aware of it, the exploit was disqualified.

See more from Threatpost’s Dennis Fisher.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



