Filed under: Bad Apple, Security
Mac OS X Java security hole exposed
You know, it's fine to make the argument that "Macs are safer than Windows-based PCs," because in real-world usage, this is generally true. Nothing does more to undermine that argument, however, like a five-month old unpatched Java vulnerability.As Landon Fuller has pointed out, a potentially nasty Java exploit remains unpatched in Mac OS X, including last week's OS X 10.5.7 update. Essentially, this exploit can allow malicious code to run outside of the confines of Java, and run arbitrary commands with whatever user permissions the logged in user has. So just by visiting a website, you could be allowing malicious software access to running commands on your system. Not cool. Not cool at all.
Although the exploit was initially discovered and filed back in August of 2008, Sun issued its own fix addressing the exploit back in December.
So, five months, two point OS updates, one Java update in February and stil, Apple hasn't patched the exploit on their end.
Can I just say, "WTF?" I mean, seriously, get on the ball Apple. You only have $20 billion in cash, maybe investing in a bunch of full-time security patchers for your operating system would be a worthwhile investment!
Julien Tinnes has some excellent commentary on the exploit here. As Landon says on his blog, all users are advised to disable Java applets in their browsers and disable "open safe files after downloading" in Safari. You should also consider using a SSB (site-specific browser) for any Java-crucial web work (see below).
Of course, being forced to disable Java applets just so one can ensure safety kind of puts Mac users who, I don't know, use a web-based SSL VPN client to connect to work systems or e-mail in a bind.
And, let the flogging from the Apple-haters commence.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
