Feeds

Six months on, Macs still plagued by critical Java vuln

No Java applets for you!

Top 5 reasons to deploy VMware with Tegile

More than six months after Sun Microsystems warned that a flaw in its Java virtual machine made it trivial for attackers to execute malware on end users' machines, the vulnerability remains unpatched on Apple's Mac platform.

Most other operating systems, including Windows and major Linux distributions, fixed the bug months ago. That's a good thing given it is actively being exploited in the wild. Penetration testers, including Immunity and VUPEN Security, consider the threat significant enough to offer their customers exploit code that tests against the bug.

"This bug, and others like it, are essentially 'write once, own all' type deals," Immunity researcher Bas Alberts wrote in an email to The Reg. "So yeah, they're fairly interesting to people on the offense side of the fence."

The company's exploit code targeting the vulnerability is written in Java and works equally well on targets running Windows, Linux or OS X.

And yet Apple has so far taken no action, despite issuing major OS X upgrades just last week.

"In general Apple has been a little slower to apply upstream security updates in Java," said Dino Dai Zovi, an independent security researcher and co-author of The Mac Hacker's Handbook. "Whenever basically they're lagging behind a vulnerability that's out and known, it's pretty significant. Potential hackers don't have to discover anything new; they can use a vulnerability that's already released."

To be fair to Apple, the company's developers are responsible for writing and testing their own Java patches. There's no such requirement on Microsoft developers, since Sun provides Java fixes on that platform. Still, if Hewlett-Packard, Red Hat, and Suse can patch their platforms, you'd think Apple could do to the same. An Apple spokeswoman didn't respond to an email requesting comment.

That means security-conscious Mac users will need to take matters in to their own hands. Security researcher Landon Fuller recommends here that OS X users disable Java applets in their browsers and disable the "Open safe files after downloading" setting in Safari. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.