Feeds

Six months on, Macs still plagued by critical Java vuln

No Java applets for you!

Combat fraud and increase customer satisfaction

More than six months after Sun Microsystems warned that a flaw in its Java virtual machine made it trivial for attackers to execute malware on end users' machines, the vulnerability remains unpatched on Apple's Mac platform.

Most other operating systems, including Windows and major Linux distributions, fixed the bug months ago. That's a good thing given it is actively being exploited in the wild. Penetration testers, including Immunity and VUPEN Security, consider the threat significant enough to offer their customers exploit code that tests against the bug.

"This bug, and others like it, are essentially 'write once, own all' type deals," Immunity researcher Bas Alberts wrote in an email to The Reg. "So yeah, they're fairly interesting to people on the offense side of the fence."

The company's exploit code targeting the vulnerability is written in Java and works equally well on targets running Windows, Linux or OS X.

And yet Apple has so far taken no action, despite issuing major OS X upgrades just last week.

"In general Apple has been a little slower to apply upstream security updates in Java," said Dino Dai Zovi, an independent security researcher and co-author of The Mac Hacker's Handbook. "Whenever basically they're lagging behind a vulnerability that's out and known, it's pretty significant. Potential hackers don't have to discover anything new; they can use a vulnerability that's already released."

To be fair to Apple, the company's developers are responsible for writing and testing their own Java patches. There's no such requirement on Microsoft developers, since Sun provides Java fixes on that platform. Still, if Hewlett-Packard, Red Hat, and Suse can patch their platforms, you'd think Apple could do to the same. An Apple spokeswoman didn't respond to an email requesting comment.

That means security-conscious Mac users will need to take matters in to their own hands. Security researcher Landon Fuller recommends here that OS X users disable Java applets in their browsers and disable the "Open safe files after downloading" setting in Safari. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.