Unpatched Java on Mac

May 22, 2009

There has been renewed publicity lately about a vulnerability in the Java run-time environment, which browsers use to run Java applets embedded in Web pages.  The vulnerability itself (CVE-2008-5353) was fixed by Sun Microsystems, the originators of Java, back in December 2008; however, Apple has still not released a version of the fix for Mac computers.  The vulnerability is easy for a knowledgeable person to exploit, and can be triggered merely by visiting a malicious Web site.

The problem has become more acute within the last few days, because “proof of concept” exploit programs have been circulating on the Internet.  The vulnerability itself is entirely Java-based, meaning that it could in principle be exploited in any browser on any platform; however, fixed Java versions are already available for Windows and most Linux distributions.  As mentioned above, Apple has not yet released a suitable fix for the Mac; since Java is part of the standard Mac OS X installation and is enabled in the browser by default, this is potentially a serious problem.

The recommendation for Mac users is to disable the execution of Java applets in the browser until Apple ships a fix (in Safari, uncheck “Enable Java” under Preferences > Security; in Firefox, uncheck “Enable Java” under Preferences > Content).  Note that this is a workaround, not a fix: the vulnerable run-time remains installed, and any browser in which Java is still enabled remains exposed.  You can get more information on the vulnerability from the SANS diary note.
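A quick way to tell whether the Java run-time on a machine predates the fix is to compare the version that `java -version` reports against the first fixed release.  The script below is an added example written for this post, not code from the original article or from Sun or Apple; the minimum version it checks against (1.6.0_11, the Sun release this editor recalls carrying the fix) is an assumption that should be confirmed against Sun's advisory, and the sample `java -version` output it falls back to is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.  Parses the version string
# printed by `java -version` (e.g. "1.6.0_07") and compares it against the
# first release assumed to contain the CVE-2008-5353 fix.

# ASSUMPTION: 1.6.0_11 is the Sun release that shipped the fix.  Confirm
# against the vendor advisory before relying on this value.
MIN_FIXED="1.6.0_11"

# Turns "major.minor.micro_update[-build]" into a single comparable integer:
# major*10^7 + minor*10^5 + micro*10^3 + update.  Fields are split on
# '.', '_' and '-', so trailing build tags such as "-b03" are ignored, and a
# missing update field counts as 0.  awk converts "07" to 7 (no octal issue).
java_version_num() {
    printf '%s\n' "$1" | awk -F'[._-]' \
        '{ printf "%d\n", $1*10000000 + $2*100000 + $3*1000 + $4 }'
}

# True (exit 0) when version $1 is at least version $2.
java_at_least() {
    [ "$(java_version_num "$1")" -ge "$(java_version_num "$2")" ]
}

# Extracts the quoted version from `java -version` output, whose first line
# looks like:   java version "1.6.0_07"
parse_java_version_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample output in the format Sun/Apple JREs print, used when no
# JRE is installed so the script still runs stand-alone.
SAMPLE_OUTPUT='java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)'

# Exit 0 if the run-time is at or above MIN_FIXED, 1 if it is older,
# 2 if the version could not be parsed.
check_java() {
    ver=$(parse_java_version_output "$1")
    if [ -z "$ver" ]; then
        echo "could not determine the Java version from the supplied output"
        return 2
    fi
    if java_at_least "$ver" "$MIN_FIXED"; then
        echo "Java $ver is at or above $MIN_FIXED"
        return 0
    fi
    echo "Java $ver is older than $MIN_FIXED: disable Java applets in the browser"
    return 1
}

# Check the installed JRE if there is one, otherwise the constructed sample.
if command -v java >/dev/null 2>&1; then
    check_java "$(java -version 2>&1)" || :
else
    check_java "$SAMPLE_OUTPUT" || :
fi
```

Note that `java -version` writes to stderr, hence the `2>&1` redirection, and that the check only tells you whether the run-time itself is old; it cannot tell you whether a given browser still has applets enabled, which is the setting the workaround above actually changes.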

Update 15:46

Brian Krebs at the Washington Post has a good article on this issue in his “Security Fix” blog.  His research indicates that it has taken Apple about 166 days, on average, to fix similar vulnerabilities in the past.
