Slashdot Mirror


Mac OS X Users Vulnerable To Major Java Flaw

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

7 of 306 comments

  1. Java and not javascript by GreatDrok · · Score: 5, Informative

    I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

    --
    "I have the attention span of a strobe lit goldfish, please get to the point quickly!"
    1. Re:Java and not javascript by RevRagnarok · · Score: 5, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

      Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

      --
      I should put something clever here. Maybe someday.
    2. Re:Java and not javascript by EthanV2 · · Score: 5, Informative

      Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet another boring FUD/flamebait war, of course.

      Maybe it's because everybody else has patched it

      FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

    3. Re:Java and not javascript by BrokenHalo · · Score: 5, Informative

      It looks like OpenJDK now runs on MacOSX:

      It does, but only with X11.

  2. Instructions for turning off Java... by Anonymous Coward · · Score: 5, Informative

    In case you don't have OS X but want to pass on the instructions to relatives, etc:

    In Safari (version 4 beta):

    Safari->Preferences->Security->Web Content: Enable Java (uncheck)

    In Firefox (3.5 beta, probably the rest):

    Firefox->Preferences->Content->Enable Java (uncheck)

    I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

  3. Re:why specify Mac OSX by Draek · · Score: 5, Informative

    If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

    For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

    --
    No problem is insoluble in all conceivable circumstances.
  4. apple letting down java users.. by Anonymous Coward · · Score: 5, Informative

    Steve Jobs, JavaOne Keynote 2000:

    "We want to bring Java back to the desktop in a really big way. I'm here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

    WWDC 2006

    When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

    Steve Jobs, January 2007 (iPhone related):

    "Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

    2008/05/01

    Apple (finally!) releases JDK 6 with 64 bit support only. Most apps won't run due to the lack of cocoa 64 bit libraries. 1 y/old notebooks left in the cold without 64bit support.