Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Users Vulnerable To Major Java Flaw

Posted by kdawson on from the write-once-own-everyone dept.

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

3 of 306 comments (clear)

  1. Design or implementation flaw? by pwilli · · Score: 5, Interesting

    I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.

    The articles and bug reports are light on detail, I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the users rights (or probably more correct, the rights of the webbrowser who started the applet)., which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?

  2. Re:Java and not javascript by kthreadd · · Score: 5, Interesting

    I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology

    According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expire or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.

  3. Re:apple letting down java users.. by cshbell · · Score: 5, Interesting

    I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.

    Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.