Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
Apple doesn't ignore security. They implemented almost a third of an ASLR solution, and it's obviously a waste of time since it wouldn't help with this vulnerability. They dragged their feet patching the Kaminsky DNS vulnerability since DNS is obsolete and everyone should be using Bonjour by now. They didn't bother with DEP/NX, because Macs are about usability, they don't want to prevent you from executing data.
Snow Leopard is mainly a beneath-the-hood architectural upgrade.
Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.