Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.
Apple doesn't ignore security. They implemented almost a third of an ASLR solution, and it's obviously a waste of time since it wouldn't help with this vulnerability. They dragged their feet patching the Kaminsky DNS vulnerability since DNS is obsolete and everyone should be using Bonjour by now. They didn't bother with DEP/NX, because Macs are about usability, they don't want to prevent you from executing data.
Snow Leopard is mainly a beneath-the-hood architectural upgrade.
Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.
As a Linux user, I was about to ignore the article when I glanced over the sentence "It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows."
If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?
I want to know more how it affects my Ubuntu box!
j.
HAHA Losers.
I think the parent was assuming you use a REAL browser.
SJW: Someone who has run out of real oppression, and has to fake it.
What makes me laugh is that the Mac fanbois are so determined to never hear a bad word about their chosen God^H^H^HOperating System, that they immediately turn the whole discussion thread on its head and say "well MS invented ActiveX, and it's the suckzorz".
I don't remember MS *ever* touting ActiveX as "secure", and in fact a lot of people were saying it was a terrible idea from day-1. Yes, it sucked - but, so does JAVA.
However, one of JAVA's great selling points was "it's secure because it runs in a sandbox". And over the years we've discovered the sandbox has not one, but several big fucking holes in the bottom.
And now, because every other vendor has patched, and OSX is waiting presumably to fleece their users for another $150 with the next version before patching, the fanbois with the "most secure OS", suddenly find themselves getting pwned.
And of course "we don't need antiviruses, because we run Macs".
Wake-up call, perhaps? Or can you still not see the wood for the (shiny) trees?
(Expecting to get modded into oblivion with this one, but what the hell, my karma can handle it).