updated 02:25 pm EDT, Thu August 23, 2007
Unpatched Java flaw
Mac users are still waiting for a fix to a critical Java runtime vulnerability discovered by Google's security team in October of 2006. The hole, which could allow malicious users to execute code remotely on a victim's Mac, lies within Sun's Java ICC profile parsing code. Sun issued an update in May of this year to plug the hole on Solaris, Linux, and Windows systems but offered no sign of an update for Mac owners. The unfixed security concern leaves millions of Mac OS X users with Java enabled in their Web browsers vulnerable to would-be crackers, who need only coax unsuspecting users into downloading a specially crafted JPEG or BMP image file to execute code on the target system or cause a JVM crash, according to ZDNet.
IBM's ISS X-Force -- a threat analysis service providing intelligence on a wide array of threats that may affect network security -- issued an alert to detail the danger of leaving the weakness unfixed:
"Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file."
The Google engineer who initially discovered the flaw said he dealt only with Sun's security response team to disclose the threat, adding that Sun itself usually coordinates a warning to all affected customers -- which in this case includes Apple -- when a vulnerability surfaces.
Security specialist Landon Fuller, who as a former engineer in Apple's BSD Technology Group was one of the main contributors to the "Month of Apple Bugs" project, has already released his own third-party patch for the flaw alongside a proof-of-concept exploit that crashes a fully patched browser.
"It may be difficult to exploit, but it's a fairly long time to be sitting on a public issue," Fuller warned. Mac OS X users concerned about the threat can install the third-party patch (which requires special software to run) or disable Java in the Web browser so that a crafted image file never reaches the vulnerable parser.
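The X-Force alert quoted above names the bug class (an integer overflow in an embedded-ICC-profile parser) without showing what such a defect looks like. The C below is an added, constructed illustration written for this article; it is not Sun's code, not Fuller's patch, and not a reproduction of the actual flaw. It assumes a deliberately simplified ICC-style tag table (a big-endian 32-bit tag count followed by 12-byte {signature, offset, size} entries) so that the one point carries: a size computed from an attacker-controlled count in 32-bit arithmetic wraps silently, whereas a validator that bounds every value by the real buffer length before using it rejects the same input. The sample buffers are constructed test data, not captured files.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified ICC-style layout (an assumption for this
 * example, not the real specification): a 4-byte big-endian tag count,
 * then 12-byte entries of {signature, offset, size}, all big-endian. */
#define TAG_ENTRY_SIZE 12u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The unsafe pattern: a 32-bit multiply on an untrusted count.
 * For tag_count = 0x15555556 the product 4294967304 exceeds 2^32 and
 * wraps to 8, so code that allocates this many bytes and then walks
 * tag_count entries writes far past the end of its buffer. */
uint32_t naive_table_bytes(uint32_t tag_count) {
    return tag_count * TAG_ENTRY_SIZE;   /* wraps silently */
}

/* Hardened validation: bound the count by what the buffer can hold
 * before any multiplication, and check each tag's extent with
 * subtraction from the known length rather than an addition that
 * could itself overflow. Returns 0 if valid, a negative code if not. */
int validate_tag_table(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 4) return -1;
    uint32_t count = be32(buf);
    size_t max_entries = (len - 4) / TAG_ENTRY_SIZE;
    if (count > max_entries) return -2;            /* table cannot fit */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * TAG_ENTRY_SIZE;
        uint32_t off = be32(e + 4);
        uint32_t sz  = be32(e + 8);
        if (off > len || sz > len - off) return -3; /* tag exceeds buffer */
    }
    return 0;
}

/* Constructed sample buffers (16 bytes each). */
const uint8_t SAMPLE_OK[16] = {
    0x00,0x00,0x00,0x01,                 /* count = 1 */
    'd','e','s','c',  0x00,0x00,0x00,0x10,  0x00,0x00,0x00,0x00 }; /* off 16, size 0 */
const uint8_t SAMPLE_WRAP[16] = {
    0x15,0x55,0x55,0x56,                 /* count whose *12 wraps to 8 */
    'd','e','s','c',  0x00,0x00,0x00,0x10,  0x00,0x00,0x00,0x00 };
const uint8_t SAMPLE_OOB[16] = {
    0x00,0x00,0x00,0x01,
    'd','e','s','c',  0x00,0x00,0x00,0x08,  0xFF,0xFF,0xFF,0xFF }; /* off 8 + size wraps */

int main(void) {
    printf("naive bytes for wrapped count: %u\n", naive_table_bytes(0x15555556u));
    printf("ok=%d wrap=%d oob=%d\n",
           validate_tag_table(SAMPLE_OK, sizeof SAMPLE_OK),
           validate_tag_table(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           validate_tag_table(SAMPLE_OOB, sizeof SAMPLE_OOB));
    return 0;
}
```

The second and third samples are exactly the shapes a crafted image would carry into a native parser: a count whose product wraps, and an offset plus size that wraps. Dividing the available length by the entry size (instead of multiplying the count) and comparing size against `len - off` (instead of computing `off + sz`) are the two idioms that remove both overflows; the same reasoning is why, absent a vendor fix, keeping the parser unreachable by disabling Java in the browser is the practical mitigation the article describes.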