08/23/2007, 2:25pm, EDT
Thursday, August 23rd
Mac users still waiting for security patch
Mac users are still waiting for a fix to a critical Java runtime exploit discovered by Google's security team in October of 2006. The hole, which could allow malicious users to execute code remotely on a victim's Mac, lies within Sun's Java ICC profile parsing code. Sun issued an update in May of this year to plug the hole on Solaris, Linux, and Windows systems but offered no sign of an update for Mac owners. The unfixed security concern leaves millions of Mac OS X users with Java enabled in their Web browsers vulnerable to would-be crackers, who need only coax unsuspecting users into downloading a specially crafted JPEG or BMP image file to execute code on the target system or cause a JVM crash, according to ZDNet.
IBM's ISS X-Force -- a threat analysis service providing intelligence on a wide array of threats that may affect network security -- issued an alert to detail the danger of leaving the weakness unfixed:
"Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file."
The Google engineer who initially discovered the flaw said he dealt only with Sun's security response team to disclose the threat, adding that Sun itself usually coordinates a warning to all affected customers -- which in this case includes Apple -- when a vulnerability surfaces.
Security specialist Landon Fuller, a former engineer in Apple's BSD Technology Group who served as one of the main hands in the "Month of Apple Bugs" project, has already released his own third-party patch for the breach alongside a proof-of-concept exploit that crashes a fully patched browser.
"It may be difficult to exploit, but it's a fairly long time to be sitting on a public issue," Fuller warned. Mac OS X users concerned about the threat can install the third-party patch (which requires special software to run) or disable Java in the Web browser to reduce the chance of downloading an image file with a payload.
Filed under: troubleshooting
ZERO!!!
BTW, what incentive do I have to download this image file? Do I get a cupcake or something?
We are?
btw, sun owns java and if anyone remembers sued msft for 'modifying the java code', so someone please explain how apple is supposed to fix java code anyway?
Otherwise many other software coding tools are available these days, some better, some more secure and others I really haven't messed with that much; and because of this I doubt that java will be around too much longer to 'vandalize our mac browsers' and I'm hardly excited at all about faux mac security issues...
ZERO!!!
So your view of security holes and patches is "Don't bother making a patch for a 'problem' UNTIL it's been hacked!"?
And how do you know no one's been affected? Until someone actually realizes they've been hacked, anyone could be on your computer now watching all that you do (or running spam-bots or the like).
However, what's the point of patching the problem if a patched browser can be crashed?
Would you rather have the browser crash or allow a remote exploit running?
Sun has addressed it. Please note the article text. They released a patch in May.
wow, this must be why steve stated at the WWDC that java was an 'old has been-ware', now i completely understand what he meant, even if I'm just paraphrasing.
So it's has-been-ware, which is reason enough not to fix the problem?
btw, sun owns java and if anyone remembers sued msft for 'modifying the java code', so someone please explain how apple is supposed to fix java code anyway?
Microsoft was NOT modifying java code, they were writing their own Java interpreter, called it a Java VM, but it did not conform to the Java standard. That's what they were sued for. A comparison would be Apple calling OS 10.3 or 10.4 Unix, when they were not certified as passing Unix certification (they have now, though, for Leopard).
OTOH, Apple has Sun's source code and is responsible for updating it for the Mac platform. Sun couldn't give a crap about making Java work on OS X, so Apple licensed the code to perform the work. And Apple shows how much they care, which you can tell about how far behind Java is on OS X vs. Sun's supported platforms.