First, let me say that I am a Mac user I have 5 Macs and I work as a Systems Security Engineer.

Guest States: "Yes, and exactly how many Mac users have reported being hacked by someone using this exploit?"

I have a better question. How many users would even know if they were hacked? Do you think alarms sound, lights flash, and bells go off? I've used security tools in controlled lab environments. You can get root on UNIX systems without any apparent crash or event. The security savvy might detect this, but most wont.

Johnny Niles States: "Not a single occurrence of anybody using this exploit".

OK Johnny Niles, how do you know this for a fact? Name yours sources.

Here is a FACT! According to SANS "Apple Macs are being targeted for many of the same types of attacks as Windows - this week (08/07/2007) both specially crafted PDFs and malicious web sites have been shown to be able to infect Mac OS-X and Safari and various third-party applications included with OS-X." That came right from SANS @Risk newsletter and SANS would not lie. There are Mac exploits in the wild! Get a clue people!

Nativenyer States: "It’s an exaggeration to make it seem like this is such a critical issue"

OK, maybe remote code execution is not a critical issue to you, but it should be. Hackers love people with that sort of it won't happen to me attitude. Remote code execution is a gold mine for hackers.

Jad713 states: "BTW, what incentive do I have to download this image file? Do I get a cupcake or something?"

You don't have to be enticed to download anything. In recent months, very mainstream websites have had banner ads that were capable of infecting systems if the ad was clicked. Myspace has been used as a vector, PHP forums, etc.

At the moment, Macs are more secure that Windows. Partly due to architecture and partly due to the fact that they are under the radar of organized crime. Make no mistake; some of the exploits in the last 1.5 years could have been used to own your Mac. Macs are NOT invincible bastions of security. As Apple market share grows, the likelihood of becoming a target to organized crime will also grow.

People are happy that no Macs have been attacked? This is basically an admission that Macs are irrelevant. If a remote code execution vulnerability on Windows went unpatched for a year, there would be a 12-month virus outbreak. Remote code execution vulnerabilities are highly critical—it allows you execute code on another person's machine just by visiting a Web site! How is that NOT critical?

So, the only conclusion that can be drawn here are that Macs are not being targeted because nobody cares about the Macs small market share.

Also, to those who say this is Sun's responsibility, you should use Google once in a while. It's very easy to prove that Apple itself, internally, develops the Java Runtime for Mac OS X.

"There are Mac exploits in the wild! Get a clue people! "

mactarian, please give me a link to at least one of those exploits. I'm dying to see one. I mean real exploits, not the kind "please run this file and see what happens" - those are user exploits rather than software exploits.

fubar_this, if Mac is irrelevant to hackers I'm happy. Why shouldn't I be?

...waiting to be fixed "since...", I don't know if any of you ever noticed this one: the principle is if you subtract 10 times 1/10 from 1 you should obtain 0 as a result... Now try to do this in a spreadsheet (Excel or whatever, no matter the OS/platform/processor). Just type 1 in the cell A1; in A2 type this formula "=A1-0.1"; copy this formula to the cells A2 through A11. Now look at what is displayed in A11: shouldn't be 0? The "solution" is to change the format of that cell from Automatic to Number...

Don't know why nobody ever noticed this "bug": it exists since Lotus 1-2-3 r1 (don't know if on Visicalc on the Apple // too..)

You must not have followed the links on the MacNN article. The author of the non-Apple fix has an innocuous demo of the Java exploit that this article refers to. Here is the 3rd Party Fix. http://landonf.bikemonkey.org/code/macosx/CVE-2007-2788.20070814.html

Warning, this can crash your browser!!!!! Change the link to http. nothttp://landonf.bikemonkey.org/static/moab-tests/CESA-2006-004/CESA-2006-004-ICC.html

Warning, venture into the links on these websites at your own risk.

Here are several Apple exploits from Tom Ferris at Security Protocols. If you read through the individual advisories, there are links to working but innocuous examples of the exploit. Again use them at your own risk! http://security-protocols.com/security-protocols-advisories-and-research/

Milw0rm has several Mac exploits available, here is source code for a Quick Time. http://www.milw0rm.com/exploits/3064

There are other sources, but you get the point.

Here is a link to the SANs @risk article that I referenced. Read the very first paragraph. The SANs Institute is a highly reputable security resource.

http://www.sans.org/newsletters/risk/display.php?v=6&i=32&portal=9a353c92f20f28d9fbeb9388d588cc35

From the island of Java.

Thank you for the links, mactarian. I checked them and on the first link browser truly did hang. I had to force quit it. As for other listed vulnerabilities I cannot check them because of outdated versions of software they require to work.

Now, call me careless, but I can't see browser crash as a security vulnerability. Safari do crash, though very rarely for me, and I consider this as a minor inconvenience, not as a threat.

I have no doubt in SANs credibility in doing their job - finding and identifying security threats. What I strongly doubt is the conclusion they draw, that Apple pays little attention to security threats. I measure security level of a platform with only tool that matters - statistics. And statistics is mute on Apple security breaches. If all those bugs could be easily exploited then why there're no mac viruses appearing in my inbox monthly (the ones that get there are for Windows only)? Why no one complains on data theft? In fact, the only people I hear loudly complaining on mac security are hackers, not regular users. For me this does say a lot.

There is no unbreakable system, but there is safest.

Viktorcode: "Now, call me careless, but I can't see browser crash as a security vulnerability. Safari does crash, though very rarely for me, and I consider this as a minor inconvenience, not as a threat. "

To fully understand this, you have to have knowledge of CPU memory architecture and programming. I'm not a guru at either.

Keep in mind the demo that crashed your browser was not intended to be malicious. It was intended to show an overflow that has great potential to be further modified into a working exploit.

Here is a grossly oversimplified explanation. A hacker may be able use the exploit that crashed your browser to push a payload of code of their choosing into a region on the processor and execute it.

There are many different types of exploits, for example a common one is a buffer overflow. With buffer overflow vulnerability, they may be able to overflow a buffer region on the processor with X number of junk bytes as padding payload and X number of bytes of code they want to execute. When they overflow the buffer, the code portion of the payload gets overflowed "pushed" into a buffer region on the processor where it is then executed by the processor. So, with a working exploit, the possibilities can be numerous and quit dangerous.

Some great books to read on the subject are the Hacking Exposed series. They will do a much better job of explaining this than I can here at MacNN.

The typical hacker has changed over the last few years from a teenager, looking for kicks and notoriety to organized crime, looking for vast profits. Organized crime wants computers to use as bot-nets. Bot-nets can be utilized to earn profit by sending spam or to extort money from companies with a DDOS attack. Organized crime is much more interested in targeting corporate data stores that can be used for extortion, wire fraud, or identity theft. For years, the Mac's miniscule 3% market share rendered it as a statistically insignificant target for hackers. Simply stated, hackers are after the money and they are not going to focus their efforts for a platform that is simply insignificant in the corporate world.

Macs do have some superior security features to Windows. However, they have had some vulnerabilities in their subsystems such as the browser or QuickTime that have had the potential to be hit by drive-by methods. This is exactly what the SANs article said was happening with the PDF files in August. If the Mac market share continues to grow, you will be very likely to see more of these sorts of attacks. Again, it’s all about where the easy money is.

That being said, when it comes to computer security, you don’t want to put yourself in a position where ignorance is bliss. Blind faith in any platform is dangerous.

Mactarian:

"Johnny Niles States: "Not a single occurrence of anybody using this exploit".

OK Johnny Niles, how do you know this for a fact? Name yours sources. "

I have a better idea. How about you prove that it exists in the wild. Just show us even one occurance. A single shred of evidence that it exists.

When you can't do it, you'll know why I said there hasn't been a single occurance of this exploit.