Printed from http://www.macnn.com

Mac users still waiting for security patch

updated 02:25 pm EDT, Thu August 23, 2007

Unpatched Java flaw

Mac users are still waiting for a fix for a critical Java runtime vulnerability discovered by Google's security team in October of 2006. The hole, which could allow malicious users to execute code remotely on a victim's Mac, lies within Sun's Java ICC profile parsing code. Sun issued an update in May of this year to plug the hole on Solaris, Linux, and Windows systems but offered no sign of an update for Mac owners. The unfixed security concern leaves millions of Mac OS X users with Java enabled in their Web browsers vulnerable to would-be crackers, who need only coax unsuspecting users into downloading a specially crafted JPEG or BMP image file to execute code on the target system or cause a JVM crash, according to ZDNet.

IBM's ISS X-Force -- a threat analysis service providing intelligence on a wide array of threats that may affect network security -- issued an alert to detail the danger of leaving the weakness unfixed:

"Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file."
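For administrators checking systems against the version range in that alert, the following added example (not code from MacNN, Sun or X-Force) parses a Sun-style JDK version string and reports whether it falls before the fixed builds the alert names. The function names and sample strings are constructed for illustration, and treating releases above the 1.6 line as unaffected is an assumption based only on the alert's wording.

```python
import re

# Fixed builds exactly as named in the advisory text quoted above.
FIXED_1_5 = (1, 5, 0, 11, 3)   # 1.5.0_11-b03
FIXED_1_6 = (1, 6, 0, 1, 6)    # 1.6.0_01-b06

# major.minor.micro, optional _update, optional -bNN build suffix.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")


def parse_version(text):
    """Return (major, minor, micro, update, build) from a version string."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError("no Java version found in %r" % text)
    # A missing update or build counts as 0, so an ambiguous string that
    # ties with a fixed release is reported as affected (the safe side).
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def is_affected(text):
    """True if the version falls in the range the advisory describes."""
    version = parse_version(text)
    line = version[:2]
    if line > (1, 6):
        return False                 # assumption: outside the advisory's text
    if line == (1, 6):
        return version < FIXED_1_6
    return version < FIXED_1_5       # literal reading of "before 1.5.0_11-b03"


# Constructed sample strings, not output captured from real systems.
SAMPLES = ['java version "1.5.0_07"', "1.5.0_11-b02", "1.5.0_11-b03",
           "1.6.0-b105", "1.6.0_01-b06"]


def audit(samples):
    """Map each version string to its affected/not-affected verdict."""
    return {sample: is_affected(sample) for sample in samples}


if __name__ == "__main__":
    for sample, hit in audit(SAMPLES).items():
        print("%-28s %s" % (sample, "AFFECTED" if hit else "ok"))
```
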

The Google engineer who initially discovered the flaw said he dealt only with Sun's security response team to disclose the threat, adding that Sun itself usually coordinates a warning to all affected customers -- which in this case includes Apple -- when a vulnerability surfaces.

Security specialist Landon Fuller, a former engineer in Apple's BSD Technology Group who was one of the main hands in the "Month of Apple Bugs" project, has already released his own third-party patch for the flaw alongside a proof-of-concept exploit that crashes a fully patched browser.

"It may be difficult to exploit, but it's a fairly long time to be sitting on a public issue," Fuller warned. Mac OS X users concerned about the threat can install the third-party patch (which requires special software to run) or disable Java in the Web browser to reduce the chance of downloading an image file with a payload.




by MacNN Staff

Comments

  1. Guest

    And how many...

    Yes, and exactly how many Mac users have reported being hacked by someone using this exploit?

    ZERO!!!

  1. Johnny Niles

    Bingo

    Not a single occurrence of anybody using this exploit, at all, ever, at least in the wild. So saying "Mac users" are waiting for a fix is really, really, blatantly inaccurate.

  1. jad713

    Does it make a difference

    Ok, I think fixing problems is a good thing. It seems troubling that Apple hasn't fixed this yet. However, what's the point of patching the problem if a patched browser can be crashed?

    BTW, what incentive do I have to download this image file? Do I get a cupcake or something?

  1. nativeNYer

    inaccurate?

    It's not inaccurate to say we're waiting for a fix (because it's not here yet), but it's an exaggeration to make it seem like this is such a critical issue that all us Mac users are cowering under our beds or something waiting for Sun to fix this. No-one seems to be worried, except of course for the uber-paranoid security freaks. Still, it would be nice if Sun allocated a programmer or two to issue a fix for us.

  1. bloggerblog

    umm…

    "Mac users still waiting for security patch"

    We are?

  1. ClevelandAdv

    what arbitrary code?

    It would be nice to know what type of code could be run. Is the only possible problem a browser crash? I have been on many sites that seem to hang endlessly, so I am not concerned about that. If this could compromise my files or other software, then it is an issue that Sun should address.

  1. hokizpokis

    skinny, winney

    wow, this must be why steve stated at the WWDC that java was a 'old has been-ware', now i completely understand what he meant, even if I'm just paraphrasing.

    btw, sun owns java and if anyone remembers sued msft for 'modifying the java code', so someone please explain how apple is supposed to fix java code anyway?

    Otherwise many other software coding tools are available these days, some better, some more secure and others I really haven't messed with that much; and because of this I doubt that java will be around too much longer to 'vandalize our mac browsers' and I'm hardly excited at all about faux mac security issues...

  1. testudo

    Re: how many

    "Yes, and exactly how many Mac users have reported being hacked by someone using this exploit? ZERO!!!"

    So your view of security holes and patches is "Don't bother making a patch for a 'problem' UNTIL it's been hacked!"?

    And how do you know no one's been affected? Until someone actually realizes they've been hacked, anyone could be on your computer now watching all that you do (or running spam-bots or the like).

    "However, what's the point of patching the problem if a patched browser can be crashed?"

    Would you rather have the browser crash or allow a remote exploit running?

  1. jbruner

    Pseudo?

    OK, first, just because no one has reported or seen an exploit doesn't mean it doesn't exist. Smart people who make an exploit don't always advertise it. They use it.

  1. testudo

    sun

    "If this could compromise my files or other software, then it is an issue that Sun should address."

    Sun has addressed it. Please note the article text. They released a patch in May.

    "wow, this must be why steve stated at the WWDC that java was a 'old has been-ware', now i completely understand what he meant, even if I'm just paraphrasing."

    So it's has-been-ware, which is reason enough not to fix the problem?

    "btw, sun owns java and if anyone remembers sued msft for 'modifying the java code', so someone please explain how apple is supposed to fix java code anyway?"

    Microsoft was NOT modifying java code, they were writing their own Java interpreter, called it a Java VM, but it did not conform to the Java standard. That's what they were sued for. A comparison would be Apple calling OS 10.3 or 10.4 Unix, when they were not certified as passing Unix certification (they have now, though, for Leopard).

    OTOH, Apple has Sun's source code and is responsible for updating it for the Mac platform. Sun couldn't give a c*** about making Java work on OS X, so Apple licensed the code to perform the work. And Apple shows how much they care, which you can tell about how far behind Java is on OS X vs. Sun's supported platforms.
