IBM's ISS X-Force -- a threat analysis service providing intelligence on a wide array of threats that may affect network security -- issued an alert to detail the danger of leaving the weakness unfixed: "Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file." The Google engineer who initially discovered the flaw said he dealt only with Sun's security response team to disclose the threat, adding that Sun itself usually coordinates a warning to all affected customers -- which in this case includes Apple -- when a vulnerability surfaces. Security specialist Landon Fuller, who as a former engineer in Apple's BSD Technology Group helped as one of the main hands in the "Month of Apple Bugs" project, already released his own third-party patch for the breach alongside a proof-of-concept exploit that crashes a fully patched browser. "It may be difficult to exploit, but it's a fairly long time to be sitting on a public issue," Fuller warned. Mac OS X users concerned about the threat can install the third-party patch (which requires special software to run) or disable Java in the Web browser to reduce the chance of downloading an image file with a payload.