WatchGuard Wire
Improve Your Security IQ
Old Java vulnerability plagues fully updated OS X computers
29 May 09 -- Last week, the security community was rife with talk about an unpatched security vulnerability in Java on fully patched OS X machines -- and for good reason. If an attacker can lure you to a booby-trapped web site containing a malicious Java applet, he can exploit this flaw to execute code on your Mac with your privileges, without any further interaction on your part. To make matters worse, Apple has known about this flaw for over six months, yet it still hasn't released a patch to fix it.
Apple's sluggish reaction to this vulnerability aggravated Landon Fuller (a security researcher) enough that he decided to release a Proof-of-Concept (PoC) exploit for it. His PoC exploit is harmless: it essentially forces your Mac to talk to you (using the say command). If you are especially brave, you can test the PoC on your Mac by visiting this link (do so at your own risk). However, Fuller also posted his PoC source code, and a smart attacker could easily modify it to do something a lot more sinister. I typically don't appreciate researchers who release PoC exploits before vendors release their patches. That said, I do understand Fuller's irritation at Apple's snail-pace reaction to this vulnerability.
So how do you protect yourself until a patch ships? According to Fuller, you should disable Java applets in your browser and disable 'Open "safe" files after downloading' in Safari. Disabling Java is the mitigation that matters most, since the flaw is in the Java plug-in itself and any page you visit could carry a malicious applet. If you use Firefox, the NoScript extension will also prevent Java applets from running by default. Finally, if you consider yourself a power user, you could even roll your own Java patch. Marc Schoenefeld provides instructions on how to do that here. However, I wouldn't attempt that workaround unless you really know what you're doing, and you should still expect to install Apple's official update when it arrives. -- Corey Nachreiner, CISSP
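As an added illustration (this script is not from the article or from Fuller), here is a small POSIX shell script that audits and applies the two Safari settings recommended above using defaults(1). The preference key names WebKitJavaEnabled and AutoOpenSafeDownloads in the com.apple.Safari domain are assumptions about the Safari preferences of that era; confirm them on your own machine with `defaults read com.apple.Safari` before relying on the script, and quit Safari before running it so the change is not overwritten when Safari exits.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits and hardens the two
# Safari preferences the article recommends turning off while the Java flaw
# is unpatched. Key names are ASSUMED; verify with `defaults read com.apple.Safari`.

SAFARI_DOMAIN=com.apple.Safari

# safari_pref_enabled KEY FALLBACK
# Returns 0 when the boolean preference KEY is on. defaults(1) prints 0/1 or
# true/false; if the key is absent Safari uses its built-in default, so the
# caller passes that default as FALLBACK (both of these keys default to on).
safari_pref_enabled() {
    key=$1
    fallback=$2
    val=$(defaults read "$SAFARI_DOMAIN" "$key" 2>/dev/null) || val=$fallback
    case "$val" in
        1|true|TRUE|yes|YES) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 (exposed) if either risky setting is still on, 1 if both are off.
safari_java_exposed() {
    exposed=1
    if safari_pref_enabled WebKitJavaEnabled 1; then
        echo "Java applets are still enabled in Safari"
        exposed=0
    fi
    if safari_pref_enabled AutoOpenSafeDownloads 1; then
        echo "'Open \"safe\" files after downloading' is still enabled"
        exposed=0
    fi
    return $exposed
}

# Turn both settings off. Returns non-zero if either write fails.
harden_safari_java() {
    defaults write "$SAFARI_DOMAIN" WebKitJavaEnabled -bool false &&
    defaults write "$SAFARI_DOMAIN" AutoOpenSafeDownloads -bool false
}

# Command-line use on a Mac:  sh safari-java.sh --audit   or   sh safari-java.sh --fix
case "${1:-}" in
    --audit)
        if safari_java_exposed; then exit 1; fi
        echo "Safari is not exposed to Java applets"
        ;;
    --fix)
        harden_safari_java || { echo "defaults write failed" >&2; exit 1; }
        if safari_java_exposed; then exit 1; fi
        echo "Safari hardened; restart Safari to apply"
        ;;
esac
```

Running `sh safari-java.sh --audit` reports which of the two settings is still on and exits non-zero if either is; `--fix` writes both keys to false and re-audits. The audit deliberately treats a missing key as "enabled", because Safari ships with both settings on, so a fresh profile with no stored preference is still exposed.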
Copyright© 2009 WatchGuard® Technologies, Inc. You may copy and distribute this article freely in any medium as long as you copy and distribute the entire article without change and preserve this copyright statement and notice.