Despite Discovery Six Months Back, Macs Still Inflicted with Java Flaw
It has been more than six months since Sun Microsystems warned of a hole in its Java system that allowed attackers to run malicious code on end-users' systems with little effort. The flaw remains unpatched on Apple's Mac platform.
To demonstrate the severity of the flaw, former Apple engineer Landon Fuller has recently released a proof-of-concept for it, as reported by SCMagazine on May 19, 2009.
Fuller says that an end-user with an unpatched system could be infected simply by visiting a website that hosts a malicious Java applet. An applet capable of executing arbitrary code could carry out any activity on the end-user's computer, and that activity would appear as if the user were performing it.
According to Bas Alberts, a researcher at Immunity, the flaw and others like it are essentially the kind of bug that allows an attacker to compromise everything on the system, as reported by The Register on May 19, 2009. Apple's attack code aiming at the flaw is written in Java script and proves equally effective on systems running Linux, Mac OS X or Windows.
Notably, most other operating systems, including major Linux distributions and Windows, patched the flaw long ago. Security specialists welcomed that response, given that the flaw was frequently exploited on the Net. Apple, however, took no action, even though it released major OS X updates as recently as the second week of May 2009.
Dino Dai Zovi, an independent security researcher and one of the authors of The Mac Hacker's Handbook, states that Apple has generally been somewhat sluggish in applying upstream security patches for Java, as reported by The Register on May 19, 2009. Dai Zovi adds that every time Apple is slow to respond to a well-publicized vulnerability, the delay matters, because hackers can exploit the vulnerability without hindrance and without having to make a new discovery of their own.
According to the security researchers, to prevent exploitation of the flaw, OS X users should disable Java applets in their browsers and also turn off the "Open safe files after downloading" feature in Safari.
SPAMfighter News - 25-05-2009