Network World
Security experts: No Java fix in OS X leaves Macs vulnerable

By Nick Spence , Macworld.co.uk , 05/21/2009

Last week's sizable Mac OS X 10.5.7 update, which included 20 bug fixes as well as a number of security updates, failed to fix a critical Java flaw, security experts have warned.


The news comes more than six months after Sun first warned of the flaw in the version of its Java Runtime Environment that OS X still ships. The flaw was present in OpenJDK, GIJ, IcedTea and Sun's JRE, but all of those have since been fixed; Apple's bundled Java is the outlier.

Apple has been criticized for its sluggish patching of third-party components, particularly open-source code, that it bundles with Mac OS.

Open-source developer Landon Fuller reported on the vulnerability on Tuesday, warning that the flaw "allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a Web page hosting the applet. The issue is trivially exploitable."

Users can disable Java applets in Safari by opening Safari preferences, clicking the Security tab, and unchecking the Enable Java checkbox.

Fuller suggests Mac OS X users disable Java applets in their browsers and also turn off Safari's "Open 'safe' files after downloading" option. He also offers a proof of concept to demonstrate the issue: a link that, when visited, executes code on your system with your current user permissions.
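The two mitigations described above (Java applets off, automatic opening of "safe" downloads off) are easy to forget on a fleet of machines, so an administrator will want a way to check them rather than trust that users clicked through Safari's preferences. The script below is an added example, not code from the article or from Landon Fuller: it audits a Safari preferences plist and emits the `defaults write` commands that would apply the two settings. It assumes the Safari-era preference keys `WebKitJavaEnabled` and `AutoOpenSafeDownloads` in the `com.apple.Safari` domain, and that a missing key means Safari's default (enabled). The sample plist is constructed for the example.

```python
"""Audit a Safari preferences plist for the two mitigations recommended
against the unpatched Java sandbox-escape: Java applets disabled and
"Open 'safe' files after downloading" turned off.

Added example, not from the article.  Assumptions: the preference keys
WebKitJavaEnabled and AutoOpenSafeDownloads (com.apple.Safari domain) and
Safari's default of both being enabled when the key is absent.
"""
import plistlib
from pathlib import Path

DOMAIN = "com.apple.Safari"
JAVA_KEY = "WebKitJavaEnabled"          # assumed key name for "Enable Java"
SAFE_FILES_KEY = "AutoOpenSafeDownloads"  # assumed key name for "Open 'safe' files"
DEFAULT_PREFS_PATH = Path.home() / "Library" / "Preferences" / f"{DOMAIN}.plist"

# Constructed sample: Java explicitly on, AutoOpenSafeDownloads absent
# (so it takes Safari's default of enabled).  Neither mitigation applied.
SAMPLE_UNPATCHED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>WebKitJavaEnabled</key>
    <true/>
    <key>HomePage</key>
    <string>http://www.apple.com/</string>
</dict>
</plist>
"""

# Constructed sample: both mitigations applied.
SAMPLE_HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>WebKitJavaEnabled</key>
    <false/>
    <key>AutoOpenSafeDownloads</key>
    <false/>
</dict>
</plist>
"""


def audit_safari_prefs(plist_bytes):
    """Parse a Safari plist (XML or binary) and report which mitigations are
    missing.  An absent key is treated as Safari's default (enabled), so a
    fresh profile is correctly reported as exposed."""
    prefs = plistlib.loads(plist_bytes)
    java_enabled = bool(prefs.get(JAVA_KEY, True))
    auto_open = bool(prefs.get(SAFE_FILES_KEY, True))
    findings = []
    if java_enabled:
        findings.append("Java applets enabled: untrusted applets can run")
    if auto_open:
        findings.append("Open 'safe' files after downloading enabled")
    return {
        "java_enabled": java_enabled,
        "auto_open_safe_downloads": auto_open,
        "findings": findings,
    }


def remediation_commands(audit):
    """Return the `defaults write` commands that turn off whatever the audit
    found enabled.  Empty when both mitigations are already in place."""
    cmds = []
    if audit["java_enabled"]:
        cmds.append(f"defaults write {DOMAIN} {JAVA_KEY} -bool false")
    if audit["auto_open_safe_downloads"]:
        cmds.append(f"defaults write {DOMAIN} {SAFE_FILES_KEY} -bool false")
    return cmds


def audit_file(path=DEFAULT_PREFS_PATH):
    """Audit the plist at `path`; a missing file means Safari has never been
    configured and so runs with its defaults (both mitigations absent)."""
    path = Path(path)
    if not path.exists():
        return audit_safari_prefs(b"<plist version='1.0'><dict/></plist>")
    return audit_safari_prefs(path.read_bytes())


if __name__ == "__main__":
    for label, blob in (("unpatched", SAMPLE_UNPATCHED_PLIST),
                        ("hardened", SAMPLE_HARDENED_PLIST)):
        result = audit_safari_prefs(blob)
        print(f"[{label}] findings: {result['findings'] or 'none'}")
        for cmd in remediation_commands(result):
            print("  fix:", cmd)
```

Run it with no arguments to see the constructed samples; call `audit_file()` on a real machine to check the current user's Safari profile. Safari must be restarted for changed preferences to take effect, and this only covers Safari: the article's advice is to disable Java in every browser installed, since the flaw is in the Java runtime rather than in any one browser.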

Julien Tinnes also offers details on his security-focused cr0 blog about how dangerous the Java flaw is for Mac users.

"This one is a pure Java vulnerability. This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers! Mine has been tested on Firefox, IE6, IE7, IE8, Safari and on Mac OS X, Windows, Linux and OpenBSD and should work anywhere. This is close to the Holy Grail of client-side vulnerabilities."
