Java on Mac proof of concept exploit released

Landon Fuller, a security researcher, posted a proof-of-concept exploit for a known Java vulnerability on Mac OS X in order to pressure Apple into fixing it.

From The Mac Observer:

“This link will execute code on your system with your current user permissions.” Mr. Fuller published both a Web page that will exploit the vulnerability, and instructions for others to do the same. “CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.”

Apple has yet to fix the Java security exploit on Mac OS X.

“Unfortunately, it seems that many Mac OS X security issues are ignored [by Apple] if the severity of the issue is not adequately demonstrated,” he wrote. “Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue.”

Until Apple ships a fix, it is recommended to disable Java in your web browser (in Safari: Preferences, Security, uncheck “Enable Java”) so that a malicious applet on a web page cannot run on your machine.
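For readers who want to audit the mitigation above across several Macs rather than click through Safari's Preferences, the following shell script is an added example (not from the original post or from Mr. Fuller). It assumes that Safari of that era stores the “Enable Java” checkbox in the `WebKitJavaEnabled` key of the `com.apple.Safari` preferences domain, that `defaults read` prints `1`/`0` for enabled/disabled and fails when the key has never been set, and that an unset key means Safari's default of Java enabled. The classification logic is kept separate from the `defaults` calls so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not part of the original post): audit whether Safari's Java
# plug-in is enabled, and optionally turn it off from the command line.
#
# Assumption: `defaults read com.apple.Safari WebKitJavaEnabled` prints 1 when
# Java is enabled, 0 when disabled, and exits non-zero when the key was never
# set (Safari then falls back to its default, which is Java enabled).

# Classify a raw preference value into a human-readable state. The value is
# passed as an argument so the logic runs without a Mac (e.g. in a test).
classify_java_pref() {
  case "$1" in
    0)  echo "disabled" ;;
    1)  echo "enabled" ;;
    "") echo "enabled (key unset, Safari default)" ;;
    *)  echo "unknown value: $1" ;;
  esac
}

# Read the live preference; empty output means the key is absent.
read_safari_java_pref() {
  defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null || true
}

# Disable Java in Safari; same effect as unchecking "Enable Java" in
# Preferences > Security. Safari picks the change up on next launch.
disable_safari_java() {
  defaults write com.apple.Safari WebKitJavaEnabled -bool false
}

# Run the audit only where the `defaults` tool exists (i.e. on Mac OS X).
# Pass "fix" as the first argument to also disable Java when it is enabled.
if command -v defaults >/dev/null 2>&1; then
  state=$(classify_java_pref "$(read_safari_java_pref)")
  echo "Safari Java plug-in: $state"
  case "$state" in
    enabled*)
      if [ "${1:-}" = "fix" ]; then
        disable_safari_java
        echo "Safari Java plug-in: now disabled"
      fi
      ;;
  esac
fi
```

Run it as `sh audit_safari_java.sh` to report the state, or `sh audit_safari_java.sh fix` to disable Java when it is found enabled. Note that this only covers Safari's checkbox; other browsers on the same machine keep their own Java setting.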
