ZDNet UK / News and Analysis / Security / Security Management

Apple fixes months-old Java bug

By Matthew Broersma, ZDNet.co.uk, 16 June, 2009 15:10

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Java, Mac OS X, Flaw, Apple, Patch

NEWS

Apple has issued a patch for Mac OS X that fixes a serious Java security flaw publicly disclosed six months ago, following criticism from security researchers.

The vulnerability affects a number of platforms running Java, and it was patched weeks earlier by most other operating-system vendors. Apple said its patch, published on Monday, updates Mac OS X's Java to include security fixes delivered by Sun in December.

The flaw is fixed in Mac OS X 10.5.7 and Mac OS X 10.4.11, available from Apple's website or via OS X's built-in software update mechanism.

In May, security researcher Julien Tinnes publicised the vulnerability of OS X to the bug, after he noted that Apple had not included a fix in its most recent patch.

"Unfortunately, it is still not patched in [Apple's] latest security update from just a few days ago," he wrote in a blog post.

Security firm Intego joined in the criticism of Apple at the time. "Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," the company said in an advisory.

Also in May, researcher Landon Fuller published a proof-of-concept exploit demonstrating the danger posed by the bug to Mac systems. "Unfortunately, it seems that many Mac OS X security issues are ignored, if the severity of the issue is not adequately demonstrated," he wrote in an advisory.

The bug (designated CVE-2008-5353 in the Common Vulnerabilities and Exposures database) was first reported to Sun in August of last year, and was patched by Sun in December. It allows a remote attacker to take over a system, and was ranked as 'highly critical' by security vendor Secunia.

Exploits taking advantage of the flaw can be written in pure Java code, meaning they work on multiple platforms, Tinnes said. He recommended that Mac OS X users disable Java in their web browsers.

"This one is a pure Java vulnerability," Tinnes wrote. "This means you can write a 100 percent reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers."

Java is enabled by default in Mac OS X browsers such as Firefox and Safari, and Tinnes said he had successfully exploited the Java bug on both browsers.

Related stories

Sun introduces Java app store

Red Hat's strategy to 'future-proof' Java

Mac OS X vulnerable to critical Java bug

Apple releases Flashback tool for Mac OS X 10.5

IPv6 security: What you need to know

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

61253

An OS X perspective Filenames beginning with a dot/period (.) should not be equated with HFS Plus resource forks; misunderstandings around ._ (dot...

23 minutes ago by 61253 on SharePoint deployment: Pitfalls of a pioneer
ians1

There are many legal download sites for music at least that do not charge an arm and a leg like itunes or Napster. The "real" cost of an mp3 file...

2 hours ago by ians1 on The Pirate Bay infringes copyright, High Court decides
Jon Howells

@Crupal.. How does refusing your websites cookies help my privacy? A quick look at your page script reveals four sets of code provided by 3rd...

9 hours ago by Jon Howells via Facebook on Privacy watchdog to chase big companies over cookie law
Paul Carloss

There are hundreds, if not thousands of filesharing torrent sites, The Pirate Bay (TPB) is only one of them, while the TPB is blocked many more...

9 hours ago by Paul Carloss via Facebook on The Pirate Bay infringes copyright, High Court decides
Rebin Simpson

So could users DownGrade if the new OS didn't worked correctly ?

12 hours ago by Rebin Simpson on Sony delivers on Xperia Ice Cream Sandwich promise
duncanjmurray

Hmmm, I thought that with SSDs you could get to the mythical ubuntu 10 sec boot time? Is this not the case?

12 hours ago by duncanjmurray on Netbook Upgrade - SSD IN, Windows OUT
JoshArg

Thanks once again! I have installed Linux Mint 13 (Maya) everything runs well but.. bluetooh is not present, "there is no blueetooth adapter" do...

13 hours ago by JoshArg on Samsung N150 Plus Netbook - Ubuntu Netbook Edition 10.04
zdnetukuser

@JAW-- There’s a better-than-even chance that, had you made another choice of SSD, you would have noticed no improvement in battery life...

1 day ago by zdnetukuser on Netbook Upgrade - SSD IN, Windows OUT
Amb Rose

Please stop connecting the 'ATeam' to the UK Anonymous collective. Anonymous and the ATeam are not connected. The ATeam are not part of, affiliated...

2 days ago by Amb Rose via Facebook on UK Anonymous keeps up DDoS barrage on ICO
cpupal

Hi All I have looked into the cookie law today, there are a few solutions that these websites can use. Just add the widget and update your policy...

2 days ago by cpupal on Privacy watchdog to chase big companies over cookie law
dropz42

I read that many of the governments own websites are not yet compliant...shouldn't they sort that out before chasing others - slightly hypocritical !

2 days ago by dropz42 on Privacy watchdog to chase big companies over cookie law
Charles McLellan

@larrylisser Thanks for the feedback; you're quite right to surmise that the article's main point was to inform about developments in cloud-based...

2 days ago by Charles McLellan on VideoMeet: cloud-based video communication
J.A. Watson

@zdnetukuser - Thanks for pointing this out. I must admit that the relative power consumption of different manufacturers and models was something...

2 days ago by J.A. Watson on Netbook Upgrade - SSD IN, Windows OUT
J.A. Watson

@stevoparsons - You are absolutely right, I do expect a new system that is being connected to the Internet for the first time to pick up updates....

2 days ago by J.A. Watson on Windows Update Never Stops Sucking
zdnetukuser

@JAW-- Ya done good, boy. After two years of sifting and filtering data, it seems that the two lowest-power-consumption SSDs on the market are...

2 days ago by zdnetukuser on Netbook Upgrade - SSD IN, Windows OUT
stevoparsons

what else would you expect from turning on a machine for the first time; and at it has never been connected to the internet, and is loaded with an...

2 days ago by stevoparsons on Windows Update Never Stops Sucking
J.A. Watson

@JoshArg - Yes, you can erase the entire disk without worrying about messing up anything. In fact it can be even easier than that - your idea of...

3 days ago by J.A. Watson on Samsung N150 Plus Netbook - Ubuntu Netbook Edition 10.04
larrylisser

Having been around video for years now - and around companies that have innovated in efforts to push the industry forward - it's great to see...

3 days ago by larrylisser on VideoMeet: cloud-based video communication
Karen Friar

Thanks for your comment. We mainly wanted to mark the fact that the RC is available for those who do not follow the project closely. We will know...

3 days ago by Karen Friar on Linux Mint 13 release candidate arrives
zdnetukuser

All perfectly good information, but nothing new. Surely you have been in contact with M. Lefebvre, researched the matter, and can tell us when the...

3 days ago by zdnetukuser on Linux Mint 13 release candidate arrives

Latest in Security Management

Apple releases Flashback tool for Mac OS X 10.5

IPv6 security: What you need to know

SOCA raids 'e-commerce-style' card data sites

Featured white papers

Eight questions about your intrusion security solution

HP

Eight questions about your intrusion security solution

Are you confused about your intrusion security systems? Separate the intrusion prevention contenders from the pretenders with these essential... Read more

Hacktivism: Threats and reality for IT managers

ZDNet UK

Hacktivism: Threats and reality for IT managers

As high-profile breaches involving consumer data become the norm, this guide looks at where hacking is heading and what individuals can do to protect against possible attacks, from securing data to creating more secure email... Read more

Delivering software security in the cloud

HP

Delivering software security in the cloud

This document describes in detail how HP Fortify on Demand works and what it can accomplish for companies seeking to test the security of their... Read more

Inside ZDNet UK

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls

Netbook Upgrade - SSD IN, Windows OUT

Netbook Upgrade - SSD IN, Windows OUT

EonNAS Pro 800

EonNAS Pro 800

PCI compliance on virtual architecture

PCI compliance on virtual architecture

Top travel apps for the iPhone

Top travel apps for the iPhone

SharePoint 2010: A migration odyssey

SharePoint 2010: A migration odyssey

Ubuntu 12.04 LTS: The morning after

Ubuntu 12.04 LTS: The morning after