CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 20th, 2009

High Risk Of Malicious Code Execution Attacks Due To Mac OS X 6-month Old Java Flaw

Tired of waiting for a patch from Apple for a Java flaw that was fixed upstream six months ago, Mac developer Landon Fuller (of Month of Apple Bugs/Fixes fame) has released a proof-of-concept exploit to demonstrate the severity of the issue. The vulnerability in question is CVE-2008-5353, which was publicly disclosed and fixed by Sun in January this year.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. As a result, an untrusted Java applet may execute arbitrary code when a user merely visits a web page hosting the applet. The issue is trivially exploitable.

Fuller writes:

Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated. Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue.

If you visit the following page, “/usr/bin/say” will be executed on your system by a Java applet, with your current user permissions. This link will execute code on your system with your current user permissions. The proof of concept runs on fully-patched PowerPC and Intel Mac OS X systems.

Fuller recommends that Mac OS X users disable Java applets in their browsers (both Firefox and Safari) and disable ‘Open “safe” files after downloading’ in Safari.

Credit: ZDNet.com Security Blogs
