The company issued its latest security updates only last week

May 21, 2009 11:03 GMT

Apple has reportedly left unpatched a critical vulnerability in Sun's Java platform, for which it develops its own software updates. The company released its latest batch of updates for Mac users just last week and is now taking fire from security researchers and the Mac blogosphere for failing to include a patch. Hackers have reportedly posted attack code for the bug, showing their discontent with Apple's superior approach of not patching a known hole in Sun's cross-platform Java.

Macworld takes on the topic, noting that the particular vulnerability is rather technical. In a nutshell, the site sums up what researchers explain in more technical terms: a Java applet loaded in one's Web browser (Safari) could execute arbitrary code with the current user's permissions. Landon Fuller, a Mac OS X developer, is said to have a proof of concept of the bug on his website. The developer carefully outlines the steps Mac users need to take in order to prevent any negative outcomes from the unpatched vulnerability.

Basically, the workaround is to disable the “open ‘safe’ files after downloading” option in Safari and to turn off Java support in the Web browser. Unfortunately for those who rely on Java for their day-to-day activities, there is no alternative workaround, meaning an Apple security update is the only solution for them. It is worth noting that the Mac maker has generally lagged behind when it comes to issuing Java updates. It has been revealed that Hewlett-Packard, Red Hat, and SUSE have already patched the otherwise cross-platform vulnerability.

Security vendor SecureMac also advises Mac users to disable Java in their Web browser until Apple fixes the issue. “This vulnerability could be exploited to perform 'drive-by-downloads' commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user,” a company note on the SecureMac site reads. “All a user has to do is visit a web page hosting a malicious Java applet to be exploited.”

An Apple spokeswoman told the press on Wednesday that the company was aware of the issue and that it was working on a fix. OS X users can expect the update to appear in their Macs' Software Update as early as this weekend, although next week seems like a more realistic scenario.