Researcher Posts Proof-of-Concept Hack to Prod Apple Into Fixing Exploit

| News

Security researcher Landon Fuller has posted a proof-of-concept Mac OS X hack for a known Java security exploit in order to prod Apple into fixing it. Stating plainly that, "This link will execute code on your system with your current user permissions," Mr. Fuller published both a Web page that will exploit the vulnerability, and instructions for others to do the same.

The exploit, known as CVE-2008-5353, is an issue with Sun's Java Virtual Machine (JVM), which is incorporated into Mac OS X. Sun released a patch for the vulnerability in December of 2008.

Mr. Fuller wrote in a blog post, "CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable."

Apple, which maintains and manages the JVM implementation in Mac OS X, hasn't fixed the problem for Mac users, and Mr. Fuller decided to take the matter into his own hands and escalate the potential for trouble relating to this exploit.

"Unfortunately, it seems that many Mac OS X security issues are ignored [by Apple] if the severity of the issue is not adequately demonstrated," he wrote. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release a my own proof of concept to demonstrate the issue."

Mr. Landon is a long-time researcher of Mac OS X and iPhone issues, and an open source developer. In addition to the exploit and instructions, he also posted a workaround for the problem, which includes the instruction to disable Java applets in their browser, and to make sure "Open 'safe' files after downloading" is unchecked.

Brian Krebs at the Security Fix desk of The Washington Post wrote that after compiling a chart for when Apple fixes issues in the JVM that Apple averages 166 days to fix issues in the JVM after Sun has already patched those same issues for Windows. That puts this particular exploit just under Apple's average time, though Mr. Fuller appears interested in Apple dramatically shortening these delays.

Sign Up for the Newsletter

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday.

Comments

Lee Dronick

Is this for Java or JavaScript? I am thinking that it is for Java and for over a year I have had that turned off in Safari.

Lee Dronick

Doh!

I just read Ted’s blog and I see that the exploit is for Java.

Tiger

Java off.

Never liked it anyway.

hangtown

I don’t like java either, but I think Apple tends to be lazy about patching security vulnerabilities sometimes. So far we’ve been lucky, and I think sometimes they are complacent as a result.

Intruder

C’mon, Apple. Do the patch already.

Mark Thomas

If this jacka** really wanted to be helpful he would leverage this exploit to disable Java on people’s machines.

hangtown

I disagree. Apple has been ignoring this. Right now all he has done is post a proof of concept. If he were to disable java on people’s machines, then that’s actually hacking people’s systems and he could be legally liable, even if it was for good intent.

And Apple clearly needs to get motivated to fix this. He’s providing the motivation. I think it’s wrong when people find a vulnerability and immediately publish. But when the company has been told and does nothing for months, then it’s irresponsible not to let people know there’s a problem and what it is.

Intruder

If I recall correctly, Landon Fuller was the one who was quickly releasing patches for issues found in MOAB a couple of years ago, so he has had the reputation of being a help, not a hindrance.

Log-in to comment