Researcher Posts Proof-of-Concept Hack to Prod Apple Into Fixing Exploit
May 22nd, 2009 at 4:42 PM - News by Bryan Chaffin
Security researcher Landon Fuller has posted a proof-of-concept Mac OS X hack for a known Java security exploit in order to prod Apple into fixing it. Stating plainly that, "This link will execute code on your system with your current user permissions," Mr. Fuller published both a Web page that will exploit the vulnerability, and instructions for others to do the same.
The exploit, known as CVE-2008-5353, is an issue with Sun's Java Virtual Machine (JVM), which is incorporated into Mac OS X. Sun released a patch for the vulnerability in December of 2008.
Mr. Fuller wrote in a blog post, "CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable."
Apple, which maintains and manages the JVM implementation in Mac OS X, hasn't fixed the problem for Mac users, and Mr. Fuller decided to take the matter into his own hands and escalate the potential for trouble relating to this exploit.
"Unfortunately, it seems that many Mac OS X security issues are ignored [by Apple] if the severity of the issue is not adequately demonstrated," he wrote. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release a my own proof of concept to demonstrate the issue."
Mr. Landon is a long-time researcher of Mac OS X and iPhone issues, and an open source developer. In addition to the exploit and instructions, he also posted a workaround for the problem, which includes the instruction to disable Java applets in their browser, and to make sure "Open 'safe' files after downloading" is unchecked.
Brian Krebs at the Security Fix desk of The Washington Post wrote that after compiling a chart for when Apple fixes issues in the JVM that Apple averages 166 days to fix issues in the JVM after Sun has already patched those same issues for Windows. That puts this particular exploit just under Apple's average time, though Mr. Fuller appears interested in Apple dramatically shortening these delays.
8 Observer Comments
Is this for Java or JavaScript? I am thinking that it is for Java and for over a year I have had that turned off in Safari.
Doh!
I just read Ted’s blog and I see that the exploit is for Java.
Java off.
Never liked it anyway.
I don’t like java either, but I think Apple tends to be lazy about patching security vulnerabilities sometimes. So far we’ve been lucky, and I think sometimes they are complacent as a result.
C’mon, Apple. Do the patch already.
If this jacka** really wanted to be helpful he would leverage this exploit to disable Java on people’s machines.
I disagree. Apple has been ignoring this. Right now all he has done is post a proof of concept. If he were to disable java on people’s machines, then that’s actually hacking people’s systems and he could be legally liable, even if it was for good intent.
And Apple clearly needs to get motivated to fix this. He’s providing the motivation. I think it’s wrong when people find a vulnerability and immediately publish. But when the company has been told and does nothing for months, then it’s irresponsible not to let people know there’s a problem and what it is.
If I recall correctly, Landon Fuller was the one who was quickly releasing patches for issues found in MOAB a couple of years ago, so he has had the reputation of being a help, not a hindrance.
Recent Headlines - Updated November 10th
- Mon, 7:20 PM
- Rumor - Apple May Update iPod touch in December
- 6:45 PM
- Product News - MacUpdate Desktop Updated to 5.0.1 with New Features, Bug Fixes
- 5:16 PM
- Apple Releases Mac OS X 10.6.2 - Guest Account Bug Fixed, Much More
- 4:12 PM
- Games - New For iPhone: Star Rangers, Air Force Supremacy, Blood Beach, More
- 2:51 PM
- Apple Stock Watch - Radio Shack Jumps 14% on iPhone Deal, Apple Up 3%
- 2:25 PM
- Games - EA Scoops Up Social Games Publisher Playfish
- 1:51 PM
- Deal Brothers - Western Digital 1TB SATA Intellipower Hard Drive: $84.99
- 10:58 AM
- News - StarHub Signs Singapore iPhone Deal
- 10:36 AM
- Hot Forum Topic - Reader Speculation: What’s in Apple’s Tablet?
- 10:08 AM
- News - Apple Kicks Off New Credit Program
- 9:26 AM
- News - Apple Launches Reserve and Pick Up Program
- 8:49 AM
- News - ikee Worm Rickrolls Jailbroken iPhones
The Mac Observer Reader Specials
- TypeStyler For Mac OS X is Now Shipping! Download The Free Fully Functional 60 Day Tryout at www.typestyler.com
RamJet Memory: Mac Pro 8-core 8GB Kit $199.99, 4GB Kits $109.99! Sale on MacBook and MacBook Pro 8GB kits $549.99! New MacBook DDR3 2GB for $49.99. iMac and Mac mini 4GB Kits for $79.99! 1TB SATA Hard Drives for $109.99! Click here
OWC: Mercury On-The-Go FW800+USB2 up to 1.0TB. Bus Powered, no external power supply needed. Macworld Editors Choice, CNET Very Good Starting from $99.97, 500GB $159.99. Click here
If you're using a Mac, then you've gotta check out Full Tilt Poker for Mac. This Full Tilt Poker bonus code does the unthinkable, it actually rewards!For the latest Apple products use Ciao, a price comparison website, to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate mobile phones like the Apple iPhone.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
J&R ComputerWorld’s Weekend Sale - Sitewide Unbelievable Deals
OWC’s Garage Sale - Lots of New Goodies
Refurbished 13” MacBook Air 1.86GHz Intel Core 2 Duo $1249.00 Delivered
Refurbished iMac 24-inch 3.06GHz Intel Core 2 Duo: $1149.00 Delivered
Apple Refurbished 24” LED Cinema Display: $599.00 Delivered
