Researcher Posts Proof-of-Concept Hack to Prod Apple Into Fixing Exploit

Security researcher Landon Fuller has posted a proof-of-concept Mac OS X hack for a known Java security exploit in order to prod Apple into fixing it. Stating plainly that, "This link will execute code on your system with your current user permissions," Mr. Fuller published both a Web page that will exploit the vulnerability, and instructions for others to do the same.

The exploit, known as CVE-2008-5353, is an issue with Sun's Java Virtual Machine (JVM), which is incorporated into Mac OS X. Sun released a patch for the vulnerability in December of 2008.

Mr. Fuller wrote in a blog post, "CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable."

Apple, which maintains and manages the JVM implementation in Mac OS X, hasn't fixed the problem for Mac users, and Mr. Fuller decided to take the matter into his own hands and escalate the potential for trouble relating to this exploit.

"Unfortunately, it seems that many Mac OS X security issues are ignored [by Apple] if the severity of the issue is not adequately demonstrated," he wrote. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release a my own proof of concept to demonstrate the issue."

Mr. Landon is a long-time researcher of Mac OS X and iPhone issues, and an open source developer. In addition to the exploit and instructions, he also posted a workaround for the problem, which includes the instruction to disable Java applets in their browser, and to make sure "Open 'safe' files after downloading" is unchecked.

Brian Krebs at the Security Fix desk of The Washington Post wrote that after compiling a chart for when Apple fixes issues in the JVM that Apple averages 166 days to fix issues in the JVM after Sun has already patched those same issues for Windows. That puts this particular exploit just under Apple's average time, though Mr. Fuller appears interested in Apple dramatically shortening these delays.