The Mac Observer

Researcher Posts Proof-of-Concept Hack to Prod Apple Into Fixing Exploit

May 22nd, 2009 at 4:42 PM - News by Bryan Chaffin

Security researcher Landon Fuller has posted a proof-of-concept Mac OS X hack for a known Java security exploit in order to prod Apple into fixing it. Stating plainly that, "This link will execute code on your system with your current user permissions," Mr. Fuller published both a Web page that will exploit the vulnerability, and instructions for others to do the same.

The vulnerability, tracked as CVE-2008-5353, is an issue with Sun's Java Virtual Machine (JVM), which is incorporated into Mac OS X. Sun released a patch for the vulnerability in December of 2008.

Mr. Fuller wrote in a blog post, "CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable."

Apple, which maintains and manages the JVM implementation in Mac OS X, hasn't fixed the problem for Mac users, and Mr. Fuller decided to take the matter into his own hands by publicly demonstrating how much trouble this vulnerability could cause.

"Unfortunately, it seems that many Mac OS X security issues are ignored [by Apple] if the severity of the issue is not adequately demonstrated," he wrote. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Mr. Fuller is a long-time researcher of Mac OS X and iPhone issues, and an open source developer. In addition to the exploit and instructions, he also posted a workaround for the problem, which instructs users to disable Java applets in their browser and to make sure "Open 'safe' files after downloading" is unchecked.

Brian Krebs at the Security Fix desk of The Washington Post compiled a chart of when Apple fixes issues in the JVM and found that Apple averages 166 days to patch JVM issues after Sun has already patched those same issues for Windows. That puts this particular vulnerability just under Apple's average delay, though Mr. Fuller appears interested in Apple dramatically shortening these delays.

8 Observer Comments

Is this for Java or JavaScript? I am thinking that it is for Java and for over a year I have had that turned off in Safari.

Doh!

I just read Ted’s blog and I see that the exploit is for Java.

Java off.

Never liked it anyway.

I don’t like java either, but I think Apple tends to be lazy about patching security vulnerabilities sometimes. So far we’ve been lucky, and I think sometimes they are complacent as a result.

C’mon, Apple. Do the patch already.

Mark Thomas said on May 23rd, 2009 at 7:41 AM:

If this jacka** really wanted to be helpful he would leverage this exploit to disable Java on people’s machines.

I disagree. Apple has been ignoring this. Right now all he has done is post a proof of concept. If he were to disable java on people’s machines, then that’s actually hacking people’s systems and he could be legally liable, even if it was for good intent.

And Apple clearly needs to get motivated to fix this. He’s providing the motivation. I think it’s wrong when people find a vulnerability and immediately publish. But when the company has been told and does nothing for months, then it’s irresponsible not to let people know there’s a problem and what it is.

If I recall correctly, Landon Fuller was the one who was quickly releasing patches for issues found in MOAB a couple of years ago, so he has had the reputation of being a help, not a hindrance.
