Criticisms stir Apple to finally fix Java flaw
Written by Rebecca Mints   
Saturday, 20 June 2009 22:20

Amid growing criticism from security researchers over a bug that has gone unpatched for months in Mac OS X’s Java, Apple finally issued a security patch on Tuesday.

A serious security flaw in Java was discovered by Sun six months ago. The vulnerability affects several platforms that run Java, although most operating-system vendors, except Apple, issued patches immediately.

Last month, security expert Julien Tinnes and security firm Intego together published criticisms of Apple for neglecting to patch the bug and only issuing a security update months after its discovery.

“Apple has been aware of this vulnerability for at least five months since it was made public, but has neglected to issue a security update to protect against this issue,” said Intego in its security advisory.

Apple has now made the update available from its website. Users may also use OS X’s built-in software update mechanism. The patches are for Mac OS X 10.5.7 and Mac OS X 10.4.11.

The vulnerability, designated CVE-2008-5353 in the Common Vulnerabilities and Exposures database, was discovered by Sun as early as August 2008. The bug can allow a remote attacker to get into the system and take over all of the user's privileges. Security firm Secunia has categorized this bug as ‘highly critical’.

However, Tinnes has clarified that the bug exists only in Java, and that if users disable Java in their web browsers, the exploit will not work on the system.

“This one is a pure Java vulnerability. This means you can write a 100 percent reliable exploit in pure Java. This exploit will work on all platforms, all the architectures and all the browsers,” Tinnes stated in his blog post.




