
No Java fix in Mac OS X 10.5.7

Opinion and Analysis

Mac OS X 10.5.7 failed to deliver a fix for a long-standing and relatively easily exploitable vulnerability in Java.

Apple doesn't have the best reputation for delivering timely security updates. Many months can pass between the arrival of an update for an open-source program used in Mac OS X and the release of an Apple security update that incorporates it.

Even when Apple receives reports of flaws in its own software, the company isn't always quick to respond. For example, a vulnerability disclosed as part of the Month of Apple Bugs (January 2007) wasn't fixed until Security Update 2008-001 arrived in February 2008.

Although Java is a Sun project, Java for Mac OS X is maintained by Apple. This means Mac users cannot simply install Sun's patched release themselves and must wait for Apple to ship the fix. (If a security fix is released for Apache or one of the other open-source components, affected users have the option of installing the new version without waiting for Apple.)

The first of a class of vulnerabilities in Java that allows applets in web pages to escape the Java sandbox was reported to Sun in August 2008 and fixed in December 2008.

At this year's Pwn2Own contest, its discoverer, Sami Koivu, and another security researcher, Julien Tinnes, demonstrated this vulnerability using an exploit written by Tinnes. Although they succeeded in subverting Safari and Firefox, the entry was disqualified because the underlying vulnerability had already been reported.

In his blog, Tinnes explains how the vulnerability can be used to give an applet whatever privileges the attacker wants.

How does it work? See page 2.


