Stephen Withers
Wednesday, 20 May 2009 08:24
Opinion and Analysis
Page 3 of 3
Furthermore, Tinnes advised users of other operating systems to do the same, even if they have updated Java recently: Java has "a huge attack surface and it suffers from many other security vulnerabilities," he asserted.
The lack of a fix in Mac OS X 10.5.7 was also noted by Landon Fuller, one of the developers of SoyLatte (a port of Java 6 to Mac OS X, now part of the OpenJDK BSD-Port project) and the co-ordinator of the community project that provided temporary patches for the flaws revealed by the Month of Apple Bugs until Apple delivered official fixes.
"[T]hese vulnerabilities remain in Apple's shipping JVMs," he observed.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated.
"Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue," he added.
If you're curious (and trusting) enough to try Fuller's proof of concept, you'll find a link to it here.
I've already disabled Java in my browsers. It'll be interesting to see how long it will be before I really do need to turn it back on. I recently tested an MFD that uses a Java applet to enable scanning to a computer without installing any software, but apart from that I can't remember the last time I noticed a Java applet loading.
Better safe than sorry.