Author Topic: OS X Java Security Flaw Still Unfixed...  (Read 1560 times)

Offline gunug

  • TS Addict
  • *****
  • Posts: 6710
  • TS Palindrome
    • View Profile
OS X Java Security Flaw Still Unfixed...
« on: May 20, 2009, 09:54:11 AM »
Everyone but Apple has fixed a JAVA vulnerability that was reported last August (according to this guy):

QUOTE
It is time to talk about my favorite client-side vulnerability ever. Surprisingly (if you know me), this is a Java vulnerability, or rather a class of Java vulnerabilities that allows to completely bypass the Java sandbox and execute arbitrary code remotely in Java enabled web browsers.

This was found by Sami Koivu. He reported the first instance of it (CVE-2008-5353) to Sun on August 1st 2008 and this instance has been fixed by Sun on December 3rd 2008. These vulnerabilities are both technically interesting and have a lot of impact.

Since they share core classes, OpenJDK, GIJ, icedtea and Sun's JRE were all vulnerable at some point. And unfortunately, this vulnerability is still not fixed everywhere yet.

I've been wanting to talk about this for a while. I was holding off, while Apple was working to patch this vulnerability. Unfortunately, it is still not patched in their latest security update from just a few days ago. I believe that since this vulnerability has already been public for almost 6 months, making MacOS X users aware that Java needs to be disabled in their browser is the good thing to do.

http://blog.cr0.org/2009/05/write-once-own-everyone.html
« Last Edit: May 20, 2009, 10:06:33 AM by gunug »
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"

Offline Mayo

  • TS Addict
  • *****
  • Posts: 3215
    • View Profile
    • http://

Offline kbeartx

  • TS Addict
  • Posts: 6772
    • View Profile
    • http://
OS X Java Security Flaw Still Unfixed...
« Reply #2 on: May 20, 2009, 05:51:53 PM »
Just wondering, is it possible that the alleged risk associated with leaving this 'security flaw' un-patched is perhaps in the realm of paranoia and fear-mongering and that the actual 'risk' is completely theoretical, un-proven, minuscule, or non-existent in the real world?

I'm not asserting that this is the case since I have no evidence to support that assertion, but I am questioning the evidence presented [or lack thereof] to support the position that 'this is a*serious flaw* and now that it's been identified, we need to fix it, ASAP!'.

Kb cool.gif
« Last Edit: May 21, 2009, 12:35:50 PM by kbeartx »

Offline gunug

  • TS Addict
  • *****
  • Posts: 6710
  • TS Palindrome
    • View Profile
OS X Java Security Flaw Still Unfixed...
« Reply #3 on: May 21, 2009, 07:55:40 AM »
I've heard this somewhere before:

http://www.techsurvivors.net/forums/index....showtopic=21137

Maybe it bears repeating! wink.gif
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"

Offline Mayo

  • TS Addict
  • *****
  • Posts: 3215
    • View Profile
    • http://
OS X Java Security Flaw Still Unfixed...
« Reply #4 on: May 21, 2009, 10:16:57 AM »
I noticed the the earlier thread after I started this one...


 oops.gif

« Last Edit: May 21, 2009, 11:49:08 AM by chriskleeman »