Everyone but Apple has fixed a JAVA vulnerability that was reported last August (according to this guy):
It is time to talk about my favorite client-side vulnerability ever. Surprisingly (if you know me), this is a Java vulnerability, or rather a class of Java vulnerabilities that allows to completely bypass the Java sandbox and execute arbitrary code remotely in Java enabled web browsers.
This was found by
Sami Koivu. He reported
the first instance of it (CVE-2008-5353) to Sun on August 1st 2008 and this instance has been
fixed by Sun on December 3rd 2008. These vulnerabilities are both technically interesting and have a lot of impact.
Since they share core classes, OpenJDK, GIJ, icedtea and Sun's JRE were all vulnerable at some point. And unfortunately, this vulnerability is still not fixed everywhere yet.
I've been wanting to talk about this for a while. I was holding off, while Apple was working to patch this vulnerability. Unfortunately, it is still not patched in
their latest security update from just a few days ago. I believe that since this vulnerability has already been public for almost 6 months, making MacOS X users aware that Java needs to be disabled in their browser is the good thing to do.
http://blog.cr0.org/2009/05/write-once-own-everyone.html
