Unpatched OS X Java Vulnerabilities Drawing Attention
Programmer and former Apple engineer Landon Fuller has released a proof-of-concept exploit demonstrating vulnerabilities in Apple's current implementation of Java that allow arbitrary code execution in Java-enabled Web browsers. While the vulnerabilities, first discovered last August, were disclosed and patched by Sun last December, Apple has yet to roll out a fix for its own implementation of Java.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.
Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.
With the recent release of OS X 10.5.7 failing to address the vulnerabilities, Fuller decided to create and release his proof-of-concept exploit in order to bring attention to the severity of the issue. The proof-of-concept exploit uses a browser-based Java applet to activate the Unix "say" command on the user's system and recite a statement regarding the exploit initiating an innocuous process.
The only recommended workaround at this time is to disable Java applets in all browsers and to disable the 'Open "safe" files after downloading' option in Safari. Disabling Java applets will cause some websites to behave incorrectly, but no other protection against exploits of the vulnerabilities is available until Apple releases a patch.
Popular Stories
iOS 18.3 was released last month, so the first iOS 18.4 beta should be coming soon. iOS 18.4 is expected to be a more substantial update for the iPhone, with several new features and changes related to Apple Intelligence and beyond.
Apple's website suggests that iOS 18.4 will be released in April, following beta testing. Below, we outline what to expect from the update so far.
Apple...
If you pay for iCloud storage on your iPhone, Apple has a new perk for you, at no additional cost.
iCloud+ is the official name for Apple's paid iCloud storage plans, which range from 50GB for $0.99 per month to 12TB for $59.99 per month in the United States. iCloud+ plans already come with multiple perks for free, such as Hide My Email and HomeKit Secure Video, and now there is another one...
Apple's next-generation iPhone SE could debut as soon as next week with a launch to follow later in February, reports Bloomberg's Mark Gurman. Apple isn't expected to hold an event for the iPhone SE 4, and will instead unveil the device through a press release.
The iPhone SE 4 is expected to have an iPhone 14-style design, with Apple eliminating the thick bezels and Touch ID Home button of...
Apple is internally testing iOS 18.3.1 for iPhones, according to our website's analytics logs, which have been a consistently reliable indicator of upcoming iOS versions. The software update should be released within the next few weeks.
iOS 18.3.1 should be a minor update that addresses software bugs and/or security vulnerabilities. Apple Intelligence notification summaries for news and...
Apple hasn't refreshed the Apple TV since 2022, but rumors suggest that we're finally going to get an update in 2025. We don't have a full picture of what to expect yet, but we have some hints on what's coming.
Subscribe to the MacRumors YouTube channel for more videos.
Updated A-Series Chip
The current Apple TV 4K uses the A15 Bionic chip that was in the iPhone 13 lineup, and it's time for...
The British government has secretly demanded that Apple give it blanket access to all encrypted user content uploaded to the cloud, reports The Washington Post.
The undisclosed order is said to have been issued last month, and requires that Apple creates a back door that allows UK security officials unencumbered access to encrypted user data worldwide – an unprecedented demand not before...
Last year, we reported that Apple sued its former software engineer Andrew Aude for providing journalists with confidential information about the company's future plans, including details about the Journal app, Vision Pro headset, and more.
As reported by 9to5Mac, the Superior Court of Santa Clara County on Thursday dismissed the lawsuit after Apple and Aude reached an agreement to resolve...
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps.
Below, we outline which U.S. states and territories offer the feature, and additional states that have committed to rolling it out in...