Wednesday, May 20, 2009

Serious Mac OS X Java Vulnerability Disclosed

Via ThreatPost -

There is an easily exploitable vulnerability in the Java implementation in Apple's Mac OS X which could allow an attacker to run arbitrary code on a remote machine. The flaw, which is similar to a vulnerability that has been public for five months and affects other vendors' products, affects even the most recent version of OS X, which was released last week.

The vulnerability allows an attacker to escape the Java sandbox in vulnerable implementations and run code with the same permissions as the user. Julien Tinnes, a researcher who has been working with the vulnerability for several months, said it was "close to the holy grail of client-side vulnerabilities." The best workaround right now is to disable Java in your browser.

"I've been wanting to talk about this for a while. I was holding off, while Apple was working to patch this vulnerability. Unfortunately, it is still not patched in their latest security update from just a few days ago. I believe that since this vulnerability has already been public for almost 6 months, making MacOS X users aware that Java needs to be disabled in their browser is the good thing to do," Tinnes wrote in a blog post on the vulnerability.

The Java vulnerability also was present in other products, but has been fixed. Tinnes said that while many other client-side flaws are memory corruption vulnerabilities, this Java flaw is not.

"This one is a pure Java vulnerability. This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers! Mine has been tested on Firefox, IE6, IE7, IE8, Safari and on MacOS X, Windows, Linux and OpenBSD and should work anywhere," he wrote in his post.

Tinnes, along with another researcher, used the bug in the Pwn2own contest at CanSecWest earlier this year to compromise both Firefox and Safari on Mac OS X.

There is a proof-of-concept demonstration of the attack that exploits the vulnerability available on Landon Fuller's advisory page on the Java bug.

-----------------------

As noted by Landon Fuller...over five months ago, CVE-2008-5353 and other vulnerabilities were publicly disclosed, and fixed by Sun.

So the real question is...why didn't Apple include this fix in their recent (10.5.7) update?

I guess CVSS 10.0 isn't high enough to worry about...or even inform their users about?

Apple's "Security Through PR" fails again.

More information here.
