
SecureMac reports on the Mac OS X Java vulnerability

Landon Fuller posted a proof-of-concept exploit for an unpatched
vulnerability in the Java Runtime Environment currently in use by OS
X. While this particular proof-of-concept is meant to be harmless,
the vulnerability itself currently affects OS X, including OS X
10.5.7, the latest shipping version of OS X. This vulnerability could
be exploited to perform “drive-by downloads,” commonly used as a means
to infect computers with spyware, or to run any arbitrary command with
the permissions of the executing user. All a user has to do to be
exploited is visit a web page hosting a malicious Java applet. Until
Apple patches their implementation of Java, we recommend that users
disable Java applets in their web browser.

Users can disable Java applets in Safari by opening Safari
preferences, clicking the Security tab, and unchecking the “Enable
Java” checkbox. Users should also disable the ‘Open “safe” files
after downloading’ option under the General tab of the Safari
preferences. This vulnerability can also be exploited in the Firefox
web browser, or any browser that can run Java applets. Further
information about this exploit can be found at:
http://landonf.bikemonkey.org/code/Mac OS X/CVE-2008-5353.20090519.html

SecureMac will keep users updated as more news about this exploit
becomes available. http://www.securemac.com/java.php
