Update: TidBITS writes that Apple has released a patched version of Java that fixes this issue. It is available through Software Update.
CVE-2008-5353 is a critical Java vulnerability that was discovered back in August 2008 and patched by Sun Microsystems a few months later. However, Apple has failed to release a patched version of Java, even in the latest 10.5.7 update! CVE-2008-5353 is described as follows:
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets and applications to gain privileges via unknown vectors related to "deserializing calendar objects."
Since Apple failed fix this vulnerability in the latest update to OS X (10.5.7), Landon Fuller, a programmer and former Apple Engineer, released a proof-of-concept demonstrating the exploit. The demonstration is done by launching a Java applet in your web browser and using the exploit to run the /usr/bin/say command on your Mac to "speak" some words through your speakers. This may not sound very dangerous, but this same exploit could be used to run malicious code on your Mac without your even knowing it!
So, how can I protect myself?
For now, all you can do is entirely disable Java in your browsers to ensure no Java applets are allowed to run. The good news is that chances are you probably don't depend on Java anyway (remember, Java is not JavaScript). And if you find yourself needing to run something that does require Java (the browser will alert you with a message saying the Java plugin isn't installed), you can always re-enable Java in your browser while you're using the applet, and then disable it again when you're done. Inconvenient, yes, but worth it. This is one nasty vulnerability, and with all the publicity it's been getting lately, there's bound to be more malicious code in the wild just waiting to hijack your system.
Disabling Java in Firefox
In Firefox, choose from the menu, Firefox -> Preferences. Then select the Content tab and un-check the Use Java option:
Disabling Java in Safari
(applies to both Safari 3 and Safari 4 Beta)
In Safari, choose from the menu, Safari -> Preferences. Then select the Security tab and un-check the Enable Java option:
Update: TidBITS writes that Apple has released a patched version of Java that fixes this issue. It is available through Software Update.
Good to know. I use firefox with noscript. Am I protected?
It looks like the Firefox NoScript plugin blocks Java too, so you *should* be safe. 🙂
Dumb question du jour: I’ve read everything at Sun and at Wikipedia about Java, Flash, et al., and YET, I’m still feeling vague about why one does or does not need Java if one is not a gamer. What ordinary, everyday, commonplace occasions does it come into play for someone like me — marketing and public relations; heavy-duty researcher (on and off the ‘net); lots of graphic design, professional writing, iPhoto and Keynotes usage; and general business purposes sans spreadsheets.
I’m not usually so dense….
There are a LOT of business-type applications written in Java. One that I use frequently is the ETRADE LiveCaster which shows me live stock quotes and lets me manage my account.
The average user, however, probably doesn’t use Java on the web and that’s why I recommend disabling it.