A critical vulnerability in the version of Java included with Mac OS X currently puts Macs at serious risk. Java, a programming language that can allow applications to run easily on multiple platforms and embedded in web pages, has a serious flaw that can allow local code to be executed remotely. This can lead to “drive-by attacks”, where users are attacked simply by visiting a malicious web site and loading a web page. If a Java applet is loaded in a web browser, and malicious code is run, this flaw can allow hackers to run code and potentially access or delete files on any Mac, and run applications for which the user has permission. In addition, if this flaw is executed together with a privilege escalation vulnerability, hackers could remotely run any system-level process and get total access to any Mac.
Apple has been aware of this vulnerability (CVE-2008-5353) for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue. Security researcher Landon Fuller has published a proof-of-concept Java applet that exploits this vulnerability to demonstrate how easy it is to run code remotely.
Malicious Java applets can also be circulated by other means, for example, as attachments to e-mail messages. A program called Applet Launcher allows users to run Java applets by double-clicking them.
For now, Intego has not found any malicious applets in the wild, but the publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update. VirusBarrier X5 currently blocks this proof-of-concept malware, and will be updated to block any malicious Java applets that are discovered.
The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.
If you use Firefox, this setting is found on the Content tab of the program’s preferences.
Intego VirusBarrier X5 with virus definitions dated May 20, 2009 or later detects this proof-of-concept applet and will be updated to block any malicious Java applets that are discovered. Intego recommends that users never download and install software from untrusted sources or questionable web sites, and that people use care when opening unexpected attachments to e-mail messages, even from friends and colleagues.
Read the full Intego Security Memo.