So, this was thrown up a few days ago:
http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
There are two things about this that bug me:
1) It actually works. Take the "say" command, replace it with your favorite "rm" command, and stick it on a popular site. One password entry later, your hard drive's gone.
2) No fix for it yet. His demonstration has been up for a little over a day now; why hasn't Apple posted a Java security update that actually addresses it? He even mentions in this blog that Sun found and patched this out of its own Java five months ago.
Either way, if you're using Mac OS X right now and haven't done so already, disable Java in your Web browsers. If you're using Safari, disable "Open safe files after downloading" (durr).
I've heard Sun's replacement will be released alongside v10.6. No clue about back-porting.
That's something I'd like to hear come out of a predicament like this. Well that, and a very rapid bug fix, be it from Sun or from Apple.
Apple just plain screwed up with Java on OS X. They spent way too much time bringing Java 6 over, and when it got here it was 64-bit Intel only. WTF? Still, users are stuck with the Java 5 browser plugin. A version that's three releases old. Java 5 is going ESOL in October.
I just disabled Java in all my browsers. Safest thing to do until Apple finally gets around to releasing Java update 4.
Probably not.
Unlike on a PC, where they just get shoved under a rug.
Did you miss the part where this same exploit hit PCs and Macs, but the PC side had it fixed first? Sure, it was up to Sun, not Microsoft, but we don't want to get into Apple vs Microsoft's patching schedule. Besides, Apple doesn't even have a patching schedule, doesn't offer hot fixes, and sometimes, like this time, leaves exploits unfixed long after everyone else has taken care of them. They haven't needed to be as security-minded in the past but they should really get on this stuff.
Seems to be working; applet just gives a bootstrap failure now. Isn't this more of an immediate security fix than a stability update bundle sort of thing, though?
That's quite the power you have, to redirect your poop out your mouth and onto the interwebs.
Because it's an open-palmed full-force slap to the face of the "Macs never get exploits, hurr durr" crowd?
Can trade TF2 items or whatever else you're interested in. PM me.
Interesting.
"Was cursing, in broken English at his team, and at our team. Made fun of dead family members and mentioned he had sex with a dog."
"Hope he dies tbh but a ban would do."
lol
If there are people who actually think like this, then I'm baffled. Macs always get exploits, I read about them online and in Apple's security patch release notes. They just never seem to get widespread, malicious worms/viruses based on said exploits. I don't know why, you'd think the perceived smugness (which isn't a legitimate representation of most Mac users) would be enough to drive some malware developers to kick over a sandcastle or two.
Yeah, but in this case, it "just works."
Really though, let me rephrase: it's the severity of the exploit which bugs me. We've seen OS X exploits publicized in the past, sure, but I don't think any of them have been quite as serious as this one. Would it be an issue if Sun were releasing Java for OS X? Apparently not, since they found this exact same exploit and fixed it nearly half a year ago.
As Epyon said, Apple screwed up with Java on OS X. It might not be likely, but I'll still hope that rumor Zack mentioned is accurate.
I think the reason most people hate Mac owners is Obs and his ilk. Highly visible minorities will fuck up anyone's image. Obs for continuing to stick to his guns though.
In any case, I can see Apple not releasing a patch for six months bothering you, but Apple doesn't exactly have control over the severity of exploits found.
Botnets are serious fucking business. Big companies keep talking about having a cluster of computers that can be hired out for distributed computing - I say, "Hi, welcome to the bot industry." They'd rather grab the big market for maximum ROI - ergo, the Macs get ignored at large.
It would truly have to be a "kick sand in their face" attitude that would fuel a Mac Attack. So I guess they're left alone mostly because they're not important enough to target. :P
Really? Huh, I didn't realize advisories had been posted a week before the patch, I only heard about it after.
And yes, Apple doesn't have control over exploits found, that is true. I suppose it's more the focus of the situation than anything else. I'm not happy with how Java is on OS X, and I doubt anyone else is either. I can only hope Apple thinks hard about reconsidering their deal with Sun when their own apathy towards Java begins to compromise one of their operating system's most coveted features.
Doing it wrong.