Frustrated researcher posts Mac attack code
Blames tardy Apple.
By Robert McMillan, IDG news service
Published: 10:01 GMT, 21 May 09
A frustrated security researcher has posted attack code that exploits a long-standing security flaw in Mac OS X, to draw attention to the fact that Apple has yet to ship a fix, months after Sun patched the same bug.
The software, which could be used by attackers to run unauthorised code on a Mac, was posted on Tuesday by Landon Fuller, a security researcher in San Francisco. It exploits a serious bug in the Java runtime that ships with Mac OS X. Sun Microsystems, Java's creator, fixed the bug on 3 December 2008, but Apple has still not included the fix in its software updates.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller wrote in a blog posting describing the issue. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept."
Fuller's proof-of-concept code runs the Mac OS X `say` text-to-speech command to make the computer say "I'm executing an innocuous user process". The same technique could be adapted by criminals to run any program of their choosing, with the privileges of the logged-in user.
Security vendor SecureMac advises Mac users to disable Java in their web browser until Apple fixes the issue. "This vulnerability could be exploited to perform 'drive-by-downloads' commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user," the company said in a note on its website. "All a user has to do is visit a web page hosting a malicious Java applet to be exploited."
Apple would not say when it plans to patch the bug, but a company spokeswoman said on Wednesday that Apple is "aware of the issue and we are working on a fix." The company released security updates for Mac OS X just last week.
Comments
DanTe | Published: 16:11 GMT, 21 May 2009
Will you folks please STOP waking the mac-tards up? Please! Just stop! A lot of folks depend on these stupid mac-tards for additional funding.
Steve | Published: 13:22 GMT, 21 May 2009
Hmmmm... I wonder which parts of the terms "negligence" and "class action" Apple doesn't understand. There's plenty of law suggesting that exclusionary clauses in contracts (i.e., license agreements) lose more and more of their effectiveness as the degree and nature of negligence grow increasingly severe. Apple may find itself unable to rely on its own exclusion clauses if what they've done (or failed to do) has the effect of depriving users of the very thing they bargained for when they bought OS X -- that is, the legendary security of the Apple operating system. This could get interesting.