Frustrated researcher posts Mac attack code

Blames tardy Apple.

A frustrated security researcher has posted the attack code that exploits a long-standing security problem in the Mac OS X operating system, to draw attention to the fact that Apple has yet to ship the update, months after others fixed the flaw.

The software, which could be used by hackers to run unauthorised software on a Mac, was posted Tuesday by Landon Fuller, a security researcher in San Francisco. It exploits a nasty bug in the Java software that ships with Mac OS X. This bug was fixed by Java's creator, Sun Microsystems, on 3 December, but Apple has still not included the fix in its software updates.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller wrote in a blog posting describing the issue. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept."

Fuller's proof of concept code runs Mac's Say software to make the computer say "I'm executing an innocuous user process", but it could be adapted by criminals to run malicious programs on the computer.

Security vendor SecureMac advises Mac users to disable Java in their web browser until Apple fixes the issue. "This vulnerability could be exploited to perform 'drive-by-downloads' commonly used as a means to infect computers with spyware, or any arbitrary command with the permissions of the executing user," the company said in a note on its website. "All a user has to do is visit a web page hosting a malicious Java applet to be exploited."

Apple would not say when it plans to patch the bug, but a company spokeswoman said Wednesday that Apple is "aware of the issue and we are working on a fix." The company released security updates for its Mac OS software just last week.





