Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Bug Businesses Java Programming Apple

Apple Finally Patches Java Vulnerability 177

macs4all writes "Apple has finally addressed the Java vulnerability that nearly everyone else patched months ago. Available now for OS X 10.4 and 10.5, and through Apple's Software Update service, this update patches a flaw in the Java Virtual Machine that could potentially allow a malicious Java applet to execute arbitrary code on the machine. Apple had previously advised users to turn off Java temporarily in their Web browsers."
This discussion has been archived. No new comments can be posted.

Apple Finally Patches Java Vulnerability

Comments Filter:
  • SAD :( (Score:4, Insightful)

    by Anonymous Coward on Monday June 15, 2009 @07:27PM (#28342705)
    It is truly sad that Apple still just don't "Get" security. Makes me a sad panda to think it is going to take some sort of devastating worm or virus for them to finally wake up and smell the shit they are pumping out.
    • Re:SAD :( (Score:4, Funny)

      by QuantumG ( 50515 ) * <qg@biodome.org> on Monday June 15, 2009 @07:40PM (#28342821) Homepage Journal

      Yes, they believe their own press.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Apple has a special interest in being slow about Java. If Java "works beautifully and unproblematically" on the Mac, then that eats into the Cocoa market by a slippery slope of argument:

        1. "Why develop in Cocoa when Java works beautifully on Macs but can also run on other platforms too?"
        2. "Hey now we've got this wonderful Java thing that runs on Windows and Mac"
        3. "Hang on, there are 5 to 10 times as many Windows users so we should target the bigger market"
        4. "Hmm, looks like we're now treating Mac as a second-tier
        • Re: (Score:3, Informative)

          by ThePhilips ( 752041 )

          What a load of bull.

          Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve.

          And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit. Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks.

          The simple truth is that for Apple, Java was always and is a secondary/tertiary technology. What I heard from Linux's Java porters in past, Sun JDK/JRE is a total mess, demanding loads of

          • Re: (Score:3, Insightful)

            by dfghjk ( 711126 )

            "Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve."

            Nonsense, it just hasn't achieved it to date.

            "And now as more users and developers focus on notebooks, resource hungry Java applications are again bad fit."

            Tell that to Android.

            "Spinning cycles for nothing is forgivable on desktops and servers - not on notebooks."

            I think you got that backwards, fanboy.

            • "Mac OS software takes special pride in its taste and aesthetics - something Java can never achieve."

              Nonsense, it just hasn't achieved it to date.

              "To date"??? I was working with Java 1.0.x - and there were lots of promises made by Sun. None of which came to fruition. AWT was awful. Swing was a major fluke, only to be forgotten few point releases later. Yeah, they have very cool internal API, but no, they do not allow to develop nice looking and fast UI.

              Apple had in fact made Java libraries to allow to access Cocoa, but very few applications are using them. (None known to me actually.) Several applications use Java libraries in background, but for

    • Re: (Score:3, Insightful)

      by TinBromide ( 921574 )
      I get the funniest looks when I say that Apple has had the benefit of security via obscurity and when it comes to security measures, Apple is now at the point where Microsoft was in 1998. Yes, mod me troll, but as you do so, you know that Apple hasn't had the same trial by fire that Microsoft has. If you look at the yearly exploit conferences, OS X doesn't fare much better than Windows, and that's only because apple has the benefit of running a bsd based kernel. Picking a more secure solution from the get-g
      • Re:SAD :( (Score:5, Informative)

        by interactive_civilian ( 205158 ) <mamoru&gmail,com> on Monday June 15, 2009 @09:20PM (#28343519) Homepage Journal

        Apple is now at the point where Microsoft was in 1998.

        In 1998, there were tens of thousands of Windows viruses (I remember reading a number like over 40,000, but I can't find a source), while at the same time, MacOS 8 had 7 or so, all of which were protected from freely by the anti-virus program Disinfectant. While I can't find a direct source for my Windows numbers, here's an article [viruslist.com] that makes it look like 1998 was not a very good year for Windows viruses. Even if my memories are off by an order of magnitude or two, it still wasn't a good time for Windows and viruses.

        Are you honestly saying that Apple is at that point right now? We have yet to see an actual MacOS X virus in the wild, and there have been how many Trojans in the wild so far? 4?

        • by zonky ( 1153039 )
          You just can't 'protect' against "viruses" (malware is probably a better definition) with a signature based anti-malware app that is post-updated when viruses are discovered.

          That is no protection at all.

          • That is no protection at all.

            Well, that explains every Mac virus, trojan, adware, and any other malware you can think of I have ever been infected by in the 20 years I have been using Macintosh computer. All ZERO of them. And the last anti-virus or any other anti-malware software I used was Disinfectant, which was discontinued in May 1998. I've never even had to clean infected files off of a disk (versus the Windows side where my system has been infected once, disks and external drives have had to be cleaned many times from coming in

            • Re: (Score:3, Informative)

              by zonky ( 1153039 )
              OS X, like windows, or linux, is not immune to someone choosing to install malware, whether it is on grounds of greed, social engineering, or otherwise. So don't pretend that it isn't. i.e : http://www.chotocheeta.com/2009/01/23/apple-os-x-gets-a-virus-attack-p2p-distributed-iwork-09-comes-with-osxtrojaniservicesa-trojan-horse/ [chotocheeta.com]
              • Re: (Score:3, Informative)

                So don't pretend that it isn't.

                Ummm... Don't put words in my mouth?

                I am fully aware that no OS is immune to stupid users. If a user is dumb enough to type in his or her OS's equivalent to "sudo rm -rf /" then they deserve what they get. This is not the point I am trying to make.

                You seem to be continuing to ignore my point. The point is, in 1998, Microsoft had numerous malware problems, especially with viruses and worms (which would infect and spread with little or no user interaction). There were literally thousands of viruses, worms, a

                • Re:SAD :( (Score:4, Insightful)

                  by pjt33 ( 739471 ) on Tuesday June 16, 2009 @05:26AM (#28345835)

                  The post I replied to said that Apple is *now* where Microsoft was in 1998.

                  In fairness, the post you replied to said that

                  when it comes to security measures, Apple is now at the point where Microsoft was in 1998

                  not, "when it comes to number of worms, viruses and trojans, ...".

                  • I would also add that in 1998 the automatic patching and updates concept was brand new, and even the windows update site wasn't pushing patches, but rather desktop themes and other nonsense "add ons".

                    Apple has a really good updating service built into OSX, so good that I barely notice that it has done anything when it is finished. There aren't as many patches as I get bombarded with on Windows, but I still don't think that means "they are in 1998".
                  • In fairness, the post you replied to said that

                    Fair enough. However, to that point, I can only ask this: If Apple is in the same level of security and security vulnerabilities now as Microsoft was in 1998, then where are the exploits in the wild? So far, we have only seen a few trojans in the wild which dupe the users into typing in their own passwords (something that was notably absent in Win98 and Me...i.e. the need to dupe the user into typing in a password to exploit the system) to install the Trojan. What we did see in Windows in 1998 (and beyond)

        • by AHuxley ( 892839 )
          Still working on it, as a 'enter password for codec, plug, application installer" under OS X.
          Click a web link to own or download and own seems a while away in the wild?
          I would think the feds and smart hackers have all the Mac OS X tools needed.
          Mess with them and its like Windows, point and click.
          The low end of the script kid, hacker spectrum are only warming up it seems.
        • by dave420 ( 699308 )
          It isn't the number of viruses/trojans that defines how bad the situation is, but how potent each is, and how easy it is to disinfect. Getting caught up in numbers only serves to miss the actual issue entirely - safety. One virus that gives instant root access, which a manufacturer makes difficult to fix, is far more devastating than (say) 40,000 viruses that show pop-ups, especially if the manufacturer isn't getting in the way to fix.
      • Re:SAD :( (Score:4, Informative)

        by pauljlucas ( 529435 ) on Monday June 15, 2009 @09:35PM (#28343603) Homepage Journal

        ... [A]pple has the benefit of running a bsd based kernel.

        It's a Mach-based kernel in a BSD-like environment.

      • So the only reason that they're managing to stay secure is because they picked an inherently more secure operating system? Not to mention that they're actively patching a system which has to date never had a virus? Yeah, Apple really is dropping the ball on this one.

        I will, however, agree that it would be nice if Apple would be more timely; it's not like they don't have enough money to hire new programmers if the current bunch is spread around too thin. Telling people to just turn Java off for a few mont

      • by Lars T. ( 470328 )
        Fuck, you are crazy. In 1998, no wait, make that 2003, Windows was like swiss cheese, and Blaster made the Internet almost unbearable not only for Windows users. And you say "Apple is now at the point where Microsoft was in 1998"? I proclaim you Fanboi Numero Uno.
    • With the increasing use of Macs (Mac Minis, iMacs, Mac Pros and the MacBook series of notebooks) to connect to the Internet, the ignorance of Mac users to a potential major malware attack is something that Apple needs to address soon, because many Mac users think that they don't need malware protection. One major malware attack directed specifically against Macs will finally convince Mac users to address this issue very quickly, that's to be sure.

      Windows since Windows XP Service Pack 2 forces you to practic

    • by elrous0 ( 869638 ) *
      On Apple's, malware just works.
  • Old versions. (Score:4, Insightful)

    by saintlupus ( 227599 ) on Monday June 15, 2009 @07:32PM (#28342747)

    ...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.

    Not that Apple doesn't suck, but you don't really need to troll for reasons.

    (Bye, karma, nice knowing you...)

    --saint

    • Re:Old versions. (Score:5, Informative)

      by Anonymous Coward on Monday June 15, 2009 @07:43PM (#28342845)

      ...and this means that we can expect Vic20_love to come along any moment now and complain that his OS X 10.1 machine from 19-dickity-6 doesn't have a patch out yet, so Apple sucks.

      Apple sucks for different reasons:

      Apple PREVENTS Sun (by contract) from releasing java patches. Mac users get their java patches whenever Apple feels like it and gets a round to it [ituit.com].

      • by MrLint ( 519792 )

        I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?

        • Re:Old versions. (Score:4, Informative)

          by Anonymous Coward on Monday June 15, 2009 @08:21PM (#28343099)

          I'm not trying to grief, and it is certainly consistent with reality, but is this documented anywhere?

          Sure. Only Apple can release java for mac. Something about look & feel and/or quality assurance.

          http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]
          http://java.dzone.com/news/critical-mac-osx-java [dzone.com]

          Look at the "java downloads for all operating systems" webpage:

          http://www.java.com/en/download/manual.jsp [java.com]

          Notice that you can't download java for mac from Sun?

          • Re: (Score:3, Interesting)

            by jonwil ( 467024 )

            Maybe its time for Sun (who DO control Java) to tell Apple to change its ways (and give control of Java on the Mac to Sun so that Sun can fix stuff without having to wait for Apple).
            Its not like Sun needs Apple in order to produce Java for the Mac.

            Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
            How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?

            • Re:Old versions. (Score:5, Informative)

              by ThrowAwaySociety ( 1351793 ) on Monday June 15, 2009 @11:02PM (#28344161)

              ...Its not like Sun needs Apple in order to produce Java for the Mac.

              Sun did a JVM for the Classic Mac OS, and by all accounts it sucked. As in, it was barely usable. This is why Apple (contractually) locked Sun out of delivering Java on OS X. At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.

              Unfortunately, Apple no longer gives a shit about Java, and it shows. But Sun is still locked out, as far as I know.

              Or is this like the graphics drivers where only Apple has access to the "secret bits" necessary for a JVM to do all the things that the current Mac JVM does?
              How hard would it be to just port OpenJDK/IceTea/whatever to Mac and be done with it?

              There already is. It's the only way to get Java 6 on PowerPC and 32-bit Intel Macs, or on 10.4.x

              Unfortunately, it relies on X11 for its GUI, which is generally a big non-starter on the Mac. Also, I don't believe it's possible to use it as the JVM for Java applets in a browser, probably for the same reason.

              • Re: (Score:3, Insightful)

                by jonwil ( 467024 )

                Ok, so is there any reason why a proper native OpenJDK port (that works in all the browsers and doesn't use X11) wouldnt be possible? Is it just a case of "patches wanted" or are there undocumented/hidden/internal parts of OSX that only Apple can use that are needed for a full JVM?

                • Ok, so is there any reason why a proper native OpenJDK port (that works in all the browsers and doesn't use X11) wouldnt be possible? Is it just a case of "patches wanted" or are there undocumented/hidden/internal parts of OSX that only Apple can use that are needed for a full JVM?

                  I don't see why there would be any special legal or technical impediments over and above porting any other major codebase to the Mac. But, given the difficulty Apple has had doing the exact same thing with its official releases, it would not be a trivial set of patches. My understanding is that Apple creates an extensive mapping between Java GUI toolkits and its own, and also exposes a subset of OS X native APIs through custom com.apple packages. You could probably skip the latter without too much complaint

              • by Ant P. ( 974313 )

                At the time, Apple was bullish on Java, and invested some considerable resources making OS X's JVM integrated into the rest of the OS.

                Unfortunately, Apple no longer gives a shit about Java, and it shows.

                Now I understand what that "OS X now is where windows was in 1998" comment from earlier meant...

          • by Lars T. ( 470328 )
            So does Apple also prevent Sun from releasing BSD versions for Java? Let alone BeOS, VMX, Amiga...
    • Re: (Score:3, Insightful)

      by shentino ( 1139071 )

      Interesting that people who willingly "kiss their karma goodbye" and make statements to that effect are the ones who wind up with the upmods?

      • The "kiss my karma goodbye" line transforms the post in an anti-troll. Everyone who tries to mod it down gets his/hers karma burned and gives a +inf insightful/informative/funny/totally kickass mod to the OP.
    • by Draek ( 916851 )

      Well, when the fanboys start praising Apple for the "long lifetime" of their products and "vibrant second-hand market", they always neglect to mention you're still stuck in the upgrade treadmill if you want your computer secure.

      So yes, the fact that they don't have a patch for his OSX 10.1 machine *is* a problem and a big reason why I recommend Debian PPC for old Macs instead of crusty versions of OSX. Updates are faster to come, its still supported, and OS upgrades are free.

  • What about PPC Java? (Score:3, Interesting)

    by BikeHelmet ( 1437881 ) on Monday June 15, 2009 @07:42PM (#28342835) Journal

    Just wondering. PPC Java for OSX is even more out of date than x86 Java.

    The latest java on PPC is 1.5, and I'm sure it's out of date too...

  • Rich also chided Apple for leaving such a major hole unpatched for so long.

    Yeah, Apple, a meager market share (not accounting for cost per unit of course) isn't an excuse to leave stuff like this busted. I hereby CHIDE you!

  • maybe (Score:2, Informative)

    by bcrowell ( 177657 )

    Well, maybe.

    First off, pretty much every time we get one of these "OMG!" stories on slashdot about a security flaw going unfixed, we find out that it's not nearly as bad as suggested by the slashdot summary. In this case, the description linked to from the slashdot article says: "The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution."

    • Re:maybe (Score:4, Informative)

      by QuantumG ( 50515 ) * <qg@biodome.org> on Monday June 15, 2009 @08:07PM (#28343009) Homepage Journal

      Do you work for Apple? Cause if your attitude is in any way related to theirs, I'll skip using their software thanks. "I can run anything on your harddrive" is trivial to leverage to "I can execute anything I want". Even the dumbest hacker can figure it out. Clearly you're dumber.

    • Re: (Score:3, Funny)

      by ctmurray ( 1475885 )
      I agree with this post. As a Mac owner I am glad, for whatever reason, viruses are of no concern to me. On my work computer my employer can spend whatever they want to support XP (and it is a great deal of money). But at home I get to relax, and ignore the issue completely.
      • Re:maybe (Score:5, Interesting)

        by jackspenn ( 682188 ) on Monday June 15, 2009 @10:13PM (#28343855)

        As a Mac owner I am glad, for whatever reason, viruses are of no concern to me.

        ...

        But at home I get to relax, and ignore the issue completely.

        Until the day you can't. I am sorry, but you make me want to troll the net for the next security issue that is resolved in Linux and/or Windows, but Apple drags their feet on (again). Then I can use it to F with people like you. Your confidence comes from your ignorance.

        Here is the sad truth, Both the Linux/BSD communities and Microsoft take security more seriously than Apple.

        Apply repeatedly leaves a lot of holes open longer then they should be. I am thinking iTunes may present a nice target vector, but there have been so many in the past and I am sure there will be more in the future.

        I can see the HP/MS commercial now during the Superbowl next year:

        PC - "Hi, I'm a PC"
        MAC - "and I'm .... full of crap."
        PC - "Oh, MAC. While your designers were working to change your outsides from white to aluminum they didn't have time to patch the latest security threats to your OS."
        MAC - "All my music, all my pictures and all my home movies, gone, the worm even reformated my Time Machine drive and replaced restore points with pointers to an image of a piece of shit and a burning NEXT cube."
        PC - "Well, MAC, you like to talk a big game, but you are not good at playing the big game. So let everyone go back to those who can; first with the guys in Superbowl 44 and then with Windows 7 on their next laptop."

        • by hondo77 ( 324058 )

          Here is the sad truth, Both the Linux/BSD communities and Microsoft take security more seriously than Apple.

          You claim that, despite no Mac OS X viruses in the wild ever? I don't think "security" means what you think it means.

          • I lock my car doors and have had my car broken into once. All of my other friends (except one) lock their cars and two of them have been broken into as well.

            Sighting that fact, would it be reasonable for me to claim that unlocked cars are more secure and safe then locked cars?

            No. Same goes for Apple.

            First, viruses aren't the sole threat out there. It is not that Apples are more secure. It is mainly they have benefited from security through obscurity in the past and more recently security on the
    • Re:maybe (Score:5, Informative)

      by SpazmodeusG ( 1334705 ) on Monday June 15, 2009 @08:43PM (#28343267)
      Normally I absolutely agree. Most vulnerabilities are overhyped. Not this one though. Read this article and click the link to a page that runs /usr/bin/say on your unpatched machine.
      http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html [bikemonkey.org]
    • Get the user to download an executable then pop up a window with your java applet that executes ~\Downloads\JustDownloadedMalware

      But it's still a bit far-fetched. By default, newly downloaded executables from the internet have a flag (similar to Windows) that would ask for a confirmation before executing, thus requiring user input to work, I'm not sure if this vulnerability would bypass this.

      • by cibyr ( 898667 )

        By default, newly downloaded executables from the internet have a flag (similar to Windows) that would ask for a confirmation before executing, thus requiring user input to work, I'm not sure if this vulnerability would bypass this.

        You say "by default" - do you know how to turn this off? This is one "security" feature that really bugs me - on windows and on OS X. Yes, I really want to run that executable that I downloaded. That's why I downloaded it! I think I'm smart enough not to run some random executable that suddenly appeared on my desktop/in my downloads folder.

    • by Malc ( 1751 )

      Do you realise how dangerous it is being able to execute anything? If somebody deploying an exploit against this Java issue waits until there is a separate local root exploit, then it's game over. Or as somebody else pointed out, if they can get a user to download something else innocuous sounding, then again, it's all over. And yes, I've had a computer remotely exploited due to a weak password and an unpatched local root security hole.

    • I'm understanding correctly, it apparently doesn't let the attacker launch any code the attacker choses. It only lets the attacker launch code that's already present on the user's filesystem. And doesn't the java sandbox model prevent java applets from writing to the filesystem? So the attacker really may have very little opportunity to execute arbitrary code of the attacker's choosing.

      If the attacker can launch Bash, what else could he possibly need? Oh, and isn't Python there as well? Perl? Ruby?

      By the way, I wonder if wget is also present in default OS X install. That would be even more fun.

    • The Java plug-in does not block applets from launching file:// URLs. Visiting a website containing a maliciously crafted Java applet may allow a remote attacker to launch local files, which may lead to arbitrary code execution.

      Like any file from the malicious website in your browser cache. Oops.

  • Just turn off Java (Score:5, Insightful)

    by Anonymous Coward on Monday June 15, 2009 @08:03PM (#28342983)

    Apple had previously advised users to turn off Java temporarily in their Web browsers

    Even after updating, I've found that's advice I can live with.

    • I know you were making a joke but it's not far off the truth. I've had Java turned off for months now and never even noticed a difference.

    • by Lars T. ( 470328 )
      From the last story on this: http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]

      So MacOS X users, please disable Java in your web browser. Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities.

      Oh, and to all who pointed out that Sun had patched this months ago - have you updated Java since then?

      for various reasons, Java is usually poorly updated:

      • The Sun Java update mechanism isn't tied to the operating system update system on the Windows platform. Personal users and companies don't update it often, some of them do have processes in place to deal with Microsoft's patch Tuesdays but don't for other software updates.
      • Many companies are using web applications or Java software that rely on a specific Java version. It may be tedious to update Java because it would break many things. This may be the reason why Apple's Java updates are so infrequent.
      • Some Linux distributions don't support Sun's JRE (proprietary software) despite making it available. When I asked Ubuntu to fix this vulnerability, they fixed OpenJDK quickly but told me the Sun JRE was not supported (despite being available by default on the latest LTS Ubuntu release).
    • by ukyoCE ( 106879 )

      People use Java in web browsers? And it's enabled by default? O.o

      WHY

  • I do not understand...but since when have problems in Java been Apple's problems?

    Seriously, the title talks of problems with Java and then goes ahead to mention that these problems are Apple's problems - absurd!

    May be the title should be changed to say something like: -

    "...Java exploits a vulnerability on Apple's OSX..."

  • by EEPROMS ( 889169 ) on Monday June 15, 2009 @08:37PM (#28343223)
    Apple Guy "Halt who goes there"
    Black Haxor "It is I the black haxor, I seek the finest computer coders to join me in my quest"
    Apple Guy " You shall not pass"
    Black Haxor "What ?"
    Apple Guy "Non shall pass"
    Black Haxor "I have no quarrel with you, good sir, but I must move on"
    Apple Guy "Then you shall first install photoshop and make an offering at the alter of Steve and promise to buy hardware at twice the price from the lords of apple".
    Black Haxor "I command you to stand aside! for I am the Black Haxor"
    Apple Guy "I move for no man for I am impervious to all your tricks for I run OSX"
    Black Haxor "So be it"
    [Black Haxor pulls out his laptop and starts to type]
    [HAH]
    Apple Guy "What have you done ?"
    Black Haxor "I have exploited a java script bug on your system and signed you up as the local leader for the "Pedo's Rights" association and then passed the details on to the the local parents and teachers group"
    Apple Guy "what is this trickery, for such is impossible, you lie"
    [a rabble of middle aged parents turn up]
    Crowd "THERE HE IS, GET HIM!!"
    Apple Guy "BAH! Tis but a lie"
    Black Haxor "run man, they weld clubs and carry petrol containers and mean harm upon you"
    Apple Guy "They do not wish me harm as my laptop colour matches my shoes, thus they come to tell me how great my karma is"
    [15 minutes later the Black Haxor is staring at a smoldering pile on the ground]
    Black Haxor "Sigh"
    [Crosses bridge]
  • I mean hell us Mac users can FINALLY get back on the internet. Shooo took long enough <shakes fist at Steve Jobs> We just sat here living in fear. Mac powered off. Checking in with our Windows friends to see when it was safe again, while flashbacks to the "Code Red" nightmare from year ago filled our head. Oh wait, Code Red is when my company swore off ever using Windows for critical systems.... Scratch that.

    But anyways us Mac fan bois are back! WOO HOO!!!! "finally"
    • However, today's Windows XP (with Service Pack 3) and Windows Vista (with Service Pack 2) aren't as vulnerable as you think. This is because both operating systems gives you a LOT of security warnings about:

      1) Keeping Windows Update at least in Notify mode, which at least warns you about the availability of the latest security patches from Microsoft.

      2) Installing at least an antivirus and firewall security programs.

      As such, most XP and Vista users have at least Windows Update warning about installing the la

  • ...but I didn't have a mac, so I had to use a vm with an unpatched linux (ubuntu 8.10 actually). I tried to convince a guy with a mac in the audience to go to my exploit url, but he was not willing... One cool thing of this exploit is that it is pure java, so the same exploit can work on linux, mac and windows.

    Here is a writeup on the vulnerability: http://blog.cr0.org/2009/05/write-once-own-everyone.html [cr0.org]

    And here is a proof-of-concept exploit: http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20 [bikemonkey.org]
  • problems with librxtxSerial.jnilib arrrgh!
  • they can do something about this "The update "Java for Mac OS X 10.5 Update 4" can't be installed error message I get when I try to install the thing.

    • I got that too, on two different machines.

      But it worked fine when I fired off the updater manually -- if you select "Download Only" it will reveal the package in the Finder.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...