Davao Mac User


Mac OS X’s Java vulnerability

Warning! Warning! Hackers can use an exploit to destroy your Mac! Shut down your Mac NOW!!!

Wait! I’m just kidding. Don’t shut down your Mac yet. Well, not until you’ve read what the hoopla is all about.

According to AppleInsider, Intego, a Mac security software developer, has warned that Apple has yet to fix a “critical security vulnerability” in Mac OS X.

The said vulnerability is from a version of Java (What is Java?) Apple is using for Mac OS X; a vulnerability that was patched by Sun about six months ago. Yet, Apple failed to fix this even with the latest Mac OS X update.

So how does this exploit operate and what can it do? According to Ted Landau over at The Mac Observer:

Any Web site may include a Java applet. In most cases, the applet performs some useful and needed function for the Web site.

However, an unscrupulous developer could create a Java applet that executes some “evil” action, such as deleting files from your hard drive.

In Safari, the first time a Java applet attempts to launch, a message should pop up asking whether or not you “trust” the app. This is a security protection. If you are visiting an unfamiliar Web site and you’re unsure how safe the applet is, you can decline to trust the applet, and it won’t run.

The ultimate problem is that it is possible to create Java applets that run without triggering the Safari warning message (emphasis mine). Other browsers may offer more reliable early-warning systems (as covered in this Macworld article by Rob Griffiths), but all of them are subject to some degree of risk. This means that you could get in trouble simply by visiting a Web site that contains an exploitive Java applet. No other action would be required.

The exploit could then be used to access or delete files, execute code, and run applications.

But how real is this threat? Back to Ted Landau again:

The preceding is the official advice and I’m agreeing with it. However, whenever these security topics come up, someone inevitably asks: “Just how real a threat is this? If I don’t do anything to protect myself, how likely is it that something bad will happen to me?”
My answer is: The real world risk is very very low.
In order to be burned, someone would first have to put a dangerous Java applet out in the wild. To date, there are no known such applets.
Second, if such an applet did exist, there would be warnings about it all over the Web, as soon as it was discovered. If you are Web-savvy enough to be reading this column, chances are good you would see these warnings before there was even a remote chance of you being harmed.
Third, even if an exploitive Web site existed and you had not seen warnings about it, you would still have to be deceived into visiting the site. That means you’d have to receive some publicity about the site. Unless the exploiter is very good at generating phony publicity, this is not likely to happen.
Lastly, even if you did get some deceptive come-on, if you typically ignore invitations to go to unfamiliar Web sites and similarly trash all the spam email you receive, you would still be safe.
That’s why the real world risk is very low.


Though the risk of being exploited by this Java vulnerability in the real world is low, Mr. Landau still advises disabling Java, for now. Macworld’s Rob Griffiths tells you how to disable Java on some web browsers.


Filed under: OS X
