Exploit for unpatched vulnerability in Mac OS X - Update
The security specialist Landon Fuller has published an exploit for Mac OS X which allows an attacker to take control of a computer by directing a Safari user to a rigged web page. The cause of the drive-by-download hole has been known since the beginning of December 2008: known vulnerabilities in the de-serialisation of certain objects within the sandbox of the Java Virtual Machine. These can allow an untrusted applet to gain higher system privileges.
Sun has since fixed the hole with Java 6 Update 11, released in December, but Apple have not followed suit. Since Apple, according to Fuller, have ignored the obvious error for six months, he decided to demonstrate that the hole really is exploitable. In a short test, The H Security tried Fuller's proof of concept and noted that the applet ran the program /usr/bin/say to make the system say "I am executing an innocuous user process" on an Intel Mac running the latest Mac OS X 10.5.7.
Fuller writes that the remedy against such attacks is to disable Java applets (Safari preferences, Security tab) and to disable 'Open "safe" files after downloading' (Safari preferences, General tab). The H Security found the first step to be effective in stopping the proof of concept from working, but were unable to determine what effect, if any, the second step has on closing the hole.
As well as the Apple Java implementation, the SoyLatte Java port version 1.0.3 is also affected, but the current version of SoyLatte has been fixed. A detailed description of the hole and how to exploit it has also been publicised by Julien Tinnes in his blog.
In tests, heise Security showed that Firefox running on Mac OS X is also vulnerable, since the open source browser uses the vulnerable version of Java installed on the system. The advice for Firefox users, and most probably for all Mac OS X browsers, is to disable Java in those browsers too. This advice is all the more important to follow since Georg Wicherski, who criticises Fuller for releasing an easily decompilable proof of concept, published part of the decompiled source of the exploit in his blog. The proof of concept was decompiled using only the jad decompiler, a step any potential attacker could easily accomplish, and basically allows anyone with a Java compiler to create a drive-by exploit for Mac OS X.