back to article Attack exploits just-patched Mac security bug

If you haven't installed the latest security update for Mac OS X, now would be a good time. A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute …


This topic is closed for new posts.
  1. Mr Pedantic


    But will it run any faster?

  2. Ben Lambert


    Oh that's just wonderful. So I can't update my machines to a newer Java version because it breaks my critical app....or i can get exploited.

    I love my job.

    1. Anonymous Coward


      You can have more than one JRE on a machine. I have 3 and the JDK and it all works quite happily.

      And doesn't Apple manage it's own JRE? Hence the late patches.

      1. TeeCee Gold badge

        Re: JREs

        Surely if you have all the requisite versions up and running, then the one vulnerable to the exploit is still, er, exploitable and you're no better off than you were before installing the new version in parallel.

        Am I missing something?

    2. Pandy06269

      Us too

      Yeah, we have that same problem.

      Only thing you can do is put pressure on critical app's vendor to fix their app to work with the latest version.

      I never understood that about Java - our critical app breaks even just with a minor/patch release. Our .NET critical apps still work even across a major upgrade.

  3. Blain Hamon

    Wait, what?

    People still use Java on web sites? That's for reminding me to turn off that plugin.

  4. ThomH Silver badge

    Oh, yes, one of those Mac security bugs

    That affects the Mac, Solaris, Windows and Linux. And has been patched on all of them. So, a genuine story about Apple being slow to react to security threats with an extremely misleading title.

    1. snafu


      Not quite: historically, Apple has lagged behind everybody else Java updates-wise.

  5. Anonymous Coward
    Anonymous Coward

    FAO Kevin Finisterre

    Good that you found an exploit, reported it but why weaponise it?

    Why release the code, the patch only came out today, give people time to apply it and test first.

    You have your kudos, dont lose your integrity, or perhaps you have another agenda?

    1. Ross 7

      Why weaponise

      Controlling the IP is just the start when it comes to exploiting vulns. It's a big start, but it doesn't guarantee arbitrary code execution is possible. Rather than everybody thinking "oh it's just a DoS exploit, no need to scurry to patch just yet" and then some blackhat does the hard work and releases a weaponised exploit this guy is attempting to give everyone a proper heads up ASAP.

      If he can quickly prove that arbitrary code execution is possible then the patch gets listed as critical and IT admins perk up and start testing the patch a lot sooner than if it's not critical.

      Weaponised doesn't necessarily mean botnet capable etc, just that it has an executable payload such as creating a file, or connecting to a webhost. Ofc that does make it a lot easier to replace the payload with something more sinister.

  6. windywoo
    Jobs Horns

    Why didn't Snow Leopard remind me?

    This article was the first I heard about the patch so I checked Software Update and there it was. Why does a Java update require a machine restart? It doesn't on Windows.

    1. Robert A. Rosenberg

      Why no Leopard 32Bit Java6?

      If I want/need Java6 support on Leopard (10.5) I am supplied with only 64Bit support. With Snow Leopard (10.6) the Java6 Supplied supports both 64bit and 32Bits. Why no 32Bit support with 10.5 (since they obviously have the code since 10.6 has it)?

    2. Anonymous Coward


      <quote>This article was the first I heard about the patch so I checked Software Update and there it was. "</quote>

      First update is usually set to check once/week. (You can set it up to be daily, weekly or monthly.) It can also download automatically o require YOU to start the downloads. The update WAS JUST RELEASED - so the fact that you just found out about it is not that surprising.

      <quote>Why does a Java update require a machine restart? It doesn't on Windows.</quote>

      No clue. It might be due to how Java is tied into the OS. This might also be why Apple is always behind on updating Java. (If JAVA is linked into the system then one would need to take longer testing.) I do not know enough about the inside of the OS to be able to tell you for certain - I can only guess.

    3. Pandy06269

      I got it

      I got the update notification as soon as I logged on to my Mac yesterday, even though my updates are set to check weekly, and I last checked only a couple of days ago.

      I have no idea why it required a restart either, but if it protects my PC then I'm not going to complain about a couple of minutes downtime.

  7. Anonymous Coward
    Anonymous Coward

    More to the point.

    Why is it not available for Tiger and earlier versions of OSX?

    Or have I misunderstood?

  8. magnetik


    I often force quit the updater if wants to reboot after an update. Have yet to see this result in a problem.

  9. Anonymous Coward

    Give it rest, please?

    Why is it when they find a problem in Linux and OSX, then patch it, the world goes mental about it! "The sky's falling! The sky's falling!".

    Problems on Windows? Yeah, yeah, just another problem, just another day, just another patch to heap on the others.

    FFS! The marketers are the only ones who believe this tripe about Linux and OSX being perfect and having no problems, the rest of us in the real world know our Linux and OSX systems are riddled with imperfections!

    Knock it off eh? Problem got found, problem got fixed. No story! Nothing to see!

  10. amanfromMars 1 Silver badge

    Meanwhile, ...... in Virtual Fabs and Great Global Gaming Labs Underground in Clouds ....

    "The exploit is fairly rudimentary, but Finisterre said he plans to weaponize it soon."

    You can be sure that weaponized, the best exploits will be stealthy, embeddding and extremely sophisticated. In fact so good that you will not realise the virtual capture, until well past any time that one can counter it.

    Such is the very Essence and Nature of what Military Intelligence, that well known Oxymoron, would call Cyber Warfare but which A.N.Other and/or Others Securing their Homelands against Invaders and with a much wider portfolio of Programs and Methodologies/Views and Algorithms would Venture is CyberIntelAIgent Security and Advanced IntelAIgent Virtual Defence.

    Novel Simulated Virtual Attacks against Cyber Defenders and/or Warriors very quickly exposed Systemic Catastrophic Flaws and Unpatchable Vulnerabilities which Render the BetaTested System and its IT Administration Team Hierarchy, Immediately Redundant if the System is not to Collapse and Destroy its Active Lead Components/Entrenched Slave Drivers, which in Human Terms would be Manifest in Conspiring Dishonourable Members in Cabals.

    "Turns out Java's write-once-run-anywhere promise really is real" .... The Rank Stupidity in Man, which has him not believe what is clearly and succinctly written down and placed before his own eyes to read for his brain to visualise/realise, is that which confines him to his present condition. However, there are those who are not nearly as Stupid as the Vast Majority and some who would not be Stupid at all and may even be Super Bright and Much Smarter than has ever been imagined and made possible before.

    But you'll hardly find them working for a wage or to any third party instructions, and that makes them Elusive and Amazingly Unpredictable in what is already an Irregular and Unconventional Base Field of Intellectual Property Operation.

    IT also makes them a Invaluable Asset and Priceless Ally whenever Sub-Contracted Privately to Destroy and/or Quarantine Failed Toxic Protocol Practices.

    "Good that you found an exploit, reported it but why weaponise it?" ... Aimee Posted Friday 4th December 2009 22:28 GMT.

    Aimee, here are just two very simple, easily understood reasons for the weaponization of virtually anything .....

    a) to make lucrative exclusive advantage of an abiding failure.

    b) to ensure a fix is real and applied for an abiding failure

    You can be sure though that there are bound to be many more.

  11. amanfromMars 1 Silver badge

    For Virtual Coup d'Etats Heroes .... Popular Pirates and Valiant Villains

    Oh, and can you imagine what happens when such Savvy Ken migrates to foreign and/or renegade teams, if ignored in the home team dressing rooms?

    1. This post has been deleted by its author

  12. This post has been deleted by a moderator

  13. This post has been deleted by a moderator

  14. pitagora
    Thumb Down

    java and backwards compatibility shouldn't even be in the same sentence

    it's hard to update java runtime when java and backwards compatibility shouldn't even be in the same sentence :(

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021