QuickTime/Java security flaw affects Safari, Firefox, other Mac browsers; protecting against

[Published Wednesday, April 25th; updated April 26th]

More details are emerging regarding a QuickTime/Java security flaw affecting Mac OS X discovered by Dino Dai Zovi at the CanSecWest conference.

A Secunia report on the flaw states:

"The vulnerability is caused due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox."

It appears that the flaw is triggered by simply accessing a malicious Web page -- no further user action is required.

The flaw can be obviated by temporarily turning off Java and JavaScript and disabling plug-ins (as described by the discoverer of the flaw in this ZDNet article) -- obviously not a long-term solution.

[Note: Although the flaw's discoverer states that Java, JavaScript and plug-ins should be disabled to protect against this flaw, you may only need to disable Java per the Secunia report. In other words, things are currently a little confusing because this looks like a Java flaw only. However, the person who discovered the flaw explicitly stated that users should turn off Java, JavaScript and plug-ins to protect against it. This seems like overkill, and will break the functionality of numerous Web sites. However, until actual details of the flaw are released, there is no more reliable word on the subject than that of the person who discovered it. So if you want to be absolutely safe, follow the instructions below. Otherwise, use only the part of the instructions that disables Java.]

For Safari, follow these instructions:

  1. Select Preferences from the Safari menu
  2. Click on the Security tab
  3. Uncheck the boxes next to Enable plug-ins, Enable Java, and Enable JavaScript.

For Firefox, follow these instructions:

  1. Select Preferences from the Firefox menu
  2. Click on the Content tab
  3. Uncheck the boxes next to Enable Java and Enable JavaScript.
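To confirm that the Firefox steps took effect on a given profile, the following added example (not part of the original article) reads the profile's prefs.js. It assumes the two checkboxes are stored as the preferences security.enable_java and javascript.enabled, and that a preference absent from the file is at its enabled default; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit a Firefox profile's prefs.js for the two settings the steps above turn off.
# Assumptions: the checkboxes map to security.enable_java and javascript.enabled,
# and a pref that is missing from prefs.js is at its default (enabled).

# pref_value FILE NAME -> prints "true" or "false" (last user_pref line wins)
pref_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    val=$(sed -nE "s/^[[:space:]]*user_pref\\(\"$name\",[[:space:]]*(true|false)\\);.*/\\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-true}"
}

# audit_firefox_prefs FILE -> returns 0 only if both features are disabled
audit_firefox_prefs() {
    rc=0
    for pref in security.enable_java javascript.enabled; do
        if [ "$(pref_value "$1" "$pref")" = "false" ]; then
            echo "OK       $pref is disabled"
        else
            echo "EXPOSED  $pref is enabled"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: Java was unchecked, JavaScript was left at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
// Constructed sample prefs.js, not taken from a real profile
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.enable_java", false);
EOF
audit_firefox_prefs "$sample" || echo "Profile is not fully locked down"
rm -f "$sample"
```

Point it at the prefs.js inside the profile folder after quitting Firefox, since the browser writes the file on exit.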

Feedback? Late-breakers@macfixit.com.
