Unaddressed critical Java vulnerability in OS X

Apple has apparently not addressed a relatively long-standing bug in Java that allows for arbitrary code execution as the current user, which can be dangerous if you are running as administrator.

CNET staff
This bug can be exploited simply by visiting a web page that loads a malicious Java applet, and it can also be triggered by standalone Java applications. To help safeguard your computer until Apple patches the problem, load Java applets only from trusted websites, or better yet disable Java applets in Safari and other browsers for the time being.

Java applets usually take a few seconds to start up, and in the meantime display a coffee mug with circular arrows around it. If this appears on a web page you do not trust, closing the browser window will kill the process. To disable Java in Safari, open the preferences and uncheck the "Enable Java" option in the "Security" section (keep in mind that "JavaScript" is not "Java" and does not need to be disabled).

Apple tech blogger Landon Fuller has posted information about this vulnerability, including a proof-of-concept Java applet that executes the "/usr/bin/say" (text-to-speech) command as the current user. The vulnerability is also discussed in depth elsewhere. In addition to keeping Java off, and in line with Mr. Fuller's recommendations, we also suggest you disable the option to automatically open "safe" files after downloading, which is good practice even when there are no known exploitable bugs.
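The two Safari settings recommended above can be audited from a Terminal. The script below is an added example, not code from the CNET article or from Landon Fuller's post; it assumes the Safari preference domain com.apple.Safari and the keys WebKitJavaEnabled and AutoOpenSafeDownloads used by Safari of that era, with both treated as "on" when the key is absent (Safari's defaults).

```shell
#!/bin/sh
# Added audit helper (not from the article). Assumed preference keys:
#   com.apple.Safari WebKitJavaEnabled      -> "Enable Java" (Security tab)
#   com.apple.Safari AutoOpenSafeDownloads  -> "Open safe files after downloading"

# Normalise a `defaults read` result to 0 (off) or 1 (on).
# An empty or unrecognised value means the key is unset, so use the
# supplied default (second argument).
normalise_bool() {
    case "$1" in
        1|true|TRUE|YES|yes) echo 1 ;;
        0|false|FALSE|NO|no) echo 0 ;;
        *)                   echo "$2" ;;
    esac
}

# Report on both settings; returns 0 only when both mitigations are in place.
# Arguments: <java setting> <auto-open setting>, as read from `defaults`.
evaluate_safari_settings() {
    java=$(normalise_bool "$1" 1)       # Safari ships with Java enabled
    autoopen=$(normalise_bool "$2" 1)   # and with auto-open of safe files enabled
    rc=0
    if [ "$java" = 1 ]; then
        echo "WARN: Java applets are enabled (Safari > Preferences > Security > Enable Java)"
        rc=1
    fi
    if [ "$autoopen" = 1 ]; then
        echo "WARN: 'Open safe files after downloading' is enabled (Safari > Preferences > General)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: Java is disabled and safe files are not opened automatically"
    return "$rc"
}

# Read the live values on a Mac; a missing key yields an empty string.
audit_safari() {
    j=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)
    a=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    evaluate_safari_settings "$j" "$a"
}
```

Run `audit_safari` in a Terminal on the Mac being checked; the two warnings point at the preference panes described above.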

Unfortunately this vulnerability affects all Mac users even if their computers are fully patched, so let's hope Apple tackles this and releases a patch soon.

Luckily, relatively few sites use Java extensively, so most day-to-day workflows should not be inconvenienced by keeping Java off, and you can always turn Java back on temporarily to visit a specific site; for standard browsing, however, we recommend you keep it off.

Since Apple has not addressed this bug even though it has been documented for months now, we encourage you to send feedback to Apple's OS X development team to ensure they address this problem soon: http://www.apple.com/feedback/macosx.html
