Patched Safari bug being exploited by hackers

Though the bug is known and has been addressed, hackers may still attempt to use a JavaScript vulnerability to target unpatched Macs.

A known vulnerability in Apple's Safari browser is the new target for a proof-of-concept exploit that allows a hacker to arbitrarily run code on unpatched Mac systems.

The exploit, which was made available today on Packet Storm, takes advantage of a JavaScript vulnerability in which data can be written to memory outside of defined buffers, causing a crash that could result in arbitrary code being run.

This vulnerability is specific to Safari version 6.0.1 and earlier; it was found and addressed by Apple in November 2012, so it will only affect systems that have not been updated. Nevertheless, the exploit is out there, and hackers and cybercriminals are notorious for preying on unpatched systems.

Generally, once a vulnerability is found, it is kept under wraps until a patch is available for it; however, this does not mean all systems will be safe. For the patch to be effective, users must actually install it, but often users are quite stubborn in this regard and will not install patches for fear of bugs or other disruptions to their workflow.

In most cases, OS X is built to update itself regularly, or at least to notify users of available updates, so as long as you have kept Software Update running and have applied the latest security patches to OS X 10.7 and 10.8, you should be safe from this threat.
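As an added example (not part of the CNET article), a shell script a Mac administrator could use to confirm that an installed Safari is newer than 6.0.1, the last version the article names as affected; the Info.plist path and the use of defaults(1) to read CFBundleShortVersionString are assumptions about a standard macOS install, and the version comparison is pure POSIX shell so it runs anywhere when given a version string.

```shell
#!/bin/sh
# Added example, not from the article: flag Safari versions at or below 6.0.1.

# Compare two dotted version strings component by component (numeric parts
# assumed, as in "6.0.1"). Prints -1, 0 or 1 for a<b, a==b, a>b.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Drop the consumed component, or empty the string when none remain.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"     # "6.0" compares equal to "6.0.0"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given Safari version is 6.0.1 or earlier, i.e. still
# exposed to the out-of-bounds write the article describes.
safari_affected() {
    [ "$(version_cmp "$1" "6.0.1")" -le 0 ]
}

# Read the installed version on macOS (assumed bundle path; defaults(1) is
# present on every macOS install).
installed_safari_version() {
    defaults read /Applications/Safari.app/Contents/Info \
        CFBundleShortVersionString 2>/dev/null
}

# Check the version given as an argument, or the local install if none.
main() {
    ver="${1:-$(installed_safari_version)}"
    if [ -z "$ver" ]; then echo "could not determine Safari version"; return 2; fi
    if safari_affected "$ver"; then
        echo "Safari $ver is 6.0.1 or earlier: apply Apple's November 2012 update"
        return 1
    fi
    echo "Safari $ver is newer than 6.0.1"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with no arguments on a Mac to check the local install, or as `sh check-safari.sh 6.0.1` to test a version string; a non-zero exit status marks an affected version, so it can feed a fleet inventory script.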

Be sure to check us out on Twitter and the CNET Mac forums.