I’m not sure if I divulged this, but I am an avid Mac OS fan. No, I’m not the creative type, but most of my computer knowledge was gained on a Mac. My very first Mac was a Mac Plus (never really owned a PC till I built one much later on). Then I got a job at E! Entertainment Television, and they were an all Mac OS shop. So my point is I’m a big Mac fanatic.
So it disheartens me to a great extent when I find this Java exploit (CVE-2008-5353). As with most exploits, if a system is compromised, the attacker may take it over. Now the popular thought was that the Mac would not be vulnerable to all the various attacks that Windows has been vulnerable to for a long time, but that is a dangerous assumption to make. This particular one is not Windows specific, Mac specific, or even UNIX specific. This is in the Sun Java code, which they really did fix, and the fix has been incorporated into Windows, Linux, Solaris, and all other OSes that use the Java Runtime Engine … except for the Mac. Why, oh why, Apple, why?
This exploit was patched and fixed by Sun in December 2008, so this fix has been around for coming up on 6 months. Is there a good reason for not putting this in? I kept trying to think of a good reason, but I can’t. In fact, one individual got so frustrated with Apple, waiting for them to fix this, that he decided to put an exploit out in the wild and publish it, in hopes that Apple will finally do something about this. This has been distributed throughout the security community … I’ve seen it posted on SecureMac, Slashdot, ZDNet, and even US-CERT. We’ll have to wait and see if Apple actually does anything with this.
Nice job, Apple!