Summary:
- This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
- How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
- Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
- What to do: Install Java for OS X 10.5 Update 8 or Java for OS X 10.6 Update 3 as soon as possible, or let Apple’s updater do it for you.
Exposure:
Yesterday, Apple issued two advisories [ 1 / 2 ] describing Java security updates for OS X 10.5.x and OS X 10.6.x. The advisories warn of multiple vulnerabilities in OS X’s Java components; specifically, six Java vulnerabilities in 10.5.x and four in 10.6.x (number based on CVE-IDs). Though the updates only fix a few flaws, many of them pose a serious risk.
For the most part, Apple only describes the impact of these vulnerabilities, leaving out technical details. In general, the flaws share the same potential impact: By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit these Java flaws to either execute code or elevate privileges on your users’ OS X computers. In most cases, the attacker would only gain the privileges of the currently logged in user, which doesn’t include root or administrator access in OS X. Nonetheless, we recommend you install Apple’s OS X Java update as soon as possible.
As an aside, Microsoft recently pointed out that malware exploiting Java flaws has exploded during 2010. Though no one has reported Mac-based Java threats in the wild yet, I would recommend keeping Java up to date.
Solution Path:
Apple has issued Java for OS X 10.5 Update 8 [dmg file] and Java for OS X 10.6 Update 3 [dmg file] to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these update as soon as possible, or let OS X’s automatic Software Update utility install the proper update for you.
For All WatchGuard Users:
Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.
Status:
Apple has released Java updates to fix these issues.
References:
- Apple’s OS X 10.5 Java Update 8 advisory
- Apple’s OS X 10.6 Java Update 3 advisory
- Apple software downloads
- Apple security updates
This alert was researched and written by Corey Nachreiner, CISSP.