Java Vulnerability on Mac OS X

Word is spreading that there’s a critical security vulnerability in Java on Mac OS X. Actually, it’s a couple of vulnerabilities that can be taken advantage of to run commands outside of the browser as the user that launched the browser. The truth is that it’s been known about since at least August of last year and Sun, the makers of Java, fixed it long ago, but those fixes haven’t made it into Mac OS X yet, not even the 10.5.7 update.

So, what’s a Mac user to do? There’s no known use of the exploit beyond the proof-of-concept examples, but the triage is pretty simple:

1. Turn off ‘Open “safe” files after downloading’ in Safari -> Preferences -> General
2. Turn off Java in Safari -> Preferences -> Security, and in any other browsers you use

This will prevent malicious Java code, whether on a web page or in a downloaded file, from running automatically. There’s no reason to panic, and JavaScript will still function normally, but it’s better to be on the safe side if you’re not regularly visiting web sites requiring Java.

If you’re technically inclined, you may be interested in the detailed explanation of the vulnerabilities.

[Via Daring Fireball]
