Linked by Thom Holwerda on Tue 19th May 2009 22:20 UTC
Mac OS X Six months ago, a certain security flaw in Java was fixed by Sun. This flaw was present in OpenJDK, GIJ, icedtea and Sun's JRE, but it got fixed in those. There's one important shipping Java implementation that still has not been fixed to remove this security flaw: Apple's Java.
Thread beginning with comment 364479
Waiting for Apple to get its act together
by chandler on Wed 20th May 2009 02:15 UTC
chandler
Member since:
2006-08-29

I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn't fix it until I made noise publicly about it. So, their prioritization is all wrong.

Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It'd be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32 ). When will they start taking these issues seriously? Probably after a virus happens.


Reply Score: 3

jabbotts Member since:
2007-09-06

I was going to say: "at least there is an OS X native Firefox", but it's actually any browser run on OS X that is vulnerable to much of what the platform has to offer.

Reply Parent Score: 2

libray Member since:
2005-08-27

Thanks for the link. I have Java turned off now. This is really bad^H^H^Hsad!! Everyone should read that link you posted, and it does work in any browser (I tried Opera, Safari, Firefox) except Chromium, which does not support Java by default!

Reply Parent Score: 2
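The practical question for anyone administering Macs during this window is whether the installed Apple JRE is at or above the build that carries the fix, since the thread itself only says that Sun's, OpenJDK's, GIJ's and IcedTea's builds were patched. The script below is an added example, not code from the thread or from Apple or Sun: it parses `java -version` output and does a numeric comparison against a baseline. The baseline version string is a placeholder (the thread gives no fixed version number); the `java -version` sample in the test is constructed.

```shell
#!/bin/sh
# Added example: audit whether the installed JRE meets a patched baseline.
# PATCHED_BASELINE is a placeholder; replace it with the version named in
# the vendor advisory for the flaw being checked.
PATCHED_BASELINE="1.6.0_PLACEHOLDER"

# Pull the "1.5.0_16"-style version out of `java -version` output.
# The output is passed in as a string so the parser can run offline;
# note that the real command writes to stderr, hence 2>&1 in audit_java.
# Build suffixes such as "-b06" are dropped.
parse_java_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^java version "\([^"]*\)".*/\1/p' \
        | sed 's/-.*//' \
        | head -n 1
}

# Numeric, field-by-field comparison of dotted/underscored versions.
# Returns 0 (true) if $1 >= $2, 1 otherwise. Missing fields count as 0,
# so "1.6.0" >= "1.5.0_16" and "1.5.0_16" >= "1.5.0_16".
version_at_least() {
    have=$(printf '%s' "$1" | tr '_' '.')
    want=$(printf '%s' "$2" | tr '_' '.')
    i=1
    while :; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$want" | cut -d. -f"$i")
        # Both exhausted with no difference found: equal versions.
        [ -z "$a" ] && [ -z "$b" ] && return 0
        a=${a:-0}
        b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# Run against the JRE on this machine. Exit 0 if patched, 2 if not,
# 3 if no java binary is on PATH.
audit_java() {
    command -v java >/dev/null 2>&1 || { echo "no java on PATH"; return 3; }
    installed=$(parse_java_version "$(java -version 2>&1)")
    if version_at_least "$installed" "$PATCHED_BASELINE"; then
        echo "java $installed: at or above baseline $PATCHED_BASELINE"
        return 0
    fi
    echo "java $installed: BELOW baseline $PATCHED_BASELINE"
    return 2
}
```

Run `audit_java` from an interactive shell or a login-hook script; a non-zero exit is the signal to disable the Java plugin in the browser until the vendor ships the fix, which is the mitigation the thread's last poster describes.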