Abstract
Landon Fuller reports that a Java vulnerability disclosed almost six months ago has still not been fixed for Mac OS X. The exploit allows an attacker to compromise the Java sandbox, break out of it, and run commands with the permissions of the executing user.
Classification
This issue is classified as serious because Java applets containing malicious code may be executed just by visiting a web page. Landon Fuller says an illegal exploit is available in the wild. He prepared a proof-of-concept exploit that will make your Mac OS X computer say “I am executing in a user process”.
Applies to
The exploit applies to Intel-based as well as PowerPC-based Mac OS X systems running Safari or Firefox.
More information
Some more background information and workarounds may be found on Fuller’s site.
Considering the Apple Ads about virus-plagued and unsafe PCs, this is ridiculous and sad at the same time. Repeatedly.