Attack exploits just-patched Mac security bug

If you haven't installed the latest security update for Mac OS X, now would be a good time. A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute …

COMMENTS

This topic is closed for new posts.
  1. Mr Pedantic

    But...

    But will it run any faster?

  2. Ben Lambert

    Fantastic...

    Oh that's just wonderful. So I can't update my machines to a newer Java version because it breaks my critical app....or I can get exploited.

    I love my job.

    1. Anonymous Coward

      JREs

      You can have more than one JRE on a machine. I have 3 and the JDK and it all works quite happily.

      And doesn't Apple manage its own JRE? Hence the late patches.

      1. TeeCee Gold badge

        Re: JREs

        Surely if you have all the requisite versions up and running, then the one vulnerable to the exploit is still, er, exploitable and you're no better off than you were before installing the new version in parallel.

        Am I missing something?

    2. Pandy06269

      Us too

      Yeah, we have that same problem.

      Only thing you can do is put pressure on critical app's vendor to fix their app to work with the latest version.

      I never understood that about Java - our critical app breaks even just with a minor/patch release. Our .NET critical apps still work even across a major upgrade.

  3. Blain Hamon

    Wait, what?

    People still use Java on web sites? Thanks for reminding me to turn off that plugin.

  4. ThomH

    Oh, yes, one of those Mac security bugs

    That affects the Mac, Solaris, Windows and Linux. And has been patched on all of them. So, a genuine story about Apple being slow to react to security threats with an extremely misleading title.

    1. snafu

      actually...

      Not quite: historically, Apple has lagged behind everybody else Java updates-wise.

  5. Anonymous Coward

    FAO Kevin Finisterre

    Good that you found an exploit, reported it but why weaponise it?

    Why release the code, the patch only came out today, give people time to apply it and test first.

    You have your kudos, don't lose your integrity, or perhaps you have another agenda?

    1. Ross 7

      Why weaponise

      Controlling the IP is just the start when it comes to exploiting vulns. It's a big start, but it doesn't guarantee arbitrary code execution is possible. Rather than everybody thinking "oh it's just a DoS exploit, no need to scurry to patch just yet" and then some blackhat does the hard work and releases a weaponised exploit, this guy is attempting to give everyone a proper heads up ASAP.

      If he can quickly prove that arbitrary code execution is possible then the patch gets listed as critical and IT admins perk up and start testing the patch a lot sooner than if it's not critical.

      Weaponised doesn't necessarily mean botnet capable etc, just that it has an executable payload such as creating a file, or connecting to a webhost. Ofc that does make it a lot easier to replace the payload with something more sinister.

  6. windywoo

    Why didn't Snow Leopard remind me?

    This article was the first I heard about the patch so I checked Software Update and there it was. Why does a Java update require a machine restart? It doesn't on Windows.

    1. Robert A. Rosenberg

      Why no Leopard 32Bit Java6?

      If I want/need Java6 support on Leopard (10.5) I am supplied with only 64Bit support. With Snow Leopard (10.6) the Java6 Supplied supports both 64bit and 32Bits. Why no 32Bit support with 10.5 (since they obviously have the code since 10.6 has it)?

    2. Anonymous Coward

      @windywoo

      "This article was the first I heard about the patch so I checked Software Update and there it was."

      First update is usually set to check once/week. (You can set it up to be daily, weekly or monthly.) It can also download automatically or require YOU to start the downloads. The update WAS JUST RELEASED - so the fact that you just found out about it is not that surprising.

      "Why does a Java update require a machine restart? It doesn't on Windows."

      No clue. It might be due to how Java is tied into the OS. This might also be why Apple is always behind on updating Java. (If JAVA is linked into the system then one would need to take longer testing.) I do not know enough about the inside of the OS to be able to tell you for certain - I can only guess.

    3. Pandy06269

      I got it

      I got the update notification as soon as I logged on to my Mac yesterday, even though my updates are set to check weekly, and I last checked only a couple of days ago.

      I have no idea why it required a restart either, but if it protects my PC then I'm not going to complain about a couple of minutes downtime.

  7. Anonymous Coward

    More to the point.

    Why is it not available for Tiger and earlier versions of OSX?

    Or have I misunderstood?

  8. magnetik

    @windywoo

    I often force quit the updater if it wants to reboot after an update. Have yet to see this result in a problem.

  9. Anonymous Coward

    Give it rest, please?

    Why is it when they find a problem in Linux and OSX, then patch it, the world goes mental about it! "The sky's falling! The sky's falling!".

    Problems on Windows? Yeah, yeah, just another problem, just another day, just another patch to heap on the others.

    FFS! The marketers are the only ones who believe this tripe about Linux and OSX being perfect and having no problems, the rest of us in the real world know our Linux and OSX systems are riddled with imperfections!

    Knock it off eh? Problem got found, problem got fixed. No story! Nothing to see!

  10. amanfromMars 1 Silver badge

    Meanwhile, ...... in Virtual Fabs and Great Global Gaming Labs Underground in Clouds ....

    "The exploit is fairly rudimentary, but Finisterre said he plans to weaponize it soon."

    You can be sure that weaponized, the best exploits will be stealthy, embedding and extremely sophisticated. In fact so good that you will not realise the virtual capture, until well past any time that one can counter it.

    Such is the very Essence and Nature of what Military Intelligence, that well known Oxymoron, would call Cyber Warfare but which A.N.Other and/or Others Securing their Homelands against Invaders and with a much wider portfolio of Programs and Methodologies/Views and Algorithms would Venture is CyberIntelAIgent Security and Advanced IntelAIgent Virtual Defence.

    Novel Simulated Virtual Attacks against Cyber Defenders and/or Warriors very quickly exposed Systemic Catastrophic Flaws and Unpatchable Vulnerabilities which Render the BetaTested System and its IT Administration Team Hierarchy, Immediately Redundant if the System is not to Collapse and Destroy its Active Lead Components/Entrenched Slave Drivers, which in Human Terms would be Manifest in Conspiring Dishonourable Members in Cabals.

    "Turns out Java's write-once-run-anywhere promise really is real" .... The Rank Stupidity in Man, which has him not believe what is clearly and succinctly written down and placed before his own eyes to read for his brain to visualise/realise, is that which confines him to his present condition. However, there are those who are not nearly as Stupid as the Vast Majority and some who would not be Stupid at all and may even be Super Bright and Much Smarter than has ever been imagined and made possible before.

    But you'll hardly find them working for a wage or to any third party instructions, and that makes them Elusive and Amazingly Unpredictable in what is already an Irregular and Unconventional Base Field of Intellectual Property Operation.

    IT also makes them an Invaluable Asset and Priceless Ally whenever Sub-Contracted Privately to Destroy and/or Quarantine Failed Toxic Protocol Practices.

    "Good that you found an exploit, reported it but why weaponise it?" ... Aimee Posted Friday 4th December 2009 22:28 GMT.

    Aimee, here are just two very simple, easily understood reasons for the weaponization of virtually anything .....

    a) to make lucrative exclusive advantage of an abiding failure.

    b) to ensure a fix is real and applied for an abiding failure

    You can be sure though that there are bound to be many more.

  11. amanfromMars 1 Silver badge

    For Virtual Coup d'Etats Heroes .... Popular Pirates and Valiant Villains

    Oh, and can you imagine what happens when such Savvy Ken migrates to foreign and/or renegade teams, if ignored in the home team dressing rooms?

    1. This post has been deleted by its author

  12. pitagora

    java and backwards compatibility shouldn't even be in the same sentence

    it's hard to update java runtime when java and backwards compatibility shouldn't even be in the same sentence :(
