A six-month-old critical vulnerability in Java on Mac OS X is still unpatched, say The Register and security researcher Landon Fuller. By not fixing it, Apple is putting Mac users at risk: the flaw “allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable,” says Fuller. Apple has been sluggish about updating such third-party software in Mac OS X before, but a six-month delay is truly excessive.
There are a few things Mac users can do to protect themselves against this issue: disable Java applets in their browsers, and disable the “Open ‘safe’ files after downloading” option in Safari’s General preferences (or the equivalent setting in other browsers).
In case you’re wondering if this vulnerability is truly dangerous, Landon Fuller has created a proof of concept Java applet (linked here) that “will be executed on your system by a Java applet, with your current user permissions.” (Make sure you have the sound on when you try this out.)