Despite the claim by Mac users that their operating system is safer than Windows and much more secure; there is a chink in the armour. No, I’m not referring to a Chinese knight; I’m actually referring to something that would better be described as a gaping chasm rather than a chink: There’s still a large security vulnerability in Mac OS X with regard to Java; and it’s never yet been patched by Apple. It’s already been patched in both Windows and Linux.

According to kdawson, writing on slashdot.org: -

"Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is ‘a pure Java vulnerability’ and doesn’t involve any native code. It affected not only Sun’s Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. ‘This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,’ Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

Here’s how to disable Java in your Safari and FireFox browsers in Mac OS X: -

If you still need Java access, I suggest that you install NoScript into FireFox. (See also.)

To disable Java in Safari on Mac OS X, click the Safari tab in the menu at the top right of your screen. Click Preferences in the drop-down list. In the Security section of the preferences window, uncheck Enable Java.

To disable Java in Firefox on Mac OS X, click the Firefox tab in the menu at the top right of your screen.In the Content section of the preferences window, uncheck Enable Java.

It appears that Mac users are deluding themselves that Macs are more secure than PCs: Just because something gets attacked less doesn’t mean it’s more secure.