Word is spreading that there’s a critical security vulnerability in Java on Mac OS X. Actually, it’s a couple of vulnerabilities that can be chained to run commands outside of the browser, with the privileges of the user that launched the browser. The truth is that the problem has been known about since at least August of last year, and Sun, the makers of Java, fixed it long ago, but those fixes haven’t made it into Mac OS X yet, not even in the 10.5.7 update.
So, what’s a Mac user to do? There’s no known exploitation in the wild beyond the proof-of-concept examples, but the interim mitigation is pretty simple:
1. Turn off ‘Open “safe” files after downloading’ in Safari -> Preferences -> General
2. Turn off Java in Safari -> Preferences -> Security and any other browsers you use
If you’re technically inclined, you may be interested in the detailed explanation of the vulnerabilities. [Via Daring Fireball]