Critical Mac OS X Java vulnerability
Landon Fuller posted proof-of-concept code for an unpatched vulnerability that has been known for months. If you visit the following page, a Java applet will execute “/usr/bin/say” on your system with your current user permissions.
The link will execute code on your system with your current user permissions. The proof of concept runs on fully patched PowerPC and Intel Mac OS X systems.
Five months ago, this vulnerability and others were publicly disclosed and fixed by Sun.
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely when a user visits a web page hosting the applet. The issue is trivially exploitable.
These vulnerabilities remain in Apple’s shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.
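Since the bug was fixed upstream by Sun months ago but is still present in Apple's shipping JVMs and in Soylatte 1.0.3, the practical question for an administrator is which update level each installed JVM reports. The following script is an added example, not code from the post or from Landon Fuller: it parses `java -version` output and flags builds whose update number predates Sun's fix. The fix thresholds (5.0 Update 17 and 6 Update 11) and the sample transcripts are this example's own assumptions and constructed data; verify the thresholds against the vendor advisory, and remember that Apple ships Java fixes on its own schedule, so Apple's security updates, not Sun's release notes, decide when the bundled JVM is actually patched.

```python
"""Flag JVMs whose reported update level predates Sun's CVE-2008-5353 fix.

Added example, not code from the post. The thresholds below are this
example's assumption (Sun's December 2008 security release, 5.0u17 / 6u11);
check them against your vendor's advisory before relying on them.
"""
import re
import subprocess
from typing import Optional, Tuple

# Assumed minimum Sun update levels carrying the CVE-2008-5353 fix,
# keyed by Java major version (1.5 -> 5, 1.6 -> 6).
PATCHED_UPDATE = {5: 17, 6: 11}

# Matches the first line of `java -version`, e.g. java version "1.6.0_07"
# (vendor suffixes such as "1.6.0_03-p3" are tolerated because only the
# prefix is matched).
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def assess(output: str) -> str:
    """Classify a `java -version` transcript as VULNERABLE, PATCHED or UNKNOWN."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "UNKNOWN: could not parse a 1.x.0_NN version string"
    major, update = parsed
    needed = PATCHED_UPDATE.get(major)
    if needed is None:
        return f"UNKNOWN: no fix threshold recorded for Java {major}"
    if update < needed:
        return (f"VULNERABLE: 1.{major}.0_{update:02d} predates update {needed}; "
                "the CVE-2008-5353 sandbox escape is present")
    return (f"PATCHED: 1.{major}.0_{update:02d} is at or above Sun's fix level "
            f"(update {needed})")


def check_installed(java_cmd: str = "java") -> str:
    """Run the local `java -version` (it prints to stderr) and assess the output."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "UNKNOWN: no java binary found"
    return assess(proc.stderr + proc.stdout)


# Constructed sample transcripts (not captured from real machines).
SAMPLES = {
    "apple_bundled": 'java version "1.6.0_07"\n'
                     'Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)\n',
    "sun_fixed": 'java version "1.6.0_11"\n'
                 'Java(TM) SE Runtime Environment (build 1.6.0_11-b03)\n',
    "soylatte": 'java version "1.6.0_03-p3"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_03-p3-b00)\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} {assess(text)}")
    print(f"{'local':14} {check_installed()}")
```

Run it on each machine you manage (or feed it transcripts collected from them); any JVM reported as VULNERABLE should have its browser plugin disabled until the vendor's fixed build is installed, and a JVM reported as PATCHED only tells you the update number is at Sun's fix level, not that a third-party port such as Soylatte has actually merged the fix.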
More information and a discussion are forming here.