Java runtime (J2SE) for Mac OS X v10.0.x has a security hole.
It seems to have been fixed in Mac OS X v10.1.

http://www.apple.com/support/security/security_updates.html
> Security updates are listed below according to the software release in
> which they first appeared:
> Mac OS X v10.1
> o system clipboard / J2SE - Fixes a security issue that permitted
>   unauthorized applets access to the system clipboard.

However, the patch for Mac OS X 10.0 has not been released.

Workaround:
Buy Mac OS X v10.1 or do not use Java applets on Mac OS X v10.0

A brief history of this issue:

On 9 Feb 2001 Cameron McNeil wrote:
> To: java-dev@lists.apple.com
> I've recently been playing around with applets and MRJ2.2.4 and I've noticed
> that unsigned applets have access to the system clipboard. I remember
> reading somewhere that the system clipboard was considered outside of the
> sandbox, I know that in windows if you attempt to access the clipboard it
> will throw a security exception. Is this a bug in the MRJ security model or
> was the ability to access the clipboard left in intentionally?

On 9 Feb 2001 Eric Albert <ealbert@apple.com> wrote:
> To: java-dev@lists.apple.com
> That may well be a bug...I ran into that a month or two ago and was
> wondering why MRJ allowed it. Please file a bug report.

On 5 Jun 2001 TAKAGI, Hiromitsu <takagi@etl.go.jp> wrote:
> To: java-dev@lists.apple.com
> On 1 Jun 2001 Mickey Segal wrote:
> > Are there release notes telling us what is fixed in MRJ 2.2.5?
> > The description at http://www.apple.com/java/ reflects only MRJ 2.2.4.
>
> This release seems to contain a security fix. The clipboard tapping
> vulnerability which was discovered here on Feb 9(*) has been fixed.
> However, Apple hasn't notified customers of this fix yet in the release
> note nor the security bulletin.
> http://asu.info.apple.com/swupdates.nsf/artnum/n11927
> http://www.apple.com/support/security/security_updates.html

On 6 Jun 2001 TAKAGI, Hiromitsu <takagi@etl.go.jp> wrote:
> To: java-dev@lists.apple.com
> Cc: product-security@apple.com, java-security@sun.com
>
> > This release seems to contain a security fix. The clipboard tapping
> > vulnerability which was discovered here on Feb 9(*) has been fixed.
>
> I prepared a test applet for this vulnerability.
> http://java-house.etl.go.jp/~takagi/java/security/mrj-clipboard/Test.html
> ...and found that J2SE v1.3 for Mac OS X is also vulnerable.
> Why hasn't it been fixed?

--
Hiromitsu Takagi, Ph.D.
National Institute of Advanced Industrial Science and Technology,
Tsukuba Central 2, 1-1-1, Umezono, Tsukuba, Ibaraki 305-8568, Japan
http://staff.aist.go.jp/takagi.hiromitsu/