Apple leaves 'critical' Java flaw unfixed for six months

Security researchers have claimed that Apple still hasn't fixed a Java security flaw that it has known about for almost six months.

Julian Tinnes, who works for Google, said on his blog that there was a flaw allowing an attacker to "execute arbitrary code remotely in Java enabled web browsers."

Tinnes said that he known about it for a while, but was holding off talking about it until Apple patched the vulnerability. As Apple did not fix the flaw in its last security update, he decided to go public.

The first instance of the flaw was found and fixed by Sun late last year for some platforms running Java, but not so for Apple systems. Tinnes said he wanted to warn Mac OS X users that Java should be disabled until the problem was fixed.

Mac security vendor Intego posted on its blog that this vulnerability was "critical" and put Macs at "serious risk".

It said the flaw "can lead to 'drive-by attacks', where users are attacked simply by visiting a malicious website and loading a web page."

Intego also said that if a Java applet was loaded in a web browser and malicious code was run, the hackers could run code to potentially access and delete files, as well as run applications.

If the flaw was executed with a "privilege escalation vulnerability", hackers could remotely run any system-level process and access any Mac, Intego added.

Another security researcher, Landon Fuller, has published a proof-of-concept to demonstrate the issue.

Apple said that it was aware of the issue and were working on a fix.