Apple patches Mac Java zero-day bug
Have Java? Then apply the update ASAP, say researchers
Computerworld - Apple yesterday released a Java update for Mac owners that fixes a dozen security flaws, including one that has been exploited by attackers for at least two weeks.
The update follows a decision Monday by Mozilla to blacklist unpatched editions of the Java plug-in from running in the Windows version of Firefox. Mozilla has yet not instituted a similar ban for Firefox on Mac OS X, however.
Apple classified all 12 of the Java vulnerabilities patched Tuesday as critical. Although the company does not use a threat scoring system to rate bug fixes, its use of the phrase "...may lead to arbitrary code execution," in its advisory describes the most serious kind of flaw that could be used by attackers to take control of a machine.
The update applies to Mac OS X 10.6, aka Snow Leopard, and OS X 10.7, better known as Lion.
While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with Lion last July 2011 -- it continues to issue Java security updates to people running Lion as well as Snow Leopard. Java may have be on some Lion systems: Users are prompted to install the software the first time they try to run a Java applet.
Java is also present on Macs that have been upgraded to Lion from Snow Leopard.
One of the dozen vulnerabilities, identified as CVE-2012-0507, has been targeted by the Flashback clan of Trojan horses since at March 23, according to Mac-only security company Intego.
Oracle patched that Java vulnerability -- and 13 others -- for Windows, Linux and Unix on February 14, but because Apple still maintains Java on OS X.
Flashback.R exploits the CVE-2012-0507 Java bug and like earlier versions of the malware, can silently infect Mac users. The earlier Flashback.G, which Intego analyzed in late February, was the first Mac Trojan that didn't require any user interaction. Before Flashback.G, Mac malware needed help installing, if only getting the user to enter her administrative password.
Flashback.G exploited two different Java bugs, but both of them had been patched months or even years earlier. Flashback.R, as Intego called it, was the first to target an unpatched, or "zero-day," Java bug.
The seven-week stretch between Oracle's and Apple's Java updates wasn't lost on security researchers.
"Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear," said Chet Wisniewski, a security researcher with U.K.-based vendor Sophos, in a Wednesday blog. "Fortunately, once it became a problem the company responded quickly."
Mac users can determine whether their machines have Java installed by visiting one of several websites, including this one, or by launching Terminal from the Utilities subfolder within the Applications folder, then typing "java -version" without the quotation marks.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts