Macs at risk from 'super dangerous' Java zero-day
Expert confirms Metasploit attack code works on OS X
Computerworld - Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.
The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.
"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.
JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.
Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.
Although the exploits now circulating in the wild have been aimed only at Windows users, it's possible that Macs could also be targeted.
"What is more worrisome is the potential for this to be used by other malware developers in the near future," said Intego, a Mac-specific antivirus vendor, in a post to its own blog Monday. "Java applets have been part of the installation process for almost every malware attack on OS X this year."
The largest Mac malware campaign to date also involved Java. Flashback, which exploited a Java bug that at the time had not been patched by Apple, infected hundreds of thousands of Macs starting in early April 2012.
Apple stopped bundling Java with OS X starting with last year's Lion, a practice it continued with Mountain Lion. Those users, however, may still have Java installed; when a browser encounters a Java applet, it asks the user for permission to download the Oracle software.
People running the older Snow Leopard (2009) and Leopard (2007) are even more vulnerable to attacks, as Java came with those operating systems.
Apple still maintains Java 6, but Oracle is responsible for patching Java 7.
"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.
Beardsley called the bug "super dangerous," noting that it was "totally a drive by," meaning that attackers could compromise a Mac, or other personal computers, simply by duping users into browsing to a malicious or previously-hacked website that hosts the attack code.
Beardsley recommended that users disable Java until Oracle delivers a patch, advice seconded by virtually every security expert commenting on the new-found flaw.
Mac owners can disable the Java plug-in from within their browsers, or remove Java 7 from their machines. To do the latter, select "Go to Folder" from the Finder's "Go" menu, enter "/Library/Java/JavaVirtualMachines/" and drag the file "1.7.0.jdk" into the Trash.
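The Finder steps above can also be checked from a shell across many Macs. The script below is an added example, not from the article or from Apple or Oracle: it looks in the directory the article names for Java 7 bundles and can move them aside instead of deleting them. The function names, the quarantine directory and the extra `jdk1.7*.jdk` name pattern are assumptions.

```shell
#!/bin/sh
# Added example: audit for the Java 7 bundle the article says to remove.
# Directory and "1.7.0.jdk" come from the article; everything else is assumed.
JVM_DIR_DEFAULT="/Library/Java/JavaVirtualMachines"

# Print the path of every Java 7 bundle in the given directory, one per line.
# "jdk1.7*.jdk" is an assumed second naming pattern, so that a Java 7 bundle
# not named exactly "1.7.0.jdk" is still reported.
find_java7_bundles() {
    dir="${1:-$JVM_DIR_DEFAULT}"
    [ -d "$dir" ] || return 0            # no JVM directory: nothing to report
    for bundle in "$dir"/1.7*.jdk "$dir"/jdk1.7*.jdk; do
        [ -e "$bundle" ] || continue     # an unmatched glob stays literal
        printf '%s\n' "$bundle"
    done
}

# Print how many Java 7 bundles were found (0 when the directory is absent).
count_java7_bundles() {
    find_java7_bundles "$1" | wc -l | tr -d ' '
}

# Move every Java 7 bundle into a quarantine directory (hypothetical location
# chosen by the caller). On a real Mac this needs administrator rights.
quarantine_java7_bundles() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    find_java7_bundles "$src" | while IFS= read -r bundle; do
        mv "$bundle" "$dest"/ && printf 'moved %s\n' "$bundle"
    done
}

# Report on the default location when the script is run directly.
echo "Java 7 bundles found: $(count_java7_bundles)"
```

A count of 0 covers only bundles in this one directory; the browser plug-in setting the article mentions is a separate check.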
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.