EDGE 2015 is starting in

Find out more EDGE 2015
Menu
Apple patches Mac Java zero-day bug

Apple patches Mac Java zero-day bug

Have Java? Then apply the update ASAP, say researchers

Apple yesterday released a Java update for Mac owners that fixes a dozen security flaws, including one that has been exploited by attackers for at least two weeks.

The update follows a decision Monday by Mozilla to blacklist unpatched editions of the Java plug-in from running in the Windows version of Firefox. Mozilla has yet not instituted a similar ban for Firefox on Mac OS X, however.

Apple classified all 12 of the Java vulnerabilities patched Tuesday as critical. Although the company does not use a threat scoring system to rate bug fixes, its use of the phrase "...may lead to arbitrary code execution," in its advisory describes the most serious kind of flaw that could be used by attackers to take control of a machine.

The update applies to Mac OS X 10.6, aka Snow Leopard, and OS X 10.7, better known as Lion.

While Apple no longer packages Oracle's Java with its Mac operating system -- it stopped that practice with Lion last July 2011 -- it continues to issue Java security updates to people running Lion as well as Snow Leopard. Java may have be on some Lion systems: Users are prompted to install the software the first time they try to run a Java applet.

Java is also present on Macs that have been upgraded to Lion from Snow Leopard.

One of the dozen vulnerabilities, identified as CVE-2012-0507, has been targeted by the Flashback clan of Trojan horses since at March 23, according to Mac-only security company Intego.

Oracle patched that Java vulnerability -- and 13 others -- for Windows, Linux and Unix on February 14, but because Apple still maintains Java on OS X.

Flashback.R exploits the CVE-2012-0507 Java bug and like earlier versions of the malware , can silently infect Mac users. The earlier Flashback.G, which Intego analyzed in late February, was the first Mac Trojan that didn't require any user interaction. Before Flashback.G, Mac malware needed help installing, if only getting the user to enter her administrative password.

Flashback.G exploited two different Java bugs, but both of them had been patched months or even years earlier. Flashback.R, as Intego called it, was the first to target an unpatched, or "zero-day," Java bug.

The seven-week stretch between Oracle's and Apple's Java updates wasn't lost on security researchers.

"Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear," said Chet Wisniewski, a security researcher with U.K.-based vendor Sophos, in a Wednesday blog . "Fortunately, once it became a problem the company responded quickly."

Mac users can determine whether their machines have Java installed by visiting one of several websites, including this one , or by launching Terminal from the Utilities subfolder within the Applications folder, then typing "java -version" without the quotation marks.

A version number will appear, or the message "No Java runtime support, requesting install" if Java is not on the Mac.

Users can also disable the Java plug-in from their browsers. (Security company Rapid7 has created a short video describing how to do that in Safari, Chrome and Firefox on the Mac.)

Java vulnerabilities are not new, but they've been off most hackers' to-do lists for some time.

"It continues to pop up as a major vector about once a year and then all of a sudden there is an 'oh crap' moment ... get your Java patched now," said Andrew Storms, director of security operations at nCircle Security, in an interview via instant messaging today. "Java is not on my radar very often, but when it does hit the screen, it's a big deal."

And Storms thought he knew why: Java just isn't what it used to be.

"More people are getting Adobe products up to date [than Java] because Adobe patches more often, so it's fresh in the mind and gets more news coverage," said Storms.

Storm has a point: Adobe has already patched its popular Flash Player, for example, three times this year.

Wisniewski urged users of Mac OS X 10.5 -- nicknamed Leopard -- and earlier to immediately disable the Java plug-in. Apple no longer supports those editions with security updates, including patches for Java.

According to Web metrics company Net Applications, Lion and Snow Leopard powered about 82% of all Macs that went online last month, leaving about one in five Mac users in the Leopard-or-earlier pool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about security in Computerworld's Security Topic Center.

EDGE 2015:: For all the latest on EDGE 2015 including the keynote speakers visit the EDGE mini-site now

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Upcoming

Slideshows

In Pictures: Robots that cook, clean, sing and dance
Tech Hive

In Pictures: Robots that cook, clean, sing and dance

Cooking, learning language and doing the laundry are a few of the human skills demonstrated by.real humanoid bots featured in the National Geographic movie Robots.

In Pictures: Robots that cook, clean, sing and dance
IN PICTURES: OKI Data Australia partner event (+10 photos)
Business Products

IN PICTURES: OKI Data Australia partner event (+10 photos)

OKI recently hosted its ChannelOne dealer forum for its executive series channel partners to get together and learn about the company's new high-performance ES8400 A3 multifunction series printers. After a welcome and business overview from OKI Data Australia managing director, Dennie Kawahara, delegates were given a comprehensive overview of the new product, as well as an update on the latest marketing initiatives and software solutions, before being treated to live demos and a product showcase. Partners were also given a preview of OKI’s upcoming A3 digital LED white toner printer. With more than 60 delegates attending from all over the country, the day concluded with dinner at Casa Ristorante Italiano in Sydney and several delegates also participated in a friendly game of golf the following morning.

IN PICTURES: OKI Data Australia partner event (+10 photos)

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments