Apple moves to allay fears over a number of Java vulnerabilities
Apple has responded to fears over Java on Mac OS X by releasing an update, which should fix a number of dangerous flaws.
The update was pushed out yesterday for Java for OS X Lion 2012-001 and Java for Mac OS X 10.6.
“Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox,” Apple said in its advisory. “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_31.”
Security companies had been advising people to disable Java on their Macs after reports of escalating attacks exploiting the flaws.
Earlier in the week, F-Secure identified a variant of the Flashback malware that was exploiting the CVE-2012-0507 Java vulnerability. Oracle released a patch for the flaw in February, but only for Windows. Apple’s update covers a total of 12 flaws, including CVE-2012-0507.
Rumours have indicated another available exploit for an “as-yet unpatched critical flaw in Java” was on sale, F-Secure said. It also warned a different vulnerability, CVE-2011-3521, was being exploited.
“It is strongly recommended to update your Java client to the latest version, disable it when not needed, or better yet, remove it completely if you don’t really need it,” the Finnish firm blogged yesterday.
Mac OS X attacks are still much rarer than Windows hits, but cyber criminals are recognising the value of hitting Apple machines. Last week, security researchers uncovered a never-before-seen Trojan targeting Mac users, known as MacControl. It could exploit a remote code execution vulnerability that existed in the way Microsoft Office Word handled a specially crafted file that includes a malformed record.
How much do you know about security? Test yourself with our quiz.