News

Java Flaw Patched for Mac OS X, Blocked in Firefox

Apple released an update for Mac OS X users yesterday that addresses a recent Java flaw that has been exploited in the wild by attackers thanks to its inclusion in the BlackHole hacker toolkit.

"Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user," said the Apple update advisory. "These issues are addressed by updating to Java version 1.6.0_29."

The fix, which is included with 11 other security bulletin items for Mac OS X, comes after Sophos security experts identified an attack on Tuesday that employs a specially crafted Trojan to exploit the known Java flaw in Mac systems.

In a Sophos blog entry posted after Apple released its update, Chester Wisniewski, senior security advisor with the firm, questioned why it took the news that the Java exploit was targeting Mac users before an update was pushed through.

"This does make you wonder whether Apple takes security as seriously as it should," said Wisniewski. "Perhaps its public facing image of being invulnerable is the prevailing attitude within the company."

Apple's update comes on the heels of Mozilla blacklisting the use of outdated versions of Java in its Firefox Web browser. What this means is that Firefox users will be notified that the Java add-on has been disabled when encountering any Web site that utilizes the Oracle applet.

Users can still use the outdated versions by agreeing to enable the pligin. However, Kev Needham, Mozilla's channel manager recommends users (no matter their OS) update their Java as soon as possible due to the "critical" nature of the flaw.

"This vulnerability -- present in the older versions of the JDK and JRE -- is actively being exploited, and is a potential risk to users," said Needham in a blog post. "To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist."

The latest version of Java can be downloaded here.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

comments powered by Disqus

Reader Comments:

Sun, Apr 15, 2012 Slogger Central NY State

Even with auto updating turned on, Java updates itself when it pleases. The current version is _31 and at least once a week I find one of my machines still on an older version. I also concur with HAS, the developers need to stay on top of this so that updates don't break sites. Adobe has a similar problem, I am fighting with a devoloper who hasn't updated their site to work properly with the current version of Flash. The developer's solution? He provided a link for the Flash uninstall utility and an outdated version of Flash from November, 2011. Amazing!

Mon, Apr 9, 2012 HAS Atlanta,GA

They are not the only ones that are slow to update. There are a lot of web pages that depend on an older version of JAVA to work. Update your JAVA and the page is broken.

Sun, Apr 8, 2012 Chris

A few days later, I reported the infection vector as well, take a look at how many anti-virus companies decided to analyze it and protect their customers:- https://www.virustotal.com/file/2ca0271b9b2abf8bdd3f038763607846b8e7fcc6ae981965d0781c549c295787/analysis/1331469811/

Sun, Apr 8, 2012 Chris

I reported this exploit exactly 1 month ago today, including samples of the code, to both Sun and Oracle. They never even wrote back to me, and it seems, left everyone with this active exploit hole unpatched for an extra 31 days...

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.