Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple Releases Java Update, Doesn’t Fix 0-Day

Mac OS X users should run Software Update to check whether the latest Java update fixing several security flaws is available. Even though the latest fix didn’t make it into the update, a little patch is always better than no patch.

Mac OS X users should run Software Update to check whether the latest Java update fixing several security flaws is available. Even though the latest fix didn’t make it into the update, a little patch is always better than no patch.

Users running Mac OS X 10.6 (Snow Leopard), OS X 10.7 Lion, and OS X 10.8 Mountain Lion can download the latest Java update which addressed a security-in-depth issue, Apple said in its security advisory released on Wednesday. A close examination of the advisory shows that the latest Java 1.6.0_35 update didn’t patch the serious zero-day vulnerabilities disclosed late last month and currently being exploited in the wild, according to Brian Krebs, a security blogger at KrebsOnSecurity.

The Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 patched the CVE 2012-0547 security-in-depth issue, but not the more serious CVE-2012-4681 vulnerability in the Java Runtime Environment which allows remote attackers to execute arbitrary code and bypass the security sandbox, Krebs said. The advisory lists only the security-in-depth issue, even though it links to Oracle’s warning about the more complex vulnerability.

The JRE flaw has a Common Vulnerability Scoring Standard (CVSS) of 10, which is the highest severity. In comparison, the security-in-depth issue has a CVSS of 0.

Oracle patched both CVE-2012-4681 and CVE 2012-0547 in the Java Runtime Environment for other platforms late last week. This update would be the first for Java users running Snow Leopard since June.

Apple being out of sync with Oracle on Java updates leaves Mac users vulnerable to attacks. This was all too clear in March and April this year when the Flashback Trojan infamously created a botnet consisting of an estimated 600,000 infected machines. Flashback exploited a Java flaw that Oracle had fixed in February that Apple had not yet closed. Apple announced shortly afterwards going forward, Oracle will handle Java 7 updates on OS X Lion onwards. Since Snow Leopard runs Apple’s own version of Java 6, older Macs will still need to wait for Apple to release updates.

Apple stopped bundling Java by default in OS X when it introduced 10.7 Lion two years ago. Users who need Java have to download and install the technology separately. The company also pushed out a mechanism which automatically configures the Java browser plugin and disables it entirely if it hadn’t been used for 35 days.

As has already been recommended, users should update Java and then disable it unless they actually need to access a Website using Java. The OS X updates can be applied via Apple’s Software Update function or from the company’s download page.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.