Mac OS X users should run Software Update to check whether the latest Java update fixing several security flaws is available. Even though the latest fix didn’t make it into the update, a little patch is always better than no patch.
Users running Mac OS X 10.6 (Snow Leopard), OS X 10.7 Lion, and OS X 10.8 Mountain Lion can download the latest Java update which addressed a security-in-depth issue, Apple said in its security advisory released on Wednesday. A close examination of the advisory shows that the latest Java 1.6.0_35 update didn’t patch the serious zero-day vulnerabilities disclosed late last month and currently being exploited in the wild, according to Brian Krebs, a security blogger at KrebsOnSecurity.
The Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 patched the CVE 2012-0547 security-in-depth issue, but not the more serious CVE-2012-4681 vulnerability in the Java Runtime Environment which allows remote attackers to execute arbitrary code and bypass the security sandbox, Krebs said. The advisory lists only the security-in-depth issue, even though it links to Oracle’s warning about the more complex vulnerability.
The JRE flaw has a Common Vulnerability Scoring Standard (CVSS) of 10, which is the highest severity. In comparison, the security-in-depth issue has a CVSS of 0.
Oracle patched both CVE-2012-4681 and CVE 2012-0547 in the Java Runtime Environment for other platforms late last week. This update would be the first for Java users running Snow Leopard since June.
Apple being out of sync with Oracle on Java updates leaves Mac users vulnerable to attacks. This was all too clear in March and April this year when the Flashback Trojan infamously created a botnet consisting of an estimated 600,000 infected machines. Flashback exploited a Java flaw that Oracle had fixed in February that Apple had not yet closed. Apple announced shortly afterwards going forward, Oracle will handle Java 7 updates on OS X Lion onwards. Since Snow Leopard runs Apple’s own version of Java 6, older Macs will still need to wait for Apple to release updates.
Apple stopped bundling Java by default in OS X when it introduced 10.7 Lion two years ago. Users who need Java have to download and install the technology separately. The company also pushed out a mechanism which automatically configures the Java browser plugin and disables it entirely if it hadn’t been used for 35 days.
As has already been recommended, users should update Java and then disable it unless they actually need to access a Website using Java. The OS X updates can be applied via Apple’s Software Update function or from the company’s download page.