Apple has released Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7, featuring a dozen security fixes, including a fix for CVE-2012-0507, the vulnerability exploited by a recent variant of the Flashback malware. As the information Apple provides about this update says,
Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
This is exactly what happens with the recent variant of the Flashback malware that we discussed yesterday.
It’s worth noting that Java is no longer provided with Mac OS X 10.7 Lion, but the first time a user needs to run it – when a Java applet loads, or when a user launches a Java applet on their Mac – the system will ask if the user wants to download it. If so, Apple provides the download directly. Apple also maintains its own version of Java; the version installed by this update is 1.6.0_31.
Java is quickly becoming a new vector of attack for malware, and the Flashback malware has notably used Java in several different ways, taking advantage of known or unpatched vulnerabilities to get through a Mac’s defenses. Java applets are not affected by Mac OS X’s quarantine system, so Mac users get no warning dialog when Java applets are downloaded as objects in a web page. This also gets around Apple’s XProtect malware scanning system, which does not scan objects embedded in web pages.
If you have Java on your Mac, this 66.6 MB update will be available via Software Update. If not, your Mac will offer to download it the first time it is needed.
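As an added example that is not from the original post: a POSIX shell check that parses the output of `java -version` and reports whether the installed Java is at least 1.6.0_31, the version this update installs. The sample `java -version` output below is constructed; on a real Mac you would feed the function the output of `java -version 2>&1`.

```shell
#!/bin/sh
# Added example (not from the original post): is the Java on this Mac patched?
# Apple's Java 6 reports versions as <major>.<minor>.<micro>_<update>, e.g. 1.6.0_31.

# Pull the quoted version token (e.g. 1.6.0_31) out of `java -version` output.
java_version_token() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Split 1.6.0_31 into "1 6 0 31"; missing fields (e.g. plain "1.7.0") count as 0.
java_version_fields() {
    tok=$(printf '%s' "$1" | tr '_' '.' | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$tok" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# Collapse the four fields into one integer so two versions compare with -ge.
java_version_key() {
    set -- $(java_version_fields "$1")
    echo $(( $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4 ))
}

# Exit 0 when the `java -version` output describes 1.6.0_31 or newer,
# 1 when it is older, 2 when no version line was found at all.
java_is_patched() {
    tok=$(java_version_token "$1")
    [ -n "$tok" ] || return 2
    [ "$(java_version_key "$tok")" -ge "$(java_version_key 1.6.0_31)" ]
}

# Constructed samples of `java -version 2>&1` before and after the update.
OLD_JAVA='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build CONSTRUCTED-SAMPLE)'
NEW_JAVA='java version "1.6.0_31"
Java(TM) SE Runtime Environment (build CONSTRUCTED-SAMPLE)'

# Real use on a Mac: java_is_patched "$(java -version 2>&1)" && echo patched
for sample in "$OLD_JAVA" "$NEW_JAVA"; do
    if java_is_patched "$sample"; then
        echo "patched:   $(java_version_token "$sample")"
    else
        echo "UNPATCHED: $(java_version_token "$sample")"
    fi
done
```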
More information about this Java update is available here.