Apple Updates XProtect to Block Vulnerable Java Versions

Apple has released an update to its XProtect component of Mac OS X to block certain outdated versions of the Java browser plug-in. These older versions will no longer run in Safari or Mail after this automatic update is applied.

The minimum required version of Apple’s Java plug-in for Snow Leopard is now 13.9.7 (Java 6 Update 51), up from 13.9.5 (Java 6 Update 45). Apple provides its own version of Java for Snow Leopard and has continued to release security updates for it.

XProtect 65 for Snow Leopard

On Lion and Mountain Lion, the minimum version of Apple’s Java plug-in has increased from 14.7.0 (which corresponds with Oracle’s Java 7 Update 21) to 14.8.0 (which corresponds with Java 7 Update 25). Beginning with Lion, Apple no longer bundles Java with OS X; it is now a third-party offering available from Oracle.

XProtect 2039 for Mountain Lion

Apple likely changed the minimum Java plug-in version due to reports that a previously patched Java 6 vulnerability has been added to the Neutrino exploit kit, making it easier for evildoers to infect a Mac or PC running an outdated version of Java.

In a support article related to this update, Apple recommends only enabling the Java browser plug-in when you need it for a particular site, and then disabling the Java plug-in again afterward.

Meanwhile, Apple still has a very low minimum requirement for the Adobe Flash Player plug-in. Flash Player 11.6.602.171 was released in late February, and Apple began requiring it within a couple days of Adobe’s release due to reports of active, in-the-wild exploitation of vulnerabilities in older versions.

Adobe has since released several versions of Flash Player that fix a number of vulnerabilities, but none of these versions was an urgent patch to fix bugs that were being actively exploited at the time. The current version of Flash Player is 11.8.800.94 as of when this article was published; any version older than that has known vulnerabilities. You can check to see whether you have the latest version of Flash Player by going to https://www.adobe.com/software/flash/about/
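The gap between "allowed by XProtect" and "actually up to date" can be audited with a short script. The following is an added example, not code from Apple or from the original article: it parses a constructed sample modelled on XProtect's metadata plist (the key names and bundle identifiers are assumptions; the version numbers are the ones quoted above) and classifies installed plug-in versions.

```python
import plistlib
import re

# Constructed sample modelled on XProtect.meta.plist. Key names and bundle
# identifiers are assumptions; the version numbers are those quoted in the article.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.apple.java.JavaAppletPlugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>14.8.0</string></dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict><key>MinimumPlugInBundleVersion</key><string>11.6.602.171</string></dict>
  </dict></dict>
</dict></plist>"""
JAVA = "com.apple.java.JavaAppletPlugin"
FLASH = "com.macromedia.Flash Player.plugin"
# Newest releases named in the article at publication time.
LATEST = {JAVA: "14.8.0", FLASH: "11.8.800.94"}


def version_key(version):
    """Parse '11.6.602.171' into ints so 14.10.0 sorts above 14.8.0."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:  # treat 14.8 and 14.8.0 as equal
        parts.pop()
    return tuple(parts)


def load_minimums(meta_bytes):
    """Return {bundle_id: minimum_version} from the plug-in blacklist section."""
    entries = plistlib.loads(meta_bytes).get("PlugInBlacklist", {}).get("10", {})
    return {bid: e["MinimumPlugInBundleVersion"]
            for bid, e in entries.items() if "MinimumPlugInBundleVersion" in e}


def audit(installed, minimums, latest):
    """Classify each installed plug-in as 'blocked', 'outdated' or 'current'."""
    report = {}
    for bid, ver in installed.items():
        if bid in minimums and version_key(ver) < version_key(minimums[bid]):
            report[bid] = "blocked"    # below XProtect's minimum version
        elif bid in latest and version_key(ver) < version_key(latest[bid]):
            report[bid] = "outdated"   # passes XProtect, behind the newest release
        else:
            report[bid] = "current"
    return report
```

Calling `audit({JAVA: "14.7.0", FLASH: "11.6.602.171"}, load_minimums(SAMPLE_META), LATEST)` reports the Java plug-in as blocked and Flash Player as outdated: Flash still meets XProtect's minimum even though newer releases have fixed additional vulnerabilities.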

Apple’s XProtect system provides rudimentary protection against certain Mac threats. It does not offer live malware scanning, protection against Windows threats or phishing sites, or other protection that full-featured antivirus software can provide. Intego develops a number of specialized security products for Mac, available from www.intego.com

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.