The Mac Security Blog

Security & Privacy

Java Vulnerability Affects Some Mac Users

Posted on by

Update – January 14, 2013

Oracle has released an emergency update for two vulnerabilities, CVE-2013-0422 and CVE-2012-3174. Updating to this new version, Java 7 update 11, will re-enable Java in Safari and Firefox.

According to Oracle, this update will also tighten the default security settings:

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

This site will allow you to test whether Java has been successfully re-enabled.

_____

Another day, another Java vulnerability, it would seem.

There has been a lot of talk in the last 24 hours about an unpatched Java vulnerability (CVE-2013-0422), that was discovered because it’s currently being used to attack Windows users. Some well-known exploit packs have added Windows-based attacks that are now being used in the wild. The prevalence of this threat that is hitting users with drive-by downloads has prompted many security experts to recommend (yet again) that people disable Java until a patch can be released.

Some Mac users are at risk for the vulnerability, but likely a small percentage, and not they’re not at risk for the attacks that are currently in the wild. Those users who have specifically updated to Java version 7 are the ones that are at risk. This website will allow you to check your version of Java. Most Mac users will either have Java disabled, or have Java version 6, and thus they’re not at risk.

Here are the circumstances where you are not at risk from this exploit:

  • If you do not have Java installed
  • If you have Java installed and it’s still on version 6
  • If you installed Java and then subsequently disabled it
  • If you are running 10.6 or older OS, as Java 7 requires 10.7 or higher

There is a proof-of-concept exploit that’s been published for OS X, which mean an attack may not be far behind. If you do have Java version 7, it’s a good idea to disable Java until a patch can be released. These warnings seem to be coming more and more frequently, and this trend is unlikely to stop any time soon. If you are not currently able to completely disable Java, it would be wise to start reevaluating whatever is keeping you from doing that.

Update – January 13, 2013

Apple updated XProtect to disable Java 7

It looks as though Apple has silently updated XProtect to disable Java 7 until Oracle’s next release. This may come as a rude surprise to some users, as the next update is not scheduled till February. But it’s possible Oracle will make another unscheduled update, like they did after CVE-2012-4681 caused similar malware problems.

Apple is not alone in taking this sort of proactive action. Mozilla has announced that Firefox is now also disabling recent versions of Java plugins.