Oracle Emergency Update Fixes Java Security Bug
Posted by Derek Erwin
Last week we mentioned that a Java vulnerability put some Mac users at risk, and that an attack on OS X users may not be far behind. At that time, your best course of action was to disable Java until a patch was released. Over the weekend, Oracle released a patch for the vulnerable Java version 7 to resolve CVE-2013-0422. This update applies only to users who have already upgraded to Java 7.
There’s a #Mac OS X implementation of that CVE-2013-0422 #Java exploit inside the metasploit framework.
— Intego Mac Security (@IntegoSecurity) January 11, 2013
After much public disclosure of technical details and the reported exploitation of CVE-2013-0422, Oracle worked vigorously over the weekend to resolve the security bug and is now recommending customers apply the updates as soon as possible to mitigate problems. Java 7 Update 11 resolves CVE-2013-0422 and another vulnerability (CVE-2012-3174) affecting Java running in web browsers. Both vulnerabilities may be remotely exploitable without authentication, Oracle reported, meaning that the bug may be exploited over a network without the need for a username and password.
We recommend updating Java immediately. Mac users can go to Oracle’s website to download Java SE 7u11. If you previously disabled Java in your browser, you will need to re-enable it manually after installing the updated release. In Firefox, you can do this in the Add-ons > Plugins screen. In Safari, choose Preferences and then click Security; make sure the Enable Java checkbox is selected. Google Chrome does not support Java 7 on the Mac platform.
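As an added example that is not part of Intego's post, the POSIX shell check below reads the version token from `java -version` output and reports whether a Java 7 installation is at Update 11 or later, the release the post says resolves CVE-2013-0422 and CVE-2012-3174. The sample version strings are constructed, and the function names are ours.

```shell
#!/bin/sh
# Decide from a Java version string whether a Java 7 install is at or past
# Update 11 (7u11). Exit status: 0 = 7u11 or later, 1 = Java 7 older than
# 7u11, 2 = not a Java 7 version string (the post says the update applies
# only to Java 7 users, so we do not judge other major versions here).
java7_patched() {
    ver="$1"                       # e.g. "1.7.0_10" or "1.7.0_11-b21"
    case "$ver" in
        1.7.0)   return 1 ;;       # GA build with no update number
        1.7.0_*) ;;
        *)       return 2 ;;
    esac
    upd="${ver#1.7.0_}"
    upd="${upd%%[!0-9]*}"          # drop any suffix such as "-b21"
    [ -n "$upd" ] || return 2
    [ "$upd" -ge 11 ] && return 0
    return 1
}

# Extract the quoted version from the first line of `java -version` output.
# Note that java prints this banner on stderr, so capture it with 2>&1.
version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^java version "\([^"]*\)".*$/\1/p'
}

# Constructed sample banners, in the format Oracle's JRE prints.
SAMPLE_OLD='java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)'
SAMPLE_NEW='java version "1.7.0_11"'
SAMPLE_J6='java version "1.6.0_37"'

# Print a one-line verdict for a captured banner.
check() {
    v=$(version_from_output "$1")
    rc=0
    java7_patched "$v" || rc=$?
    case $rc in
        0) echo "$v: Java 7u11 or later, fix for CVE-2013-0422 present" ;;
        1) echo "$v: Java 7 older than 7u11, install Java SE 7u11 from Oracle" ;;
        *) echo "$v: not Java 7, this update does not apply" ;;
    esac
}

check "$SAMPLE_OLD"
check "$SAMPLE_NEW"
check "$SAMPLE_J6"
```

On a real Mac, feed it the live banner with `check "$(java -version 2>&1)"`.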