Brian Krebs has published an article about a Java exploit that is being used in the wild. As part of the Metasploit framework – a hacking tool – this Java attack “has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.”
As the Metasploit blog points out, “This vulnerability is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”
Intego’s senior malware researcher told me that, “this threat is completely invisible, and anyone can get infected by visiting a malicious web site.” The site you visit may itself have been compromised, it may redirect you to another site, or it may pull in content (an ad, a script, a frame) from a third-party site; in each case the malicious applet loads and runs with no visible sign. Even seemingly safe sites may therefore have been seeded by hackers who use this exploit to infect Macs.
The practical upshot: if you haven’t updated Java – we alerted you to the latest Java update four weeks ago – do so now. Launch Software Update and install the latest Java update.
Apple has released the Java for Mac OS X 10.7 Update 1 and Java for Mac OS X 10.6 Update 6, for Lion and Snow Leopard, respectively. These updates patch 17 vulnerabilities, and increment Java to version 1.6.0_29. Full release notes are available on the Oracle web site and on Apple’s web site.
Apple says the following about these updates:
Multiple vulnerabilities exist in Java 1.6.0_26, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
These updates are available via Software Update, or from Apple’s Support Downloads page. With Lion, Apple does not provide Java in the standard installation, but rather users are prompted to download it the first time it is needed. It is not clear whether this update will show up in Software Update for users who don’t have Java already installed.
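Because the fix is a specific Java build (1.6.0_29) and, on Lion, Java may not be installed at all, the quickest check is to read what `java -version` reports. The script below is an added example, not Intego’s or Apple’s code: it parses that output and classifies the machine as missing Java, vulnerable, patched, or unknown relative to the fixed build. The sample outputs are constructed, not captured from a real Mac, and the text of Lion’s no-runtime message (“No Java runtime present”) is an assumption about the stub at /usr/bin/java.

```shell
#!/bin/sh
# Added example (not Intego's or Apple's code): classify the output of
# `java -version` on a Mac as missing, vulnerable, patched or unknown,
# relative to the build a given update ships (1.6.0_29 in the post above).

# Print the update number of a Java version string, e.g. 1.6.0_26 -> 26.
# A string with no "_NN" suffix (an early build) is treated as update -1,
# i.e. older than any numbered update.
java_update_number() {
    case "$1" in
        *_*) printf '%s\n' "${1##*_}" ;;
        *)   printf '%s\n' "-1" ;;
    esac
}

# classify_java_version STATUS_TEXT FIXED_VERSION
#   STATUS_TEXT is the text `java -version` writes to stderr.
#   Prints exactly one of: missing, vulnerable, patched, unknown.
classify_java_version() {
    out=$1
    fixed=$2

    # Assumption: Lion's /usr/bin/java stub, present when no runtime is
    # installed, prints "No Java runtime present" instead of a version
    # (and pops up an install prompt).
    case "$out" in
        *"No Java runtime present"*) echo missing; return 0 ;;
    esac

    # First line of a real runtime looks like:  java version "1.6.0_26"
    ver=$(printf '%s\n' "$out" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown; return 0
    fi

    # Only compare update numbers within the same line (1.6.0 vs 1.6.0);
    # a different line (say 1.7.0) is not covered by this Apple update.
    if [ "${ver%%_*}" != "${fixed%%_*}" ]; then
        echo unknown; return 0
    fi

    if [ "$(java_update_number "$ver")" -ge "$(java_update_number "$fixed")" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample outputs for an offline run (not captured from a real Mac).
SAMPLE_OLD='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03-383-11A511)'
SAMPLE_NEW='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11M3527)'
SAMPLE_NONE='No Java runtime present, requesting install.'

FIXED=1.6.0_29
for s in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_NONE"; do
    printf '%-50s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" \
        "$(classify_java_version "$s" "$FIXED")"
done

# On a real Mac, check the installed runtime instead of the samples.
if command -v java >/dev/null 2>&1; then
    printf 'this machine -> %s\n' \
        "$(classify_java_version "$(java -version 2>&1)" "$FIXED")"
fi
```

A result of “missing” on Lion is not a pass: the runtime will be downloaded the first time a page asks for it, so run `softwareupdate -l` after that first install to confirm the patched build is what arrived. A result of “unknown” means the installed line is not the one this update addresses and needs to be checked against its own vendor advisory.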
Apple has released updates to Java for both Mac OS X 10.5 Leopard and Mac OS X 10.6 Snow Leopard. These updates apply to both the client and server versions of Mac OS X, and fix 19 vulnerabilities in the Mac OS X 10.5 version and 11 vulnerabilities in the Mac OS X 10.6 version.
Multiple vulnerabilities exist…, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
The updates are 120 MB and 75 MB respectively. Full information about these updates is available here and here.
Apple has issued security updates for Java for both Leopard (Mac OS X 10.5) and Snow Leopard (Mac OS X 10.6). The Java for Mac OS X 10.6 Update 4 fixes 16 vulnerabilities, “the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” As Apple says, “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”
The Java for Mac OS X 10.5 Update 9 fixes the same vulnerabilities plus 11 others, and covers two versions of Java.
Interestingly, Apple is not giving any details about these flaws; they are merely citing the CVE (Common Vulnerabilities and Exposures) numbers for them. In a recent security update for iTunes for Windows, Apple did the same thing, but in the past, they provided more detailed information for each flaw. Apple directs users to the Oracle website for “more information” about these updates, but the information presented is only about the different version numbers of Java that are affected.
In any case, all those who use Java should update immediately. Java is an easily exploited attack vector: an applet embedded in a web page is fetched and run by the browser plugin as soon as the page loads, with nothing to prompt the user, so a sandbox escape in the runtime turns any page the victim visits into an opportunity for arbitrary code execution with that user’s privileges.
Apple has released security updates for Java on Mac OS X 10.5 and 10.6, correcting four and three vulnerabilities respectively. The Java for Mac OS X 10.6 Update 3 fixes three flaws that could allow “arbitrary code execution with the privileges of the current user” or “arbitrary code execution with the privileges of another user.” The Java for Mac OS X 10.5 Update 8 corrects four such flaws.
Updates are available via Software Update, or from Apple’s Downloads page. They are 74 and 119 MB respectively. More information about these security updates can be found here.
Apple has released security updates for Java for both Mac OS X 10.6, Snow Leopard, and Mac OS X 10.5, Leopard. The Java for Mac OS X 10.6 Update 2 and Java for Mac OS X 10.5 Update 7 are available from Software Update, as well as from Apple’s Support Downloads page.
The Snow Leopard update patches thirty bugs, all of which could cause the following:
Visiting a web page containing a maliciously crafted untrusted Java applet may lead to an unexpected application termination or arbitrary code execution with the privileges of the current user.
The Leopard version of the update fixes sixty bugs, many of them the same ones, with the same potential impact.
The updates are 78 and 122 MB respectively.