Apple Issues Fix for Zero-Day Vulnerability in OS X
The Java vulnerability discovered in August has prompted Apple to issue their own patch for Mac OS X customers. According to this security announcement, the free update for Java for OS X 2012-005 and Java for Mac OS X 10.6 in all Mac OS versions from Snow Leopard to date is available immediately.
The company decided to release its own patch for the Java 0-day vulnerability discovered in August. The fix is therefor available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, OS X Mountain Lion 10.8 or later.
Particularly important is that these Java updates are designed to configure Mac users’ web browsers so they won’t automatically run Java applets, but rather inform users which page requires Java and mark the placeholder as “Inactive plug-in” on a web page. If the user trusts the content, they have to click it to activate it.
Apple’s take on restricting the execution of Java content by default, along with the note that “developers should not rely on the Apple-supplied Java runtime being present in future versions of OS X” is another warning sign that the Cupertino-based vendor has had enough from third-party plug-ins. In April, OS X customers were hit by the Flashback Trojan, a piece of malware that also exploited a mega-flaw in Java and that is still affecting users who haven’t updated their vulnerable build.
Apple informs its users that “updating to Java version 1.6.0_35” is “an opportunity for security-in-depth hardening” and for details redirects them also to Oracle’s official webpage hosting a recently released emergency security patch for the controversial CVE-2012-4681 vulnerability and two others in Java 7 running in web browsers on desktops.
Standalone Java desktop applications and Java running on servers were not vulnerable.
Apple officials note that Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 “may be obtained from the Software Update pane in System Preferences, or Apple’s Software Downloads web site: http://www.apple.com/support/downloads/” while further “information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222”.