• Java 7 Security Issue Poses a Risk to Mac Users

    Shortly after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. An issue of Krebs on Security highlighted the case noting that it affects all versions of Java 7 on most browsers. The following was mentioned in the issue:

    News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

    Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
    It was noted that Oracle seems to be moving to a quarterly update cycle for Java, meaning that the next regularly scheduled update to Java SE 7 isn't planned until October, but it is unclear how quickly the company will look to address this issue. Meanwhile, security experts are developing an unofficial patch, and users are currently being advised to simply disable Java if they don't need it active on their systems. The folks over at Computerworld reported that the issue does affect fully updated Macs running Java 7 on top of OS X Mountain Lion. The issue was found in both Safari 6 and Firefox 14, leaving both vulnerable on OS X systems.

    Issues such as this one aren't the only known Java vulnerabilities: Apple previously dealt with the Flashback malware, which was able to infect over 600,000 Macs by taking advantage of a vulnerability in Java 6. Incidents such as this one caused Apple to shift responsibility for Java updates to Oracle, a move which is said to take place with Java 7. Despite the change, and although Mac users will now begin to receive Java updates along with users on other platforms, Java remains one of the highest-profile targets for attackers who seek to compromise systems on a broad basis.

    One thing that should be pointed out is that most Mac users are currently not susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac systems continues to be Java 6 for the time being, so users would have to manually update to Java 7 in order to become vulnerable to the issue. The takeaway here is: don't update until further notice!

    Source: Computerworld, KrebsonSecurity
    This article was originally published in forum thread: Java 7 Security Issue Poses a Risk to Mac Users, started by Akshay Masand
    Comments: 1 Comment
    1. dxe -
      I just verified my Mountain Lion iMac - it does indeed have Java 6 on it