- This vulnerability affects: OS X 10.7.x (Lion) and 10.6.x (Snow Leopard)
- How an attacker exploits it: By enticing you to a website containing maliciously crafted Java code
- Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
- What to do: Install Java for OS X Lion 2012-001 or Java for OS X 10.6 Update 7 immediately, or let Apple’s updater do it for you.
Yesterday, Apple released an advisory describing a Java security update for OS X 10.6.x and 10.7.x. The update fixes 12 vulnerabilities in OS X’s Java components (number based on CVE-IDs).
Apple doesn’t describe each flaw in technical detail, but they do share the worst case impact. If an attacker can lure you to a website containing specially crafted Java code, he can exploit many of these vulnerabilities to execute code on your OS X computer, with your privileges.
This Apple update finally brings the Java updates Oracle released in February to OS X users. Unfortunately, attackers have already been exploiting one of these Java vulnerabilities against Mac users in the wild. A Mac trojan called Flashback has reportedly infected over 600,000 Macs, by leveraging one of these Java flaws (as well as a Flash vulnerability in the past). If you have any Mac computers in your organization, we highly recommend you install Apple’s OS X Java update immediately. You can also find instructions for checking your Mac for the Flashback malware here.
Solution Path:
Apple has issued Java for OS X Lion 2012-001 [dmg file] and Java for OS X 10.6 Update 7 [dmg file] to correct these flaws. If you manage OS X 10.6.x or 10.7.x computers, we recommend you download and deploy these updates immediately, or let OS X’s automatic Software Update utility install them for you.
For All WatchGuard Users:
Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most WatchGuard appliances automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.
Status:
Apple has released Java updates to fix these issues.
References:
- Apple’s OS X March Java advisory
- Apple software downloads
- Apple security updates