September 5, 2012

Apple has issued an update for Mac OS X installations of Java. According to Apple’s advisory, the update addresses CVE-2012-0547 by moving the Apple-supplied Java 6 runtime to version 1.6.0_35. Oracle classifies that CVE as a defense-in-depth hardening rather than a directly exploitable flaw, which is a reason to install it rather than skip it: hardening of this kind is meant to make other Java bugs harder to exploit.

If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.

Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.

Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for an extended period of time.
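If you would rather verify the state of a Mac from a terminal than trust the Software Update dialog, the following POSIX shell script is an added example (not from this post or from Apple) that reads the `java -version` banner and reports whether the runtime on PATH is at or above 1.6.0_35, the version Apple’s advisory names for this update. It assumes Apple’s bundled Java 6; a self-installed Oracle Java 7 is a separate product that this Apple update does not touch, so the script reports it as out of scope rather than as patched. The function names (`parse_java_version`, `java_is_patched`, `check_installed_java`) are my own.

```shell
#!/bin/sh
# Added example, not from the post or from Apple: check the Java on PATH
# against the version named in Apple's advisory for this update (1.6.0_35).
# Assumption: the machine runs Apple's Java 6. Oracle's Java 7 is a separate
# product and is not covered by this Apple update, so it is reported as such.

PATCHED_JAVA="1.6.0_35"

# Pull the bare version string out of a `java -version` banner read on stdin.
# Handles both the 2012-era form  (java version "1.6.0_35")
# and the newer OpenJDK form      (openjdk version "17.0.2" 2022-01-18).
parse_java_version() {
    sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_is_patched VERSION: exit 0 if VERSION >= PATCHED_JAVA, 1 otherwise.
# Versions are split on "." and "_" and folded into one number so that
# 1.6.0_35 > 1.6.0_9, which a plain string comparison would get wrong.
java_is_patched() {
    printf '%s\n%s\n' "$1" "$PATCHED_JAVA" | awk -F'[._]' '
        { v[NR] = $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4 }
        END { exit !(v[1] >= v[2]) }'
}

# java_major_minor VERSION: "1.6.0_35" -> "1.6"; used to spot a non-Apple runtime.
java_major_minor() {
    printf '%s' "$1" | awk -F'[._]' '{ printf "%s.%s", $1, $2 }'
}

# Report on the runtime actually on PATH. Exit status 1 only when an Apple
# Java 6 older than PATCHED_JAVA is found; everything else is 0.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH: nothing to update (and nothing for an applet to exploit)"
        return 0
    fi
    ver=$(java -version 2>&1 | parse_java_version)
    # On Lion/Mountain Lion without Java, the java stub prints an install
    # prompt instead of a banner, so no version can be parsed.
    if [ -z "$ver" ]; then
        echo "could not parse a version from 'java -version' (Java probably not installed)"
        return 0
    fi
    if [ "$(java_major_minor "$ver")" != "1.6" ]; then
        echo "Java $ver is not Apple's Java 6; this Apple update does not apply to it"
        return 0
    fi
    if java_is_patched "$ver"; then
        echo "Java $ver is at or above $PATCHED_JAVA: patched"
        return 0
    fi
    echo "Java $ver is older than $PATCHED_JAVA: run Software Update"
    return 1
}

check_installed_java
```

The version comparison is done numerically on purpose: Java update numbers run past 9 (and, in later releases, past 99), so comparing `1.6.0_35` with `1.6.0_9` as strings would call the older one newer. A nonzero exit only for the "Apple Java 6, too old" case makes the script usable from a fleet-inventory job that collects exit codes.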

Update, 8:14 p.m.: It looks like I may have misread Apple’s somewhat hazy advisory. Its “further information” link points at Oracle’s alert for CVE-2012-4681, the Java flaw that was recently spotted in increasingly widespread attacks against Java 7 installations on Windows, but the CVE-ID the advisory actually lists is CVE-2012-0547. So this patch applies just to CVE-2012-0547, and the post above has been changed to reflect that. In any case, Mac users should not delay in updating (or better yet, removing) Java.

If you don’t really need Java, remove it from your system. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, Safari, etc.) with Java enabled to browse only the site that requires it. For browser-specific instructions on disabling Java, click here.


16 thoughts on “Apple Releases Fix for Critical Java Flaw”

  1. Greg

    Brian,

    I’m on it. I knew I subscribed to your updates for a reason.

    Thanks.

    1. Brian Krebs

From Apple’s emailed advisory:

      —–BEGIN PGP SIGNED MESSAGE—–
      Hash: SHA1

      APPLE-SA-2012-09-05-1 Java for OS X 2012-005 and
      Java for Mac OS X 10.6 Update 10

      Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 are now
      available and address the following:

      Java
      Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
      OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
      OS X Mountain Lion 10.8 or later
      Description: An opportunity for security-in-depth hardening is
      addressed by updating to Java version 1.6.0_35. Further information
      is available via the Java website at
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
      CVE-ID
      CVE-2012-0547

      1. Rick Zeman

        I’m trying something new: seeing how long I can go before I install Java into my Mountain Lion installation. So far, it’s been two months and there’s only been one need (the LivePhish music downloader), and they have a non-java version.
        Now if I can dump Flash…

      2. Jose M

I think Bill Johnson is right; CVE-2012-4681 is not reported to only be an issue with Java SE 7.

        OSX ships with Java SE 6, which shouldn’t be vulnerable.

        I’m not sure how Brian’s repost of the advisory changes this fact?

  2. Greg

    I simply updated (Java and a pending OSX security fix).

    I’ll leave the minor quibbling to those who are qualified to do so. 🙂

  3. Robert

I have had my iMac since 2007. When I purchased it I knew that it would only be a matter of time before the “uninterested” would become “interested” in hacks and exploits against Apple products.

    My advice…patch/update…whenever necessary!

  4. Greg

    Agreed.

    I’ve had my MBP since 2009. I run both OSX Snow Leopard and Windows XP (for work).

So much of what I do is in this device it’s “sick”. Programming, Web design, Music (reading this blog). I suppose it’s the same for a lot of people.

    Backups are golden.

    1. Bill Johnson

I recommend against running Snow Leopard. It lacks many security features found in Mountain Lion.

  5. Stuart

    Just to be extra clear, Oracle assigned CVE-2012-0547 to a “defense-in-depth” improvement. It is not actually a vulnerability, but it may prevent other vulnerabilities from being exploited.

  6. Bruce

Brian: Would you comment on the relationship and relative risk of JavaScript vs. Java in browsers please. I have Java disabled in the browser but JavaScript partially enabled.

    1. BrianKrebs Post author

It is not hard to browse the web without Java. It is harder to browse without Javascript. Javascript is a very powerful scripting language used on many sites. It is often difficult to watch videos on the web without enabling Javascript, and many forms and other types of interactive features won’t work unless you selectively or wholesale enable scripting for a site.

But browsing the web with Javascript full on is a recipe for disaster, because of all the things that Javascript can be made to do in the hands of bad guys who like to plant nasty scripts at hacked/legitimate sites. So, your best bet is to use a script blocking function that lets you select which scripts per site you want to run. This takes a bit of getting used to, and some people really can’t deal with it, but I’ve found that using NoScript on Firefox and NotScripts on Chrome (or even Google’s built-in script-blocking feature) isn’t that much trouble and saves me from a lot of danger.

      Also, since most Java applets require some type of scripting to run, script-blocking programs like those mentioned should block the automatic running of Java applets unless you enable that site to run scripts.

      1. Kbarb

        I’m glad someone asked that question actually . . .

Before I understood the difference, and when I first started reading the warnings here about Java, I used to wonder . . . so “disable Java” – does that also mean Javascript is disabled? Are they interrelated somehow, or does one affect the other?
Which plugin disables what?
        So I just put off the disabling until I had time to figure it out.

After doing the Google search “java vs javascript” I got it.
        But remember, we’re all beginners at some point.
        People might be just arriving on krebsonsecurity and have the same confusion but be afraid to ask.

        So I was thinking it might be helpful for the parts in the Java articles where you eventually recommend disabling Java, to routinely tack on a very short note that Java and Javascript are completely different animals, and perhaps why. I think you’ve done that a bit actually.

        = = =

Here are a few copy & pastes:

        https://developer.mozilla.org/en-US/docs/JavaScript/A_re-introduction_to_JavaScript?redirectlocale=en-US&redirectslug=A_re-introduction_to_JavaScript

        “It’s useful to start with an idea of the language’s history. JavaScript was created in 1995 by Brendan Eich, an engineer at Netscape, and first released with Netscape 2 early in 1996. It was originally going to be called LiveScript, but was renamed in an ill-fated marketing decision to try to capitalize on the popularity of Sun Microsystem’s Java language — despite the two having very little in common. This has been a source of confusion ever since.”

        http://stackoverflow.com/questions/245062/whats-the-difference-between-javascript-and-java

“JavaScript is an object-oriented scripting language that allows you to create dynamic HTML pages, allowing you to process input data and maintain data, usually within the browser.

        Java is a programming language, core set of libraries, and virtual machine platform that allows you to create compiled programs that run on nearly every platform, without distribution of source code in its raw form or recompilation.

        While the two have similar names, they are really two completely different programming languages/models/platforms, and are used to solve completely different sets of problems.”

For a more detailed explanation:
        http://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm

        But as Brian notes :
“It is not hard to browse the web without Java. It is harder to browse without Javascript.”

  7. Kbarb

    Also, for the disabling on the fly . . . .

    I found NoScript to be just too much of a hassle – I never had time to get efficient with it.

    So I’m trying the QuickJava extension for Firefox.
    https://addons.mozilla.org/en-US/firefox/addon/quickjava/

    “Allows quick enable and disable of Java, Javascript, Cookies, Image Animations, Flash, Silverlight, Images, Stylesheets and Proxy from the Statusbar and/or Toolbar.”

    You get 8 buttons in the Add-On bar, where you can click disabling buttons for Javascript, Java, etc, on-the-fly.

    That probably isn’t going to help for a legitimate but infected site, unless you’ve disabled things ahead of time.
    In that vein, via QuickJava I have Java permanently disabled.

    But if you were going to a site that you had a hunch was suspicious, you could disable a lot of things ahead of time.
    Of course it’s not always that straightforward.

    Perhaps someone more expert than I will have a better approach.

  8. Bruce

    Thanks for your replies, I do understand the basics now and am trying QuickJava on several machines at home. I have not yet resolved the best solution for our family machine in the kitchen used by many. I do like QuickJava for myself.
