Posts Tagged: os x

Feb 13

Critical Java Update Fixes 50 Security Holes

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchers have shown that the new feature can be easily bypassed.


Sep 12

Apple Releases Fix for Critical Java Flaw

Apple has issued an update for Mac OS X installations of Java that fixes at least one critical security vulnerability in the software.

If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.

Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.

Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for an extended period of time.

Update, 8:14 p.m.: It looks like I may have misread Apple’s somewhat hazy advisory, which appears to state that this update addresses CVE-2012-4681, the Java flaw that was recently spotted in increasingly widespread attacks against Java 7 installations on Windows. Upon closer inspection, it looks like this patch applies just to CVE-2012-0547. The above blog post has been changed to reflect that. In any case, Mac users should not delay in updating (or better yet, removing) Java.


Jun 12

Apple, Oracle Ship Java Security Updates

There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.

I’ve taken Apple to task several times for its unacceptable delays in patching Java vulnerabilities. Oracle is the official producer of Java, but Apple maintains its own version, and it has consistently lagged months behind Oracle in fixing security bugs. This failure on Apple’s part finally caught up with Mac OS X users earlier this year and turned into a major embarrassment for Apple, when the Flashback malware infected more than 650,000 Mac systems using a vulnerability that Oracle (but not Apple) had patched roughly two months earlier.

Well, it seems that Apple learned a thing or two from that incident. The update Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fixes at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it.

Regardless of which operating system you use, if you have Java installed, I would advise you to update it, neuter it or remove it as soon as possible. The reason I say this is that Java requires constant patching, and it appears to be the favorite target of attackers these days.

Nov 10

OS X Patch Catch-Up

Apple recently released a massive update to address at least 130 security vulnerabilities in Mac OS X systems, including a monster patch that fixes 55 flaws in Adobe Flash Player.

The seventh major update to OS X this year includes a fix that stems from a vulnerability Apple patched in the iPhone earlier this year but apparently never scrubbed on OS X. According to security vendor Core Security — which said it released details about the flaw ahead of Apple’s advisory after waiting nearly three months for Apple to fix it — the vulnerability is a variation of the flaw exposed this summer that helped iPhone users jailbreak devices running iOS4. Apple fixed that bug in the iPhone shortly after the exploit was released, but until last week the flaw remained a weak spot in OS X 10.5/Leopard systems, Core said.


Mar 10

Monster Mac OS X Update

Apple released a software update on Monday that includes fixes for a massive number of security vulnerabilities in Mac OS X and associated software.

The update corrects more than 90 security flaws and weaknesses in a variety of Apple and third-party products included in versions of OS X, such as ClamAV, Firewall, iChat, Mail, PHP and QuickTime.

Updates are available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2, through Software Update or via Apple Downloads. You might want to schedule the download when you have some time to be away from the computer: Depending on which version you’re downloading, the size of the update may weigh in at more than 750 megabytes.