Apple Patches OS X Java Security Flaws


Apple recently released a Mac OS X update that patches 12 Java security flaws, including a vulnerability that was being actively exploited by the latest version of the Flashback Trojan.

"Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords," explains Krebs on Security's Brian Krebs. "Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here."

"The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago," writes The Register's John Leyden. "Apple's new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection."

As Sophos' Chester Wisniewski points out, the fact that Apple was slower than Microsoft to patch the flaw may lead some users wonder whether the company is taking security as seriously as it should. "Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear," he writes. "Fortunately, once it became a problem the company responded quickly."

Ultimately, most Mac users would be well advised to remove Java altogether. "Mac users and IT admins for Macs should review whether Java is actually needed for their usage," writes Qualys' Wolfgang Kandek. "If not Java can be disabled through the Java Preferences program, just uncheck both 64-bit and 32-bit versions."