Apple patches Java hole that was being used to compromise Mac users

Filed Under: Apple, Featured, Java, Malware, Oracle, OS X, Vulnerability

After leaving Mac users vulnerable for more than six weeks, Apple has finally released a new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion).

This release comes quickly on the heels of an in-the-wild exploit actively targeting Mac users, in one of the first cases of drive-by exploitation we have seen for OS X.

Today's release updates Java to version 6 update 31 which Oracle released for Windows, Linux and Unix on February 14th.

This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public-facing image of being invulnerable is the prevailing attitude within the company.

Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly.

If you are running Snow Leopard, upgraded from Snow Leopard to Lion or installed the Java add-on for Lion, be sure to click the Apple icon in the upper-left corner and choose Software Update. Lion does not ship with Java by default on new installations, but many have chosen to install it anyway.

Lion users will see "Java for OS X 2012-001" and Snow Leopard users will see "Java for Mac OS X 10.6 Update 7" in the software updater.

To check which version of Java you currently have installed open Terminal and type "java -version". You should see "java version 1.6.0_31" if you have upgraded successfully.
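The version check above is easy to do by hand on one Mac, but if you have to confirm it across a team the parsing is worth scripting. The following POSIX shell script is an added example and not part of the original article or any Sophos tool; it reads the first line of "java -version" (which Java prints to stderr, hence the redirection) and reports whether the installed Java 6 is at update 31 or later. The function names and the "--check" argument are my own choices.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether the installed
# Java 6 is at least update 31, the level Apple shipped in this patch.
# Usage:  sh check_java.sh --check

# java_update_level: given the first line of `java -version` output, print the
# update number, e.g. "31" for the line  java version "1.6.0_31"
# Prints nothing if the line is not a Java 1.6.0_NN version string.
java_update_level() {
    printf '%s\n' "$1" | sed -n 's/^java version "1\.6\.0_\([0-9][0-9]*\)".*$/\1/p'
}

# java6_is_patched: return 0 if the version line is Java 6 at update 31 or
# later, 1 otherwise (an older update, or a string that is not Java 6 at all
# and therefore needs a manual look rather than a silent pass).
java6_is_patched() {
    upd=$(java_update_level "$1")
    [ -n "$upd" ] && [ "$upd" -ge 31 ]
}

# check_installed_java: run the real `java -version` on this machine and
# print a one-line verdict. Return 0 = patched, 1 = not patched or
# unrecognised, 2 = no java binary on PATH (not installed or disabled).
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "java not found on PATH (Java is not installed or is disabled)"
        return 2
    fi
    # `java -version` writes to stderr, so merge it into stdout before reading.
    line=$(java -version 2>&1 | head -n 1)
    if java6_is_patched "$line"; then
        echo "OK: $line (Java 6 update 31 or later)"
        return 0
    fi
    echo "NOT PATCHED or unrecognised: $line"
    return 1
}

# Only touch the real system when explicitly asked, so the functions above can
# also be sourced and reused from another script.
case "${1:-}" in
    --check) check_installed_java ;;
esac
```

A version string from Java 7 or a non-Apple JDK does not match the 1.6.0_NN pattern and is reported as unrecognised rather than passed; that is deliberate, since the article is about the Apple-shipped Java 6 build and anything else should be reviewed by hand.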

Another option is to remove Java entirely, or to disable it. Most Mac users don't need Java to work and surf in the year 2012. The guys at Rapid 7 have put together a short video showing how to do this on their blog.

Users of older versions of OS X (10.5 and earlier) should immediately disable the Java plugin as Apple does not appear to be shipping further updates to Java on these platforms.

Of course you should also run anti-virus on your Mac, and Sophos Anti-Virus for Mac Home Edition is free for non-commercial use.

Why not load it to be sure your Mac stays clean from Mac, Windows and Linux nasties? Think of it as a safety net just in case cybercriminals continue to target the growing OS X user population.


15 Responses to Apple patches Java hole that was being used to compromise Mac users

  1. Colin · 848 days ago

    Lots of links here - but not the important one to the Apple download page!

  2. Nicole · 848 days ago

    No update showing up --- what about Chrome users...? In the meantime -- disabling all my plug-ins -- just had to nuke 2 sticks of RAM --- in October build MBP

  3. I wonder why Apple does not let users update via the Get Java website. It is more efficient than updating yourself.

  4. Finally, 1.6.31. Mac users in corporate settings often don't have the option of removing Java. Unpatched Java (and Flash and Reader) are getting major attention because they are our prime malware vectors.

    And what of the future of OpenJava on Mac? Is it coming with Mountain Lion?

  5. Finally, I'm waiting for this patch; I could safely use Java again now without disabling it.

  6. Oh look, a plug for... wait for it... Sophos Anti-Virus software. What a surprise! Thanks for the major anti-Apple tone in your post, though, Chester. I suppose it's fresher than bashing Microsoft, whose security track record is absolutely atrocious.

  7. Nigel · 846 days ago

    Oh look, it's another...wait for it...anti-Sophos troll. What a surprise!

    There's no anti-Apple tone in Chet's article. I see a question wondering whether Apple takes security as seriously as it should. That's an eminently reasonable question, considering the fact that Apple didn't issue a patch for the Java flaw until SIX WEEKS after the first exploits began to appear. (For the record, the oldest of the twelve vulnerabilities addressed in the April 3, 2012 OS X Java patch was CVE-2011-3563, registered on 2011-09-16.) Evidently such questioning does not pass muster with the Londonblue Brain Police.

    It's laughable that your post bashes Sophos for promoting its FREE Sophos AV for Mac software. Yeah...those greedy bastidges at Sophos. How dare they promote their free (and very effective, I might add) software on their own security blog!

  8. AppleHater · 846 days ago

    Idiots. You're not gonna get viruses or malware cause it's Apple, and you press it as being the absolute fact. And here you are. Now let's see how you handle it. Microsoft is pretty good at it for doing it for a long time, let's flip the tables and see how you handle it.

  9. Player_16 · 845 days ago

    "The guys at Rapid 7 have put together a short video showing how to do this on their blog."

    Charming. You direct us to this site and what are we confronted with... a Flash video.

    Nice.

  10. elliottrichmond · 845 days ago

    Thanks for this, I've been away for a few days; it's amazing how things can change so quickly, right!

  11. Rob Knight · 843 days ago

    Can you tell me if the Sophos software will detect the malware once it is installed? I have not installed it on my Mac, but others on my team have and it would be much easier to tell them to run a system scan than to run Terminal commands.

    • Chester Wisniewski · 843 days ago

      Yes, we detect the exploit itself and all known payloads.

      • Rob Knight · 843 days ago

        Thank you for the timely response, Chester! Much appreciated.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.