Apple patches the Java hole its own developers fell into - eventually

Filed Under: Apple, Featured, Java, Vulnerability

Shortly after admitting that its own techies got infected thanks to a Java hole, Apple has pushed out a Java update for the rest of us.

Bit of a pity that the Fruity Ones didn't do this back at the beginning of February, when Oracle's emergency "pre-Patch-Tuesday" update came out to fix the hole that Apple is only now closing off.

→ Curiously, Cupertino did push out a patch early in February, but only for OS X 10.6 users. Lion and Mountain Lion users have been in limbo until now.

Apple therefore bumps its Java distribution from 1.6.0_37 to 1.6.0_41, leapfrogging OS X 10.7 and 10.8 users past 1.6.0_39 entirely (the even numbers weren't used for official releases).

This re-aligns Apple's version with Oracle's own recent patch, which came out on 19 February 2013 as scheduled.
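As an added example (not code from the article or from Apple), a small POSIX shell check that parses the text printed by `java -version` and reports whether the Java 6 runtime it describes is at or past 1.6.0_41, the update level this post says Apple has now shipped; the sample outputs below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: is the reported Apple Java 6 runtime at or past 1.6.0_41?

# Pull "1.6.0_NN" out of the first `java version "..."` line of the output.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 if the version is a Java 6 build at or past update 41, 1 if it is an
# older Java 6 build, 2 if it is not a 1.6.0_NN string (other major versions
# are outside this post's scope, so they are reported as "unknown").
is_patched_java6() {
    ver="$1"
    case "$ver" in
        1.6.0_*) upd="${ver#1.6.0_}" ;;
        *)       return 2 ;;
    esac
    case "$upd" in
        ''|*[!0-9]*) return 2 ;;   # update part must be a plain number
    esac
    [ "$upd" -ge 41 ]
}

# Turn an exit status into a one-line verdict for a report or inventory script.
verdict_for_output() {
    ver=$(java_version_string "$1")
    rc=0
    is_patched_java6 "$ver" || rc=$?
    case "$rc" in
        0) echo "$ver: patched (>= 1.6.0_41)" ;;
        1) echo "$ver: needs the 1.6.0_41 update" ;;
        *) echo "${ver:-<no version line>}: not a Java 6 build, check separately" ;;
    esac
}

# Constructed sample outputs in the shape `java -version` prints to stderr.
SAMPLE_OLD='java version "1.6.0_37"
Java(TM) SE Runtime Environment'
SAMPLE_NEW='java version "1.6.0_41"
Java(TM) SE Runtime Environment'

verdict_for_output "$SAMPLE_OLD"
verdict_for_output "$SAMPLE_NEW"
```

On a live machine, feed it the real output with `verdict_for_output "$(java -version 2>&1)"`; note that `java -version` writes to stderr, hence the redirection.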

Both Facebook and Apple have now admitted to being owned due to malicious Java code hosted inadvertently by a website popular with mobile developers.

Twitter, too, recently admitted to a breach; it didn't say how the breach happened, but suggestively invited everyone to turn off Java in their browser as part of its official statement.

The smart money, then, is that Twitter fell into the same hole as Facebook and Apple.

No-one quite seems to know where this attack, or series of attacks, came from.

Bloomberg offers speculation that "the hackers are a criminal group based in Russia or Eastern Europe."

Reuters quotes an expert who alludes to China as a possible source, but at least has enough perspicacity to mention that "there was no proof."

It doesn't really matter where the attacks came from if you've already followed the advice we've been trotting out since last year to turn Java off in your browser.

That stops dodgy Java applets from anywhere on the web from playing havoc with your computer, whether you're running Windows, OS X, Linux or any other operating system on which Java is supported.

It's telling, perhaps, that Apple, with this most recent update, seems to have washed its hands permanently of browser-based Java.

As its own update notification (see above) points out:

This update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.

I wonder how many Apple programmers will tempt their employer's wrath by reaching out to Oracle to re-enable Java in their browsers?


One Response to Apple patches the Java hole its own developers fell into - eventually

  1. curious · 413 days ago

    Could you do a post, perhaps, if you haven't yet, on the problems between the statements of the ANZ bank, online, and the fact that they need Java to be read, and the fact that they can't seem to be read on a Mac with those with the most up to date Mac operating system?
    Am wary of upgrading to Mountain Lion due to this, and also of disabling Java. Maybe the sites I've been reading are out of date, and it's now fixed, but I'd like some insight.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog