Mac malware exploits unpatched drive-by Java vulnerability

Filed Under: Apple, Featured, Java, Malware, Vulnerability

Mac and JavaMalware striking Mac computers is making the headlines again, this time exploiting a drive-by vulnerability in Java that has left Apple users dangerously exposed to attack.

The new Mac malware exploits a Java vulnerability (known as CVE-2012-0507), that Apple users are still not patched against.

Apple users won't feel any consolation at all in the knowledge that their Windows cousins have been protected against the flaw since February.

Sophos security products identify the various components of the Mac malware attack as Exp/20120507-A, Troj/JavaDl-JI, OSX/Dloadr-DMU and OSX/Flshplyr-B - intercepting the threat before it can compromise Mac owners' computers.

Once again, you're left to ponder whether having Java installed on your computer is really worth it. Having Java on your PC or Mac may help you run some archaic applications, but it can also dramatically widen the attack surface which hackers can exploit.

My advice is that if you have no real need for Java, remove it.

The latest version of Mac OS X (known as Lion), unlike earlier editions, does not include Java by default, meaning users are not at risk *unless* they have subsequently installed the software.

If you're not already doing so, run anti-virus software on your Macs. If you're a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

Update: Apple has now issued a patch which fixes the Java vulnerability for Snow Leopard and Lion users. Mac users who have Java installed are strongly recommended to install it.

, , , , , ,

You might like

15 Responses to Mac malware exploits unpatched drive-by Java vulnerability

  1. WhiteWinter · 1284 days ago

    Java is used for minecraft, so I wouldn't say it's as uncommon as people think.

  2. Linda Steers · 1284 days ago

    Does this effect both PowerPCs and the new Macs? I'm running Lion on a G5 - just need to know if I'm vulnerable.


    • Peter J Taylor · 1283 days ago

      I didn't know one could run OS 10.7 Lion on a PPC G5. I thought the highest OS was version 10.5.1 "Leopard". Can anyone confirm this?

      • Chester Wisniewski · 1283 days ago

        PPC Macs are totally unsupported by Apple for quite some time now. 10.5 is the latest to my knowledge.

        • Peter J Taylor · 1282 days ago

          Planned obsolescence, isn't it? Mine is six years old, and there's nothing wrong with it. I've changed my computers every seven years since 1985, and it's always cost me about a grand each time.
          We wouldn't be happy if our cars ceased to be supported by manufacturers at six years old, would we?

  3. Anon · 1284 days ago

    I have Sophos on my MacBook, but out of interest how do you remove Java - there doesn't appear to be a uninstall option. Thanks x

    • Jonny · 1284 days ago

      Internet plug-ins are stored in /Library/Internet Plug-Ins/

      If you follow the JavaAppletPlugin.plugin alias, it will lead you to /System/Library/Java

      Deleting that folder is the quick-and-dirty way of uninstalling Java. From Terminal, run:

      sudo rm -rf /System/Library/Java

      and then restart your computer.

  4. smone · 1284 days ago

    very very interesting that u would suggest to just uninstall java. i mean, its like the key cross platform language, and if any os is gunna be missing out on programs, its gunna be mac's. interesting that u think of it as so archaic, i mean, even minecraft is made in java

  5. Unjava · 1284 days ago

    How do I remove Java from my Snow Leopard computer, given that it's part of the "batteries included" of 10.6?

    Is removing it a good enough defense or will the next Mac software update reapply Java even if I don't want it back?

  6. Kai · 1284 days ago

    Funny enough, it seems like all you need to do to avoid an infection is disable Java Applets in your browser. For Firefox, you can use the NoScript extension to handle this. Safari has a checkbox in the security section of it's settings where you can do this. For Opera, look under "Content">>"Plugins", and yes you can achieve the same with Chrome too.

    Yes, Java Applets are a huge security risk, and Apples slow security update cycle is making the situation even worse. We should get rid of them as quick as possible. But disabling/uninstalling Java is IMHO the wrong answer, given the possibilities i pointed out above.

  7. I do believe that the advice to "remove it" can cause more problems than it solves for many users. Java is still a very widely supported language although if you do need the JRE Mac OSX will prompt you to install it. This problem stems from Apples abandonment of Java with Lion as updating Java for Mac without the Apple patch requires you compiling it yourself. Something many users will be unable to do. Or should the packaging of Java for Mac be picked up by Oracle which supply compiled files for all other major OS's?

    • Aurelio · 1281 days ago

      Oracle has already announced that it will take over producing Java for Mac. Latest news are that 7u4 -late April- will be the first Java release for Mac. It will be only the JDK not the JRE though -biggest difference is that applets and webstart won't be supported yet. Full support will happen in 7u6.

  8. gorgar · 1283 days ago

    What a dumb @ss comment, REMOVE JAVA indeed. There are programs that rely on java, Dreamweaver for instance. Mine became unresponsive when I mistakenly installed the patch while it was open. Then I got the blue screen of death. Scared the crap out of me. But the machine booted normally after a forced reset. I'd be very careful about removing it without considering all the ramifications. The fix is already in, apply the patch. My recommendation is to simply turn it off in your browsers, but don't expect a lot of websites to function correctly.

  9. Peter J Taylor · 1282 days ago

    I uninstalled Java on my OS 10.4.11 Desktop G5. Then when I wanted to use eBay it told me that eBay requires Javascript and will not function without it. It seems we're damned if we do, and damned if we don't!
    Surely computer operating system manufacturers who have built security deficiencies into their products should provide patches for them, going back to the year dot.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley