After leaving Mac users vulnerable for more than six weeks, Apple has finally released a new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion).
This release comes quick on the heels of an in-the-wild exploit actively targeting Mac users, in one of the first cases of drive-by exploitation we have seen for OS X.
Today’s release updates Java to version 6 update 31 which Oracle released for Windows, Linux and Unix on February 14th.
This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public facing image of being invulnerable is the prevailing attitude within the company.
Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly.
If you are running Snow Leopard, upgraded from Snow Leopard to Lion or installed the Java add-on for Lion, be sure to click the Apple icon in the upper-left corner and choose Software Update. Lion does not ship with Java by default on new installations, but many have chosen to install it anyway.
Lion users will see “Java for OS X 2012-001” and Snow Leopard users will see “Java for Mac OS X 10.6 Update 7” in the software updater.
To check which version of Java you currently have installed open Terminal and type “java -version”. You should see “java version 1.6.0_31” if you have upgraded successfully.
Another option is to remove Java entirely, or to disable it. Most Mac users don’t need Java to work and surf in the year 2012. The guys at Rapid 7 have put together a short video showing how to do this on their blog.
Users of older versions of OS X (10.5 and earlier) should immediately disable the Java plugin as Apple does not appear to be shipping further updates to Java on these platforms.
Of course you should also run anti-virus on your Mac, and Sophos Anti-Virus for Mac Home Edition is free for non-commercial use.
Why not load it to be sure your Mac stays clean from Mac, Windows and Linux nasties? Think of it as a safety net just in case cybercriminals continue to target the growing OS X user population.
Lots of links here – but not the important one to the Apple download page!
At the time the article was written, Apple hadn't released a patch. I'm glad to see that they have now done something about this vulnerability.
Chet Wisniewski has since written about the patch here: http://nakedsecurity.sophos.com/2012/04/04/apple-…
Thanks for setting me right. Now downloading. CC
no update showing up — what about Chrome users… ? in the mean time — disabling all my plug-ins — Just had to nuke 2 sticks of ram — in October build mbp
I wonder why Apple does not let users update via the get Java website. It is more effecient than updating yourself.
Finally, 1.6.31. Mac users in corporate settings often dont have the option of removing Java. Unpatched Java (and Flash and Reader) are getting major attention because they are our prime malware vectors.
And what of the future of OpenJava on Mac? Is it coming with Mountain Lion?
Finally i'm waiting for this patch, i could safely using java again now without disable it.
Oh look, a plug for… wait for it… Sophos Anti-Virus software. What a surprise! Thanks for the major anti-Apple tone in your post, though, Chester. I suppose it's fresher than bashing Microsoft, whose security track record is absolutely atrocious.
Oh look, it's another…wait for it…anti-Sophos troll. What a surprise!
There's no anti-Apple tone in Chet's article. I see a question wondering whether Apple takes security as seriously as it should. That's an eminently reasonable question, considering the fact that Apple didn't issue a patch for the Java flaw until SIX WEEKS after the first exploits began to appear. (For the record, the oldest of the twelve vulnerabilities addressed in the 2012, April 3 OS X Java patch was CVE-2011-3563, registered on 2011-09-16.) Evidently such questioning does not pass muster with the Londonblue Brain Police.
It's laughable that your post bashes Sophos for promoting its FREE Sophos AV for Mac software. Yeah…those greedy bastidges at Sophos. How dare they promote their free (and very effective, I might add) software on their own security blog!
Idiots. You're not gonna get viruses or malware cause it's Apple, and you press it as being the absolute fact. And here you are. Now let's see how you handle it. Microsoft is pretty good at it for doing it for a long time, let's flip the tables and see how you handle it.
"The guys at Rapid 7 have put together a short video showing how to do this on their blog."
Charming. You direct us to this site and what are we confronted with… a Flash video.
Nice.
Thanks for this, I've been away for a few days, its amazing how things can change so quickly, right!
Can you tell me if the Sophos software will detect the malware once it is installed? I have not installed it on my Mac, but others on my team have and it would be much easier to tell them to run a system scan than to run Terminal commands.
Yes, we detect the exploit itself and all known payloads.
Thank you for the timely response, Chester! Much appreciated.