Sophos Cloud Optix
Shortly after admitting that its own techies got infected thanks to a Java hole, Apple has pushed out a Java update for the rest of us.
Bit of a pity that the Fruity Ones didn’t do this back at the beginning of February, when Oracle’s emergency “pre-Patch-Tuesday” update came out to fix the hole that Apple is only now closing off.
→ Curiously, Cupertino did push out a patch early in February, but only for OS X 10.6 users. Lion and Mountain Lion users have been in limbo until now.
Apple therefore bumps its Java distribution from 1.6.0_37 to 1.6.0_41, leapfrogging OS X 10.7 and 10.8 users past 1.6.0_39 entirely (the even numbers weren’t used for official releases).
This re-aligns Apple’s version with Oracle’s own recent patch, which came out on 19 February 2013 as scheduled.
Both Facebook and Apple have now admitted to being owned due to malicious Java code hosted inadvertently by a website popular with mobile developers.
Twitter, too, admitted to a breach recently, didn’t say how it happened, but suggestively invited everyone to turn off Java in their browser as part of its official statement.
The smart money, then, is that Twitter fell into the same hole as Facebook and Apple.
No-one quite seems to know where this attack, or series of attacks, came from.
Bloomberg offers speculation that “the hackers are a criminal group based in Russia or Eastern Europe.”
Reuters quotes an expert who alludes to China as a possible source, but at least has enough perspicacity to mention that “there was no proof.”
It doesn’t really matter where the attacks came from if you’ve already followed the advice we’ve been trotting out since last year to turn Java off in your browser.
That stops dodgy Java applets from anywhere on the web from playing havoc with your computer, whether you’re running Windows, OS X, Linux or any other operating system on which Java is supported.
It’s telling, perhaps, that Apple, with this most recent update, seems to have washed its hands permanently of browser-based Java.
As its own update notification (see above) points out:
This update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.
I wonder how many Apple programmers will tempt their employer’s wrath by reaching out to Oracle to re-enable Java in their browsers?
Could you do a post, perhaps, if you haven't yet, on the problems between the statements of the ANZ bank, online, and the fact that they need Java to be read, and the fact that they can't seem to be read on a Mac with those with the most up to date Mac operating system?
Am wary of upgrading to Mountain Lion due to this, and also of disabling Java. Maybe the sites I've been reading are out of date, and it's now fixed, but I'd like some insight.