Apple releases Java update with 12 security fixes

04 April 2012

Apple has shipped Java updates for its Mac operating systems carrying 12 security fixes, including one that closes the hole exploited by a recent variant of the Flashback malware.

Specifically, the updates are Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. Apple cautioned that “visiting a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”

That is exactly how the recent Flashback variant gains control of a machine, noted Intego’s Mac Security blog.
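The first thing an administrator wants after an advisory like this is a quick check of whether the runtime on a machine is already at the fixed build. The script below is an added example, not code from the article, Apple or Intego. It assumes the Java SE 6 build delivered by these two updates is 1.6.0_31 (the figure comes from Apple’s advisory for the updates, not from this page), parses the first line of `java -version` output, and classifies it as patched, vulnerable, or unparseable. The sample version strings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the article): report whether a Java SE 6 build is at
# or past the build shipped by Apple's 04 April 2012 Java updates.
# Assumption: those updates deliver Java SE 6 1.6.0_31 (from Apple's advisory).
PATCHED_MAJOR=6
PATCHED_UPDATE=31

# java_parts LINE: from a line such as  java version "1.6.0_29"  print
# "<major> <update>", e.g. "6 29". Returns 1 if the line has no 1.x.y_u version.
java_parts() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9.]*_[0-9]*\)".*/\1/p')
    [ -n "$v" ] || return 1
    major=${v#1.}
    major=${major%%.*}
    update=${v##*_}
    printf '%s %s\n' "$major" "$update"
}

# java_is_patched LINE: exit 0 if at/after the fixed build, 1 if older,
# 2 if the version string could not be parsed (e.g. post-Java-8 formats).
java_is_patched() {
    parts=$(java_parts "$1") || return 2
    set -- $parts
    major=$1
    update=$2
    [ "$major" -gt "$PATCHED_MAJOR" ] && return 0
    [ "$major" -eq "$PATCHED_MAJOR" ] && [ "$update" -ge "$PATCHED_UPDATE" ] && return 0
    return 1
}

# check_installed_java: run the real binary if one is on PATH and print a verdict.
# Always returns 0 so it can be used under 'set -e'.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java binary on PATH: nothing to patch"
        return 0
    fi
    line=$(java -version 2>&1 | head -n 1)
    rc=0
    java_is_patched "$line" || rc=$?
    case $rc in
        0) echo "OK: $line" ;;
        1) echo "VULNERABLE: $line (older than 1.${PATCHED_MAJOR}.0_${PATCHED_UPDATE})" ;;
        *) echo "could not parse version: $line" ;;
    esac
    return 0
}

check_installed_java
```

The check only covers the runtime that `java -version` reports; it says nothing about whether a browser plugin is enabled, which is the path the drive-by applet actually uses, so treat a "VULNERABLE" verdict as a reason to install the update and an "OK" verdict as necessary but not sufficient.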

“Java is quickly becoming a new vector of attack for malware, and the Flashback malware has notably used Java in several different ways, taking advantage of known or unpatched vulnerabilities to get through a Mac’s defenses”, the blog warned.

“Java applets are not affected by Mac OS X’s quarantine system. This means that Mac users do not get a warning dialog when Java applets are downloaded as objects in a web page. This also gets around Apple’s XProtect malware scanning system, which does not scan objects in web pages”, it added.

Sophos researcher Chester Wisniewski criticized Apple for taking six weeks to plug the Java security hole after Oracle had already fixed it in its own Java release.

“This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public facing image of being invulnerable is the prevailing attitude within the company. Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly”, he wrote on Sophos’s Naked Security blog.
