Trusting the Oracle: Truth or Dare
It’s been claimed that Oracle has known since April about the latest Java vulnerabilities to which so many of us are exposed. Even if Oracle does actually step outside its patch cycle to provide remediation before October – which seems far from certain at the moment – that time lag should give pause to anyone who thinks that Java is a safe platform and that Oracle is a safe pair of hands. (As I commented to Infosecurity's Kevin Townsend here.)
 
There’s plenty of good advice about disabling Java in browsers – for instance from ESET’s Stephen Cobb and Techworld’s Lucian Constantin. But beyond that, where do Mac users stand?
 
Well, I have yet to see a report of any of the current rash of exploits being Mac-aware, though that can, of course, change. In fact, Mac-aware exploits may be likelier to be targeted (for instance, politically motivated) than to be the equivalent of (for instance) Blackhole attacks on Windows users.
 
Reportedly, users of OS X versions earlier than Lion are not vulnerable: Java 7 doesn’t run on them, and Java 6 doesn’t have these particular holes. Java isn’t distributed with Lion and Mountain Lion, but users of those versions shouldn’t consider themselves safe. Even if they haven’t installed Java themselves, it may have been installed when they accepted a prompt to install it so that a web page could run a Java applet, as Keizer suggests. In fact, it wouldn’t surprise me if some products and services have installed it silently, or at least inconspicuously.
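Since a Mac may have Java (and the browser plug-in) without its owner remembering having installed it, the practical check is to look rather than assume. The script below is an added example, not part of the original post or of any ESET or Oracle tooling. It assumes the usual locations: Apple's /usr/libexec/java_home helper, and the /Library/Internet Plug-Ins/JavaAppletPlugin.plugin bundle that the Oracle Java 7 installer uses for the browser plug-in. It also assumes the pre-Java-9 "1.x" version numbering, so "1.7.0_06" is Java 7. One deliberate caveat: on a Lion or Mountain Lion machine with no Java, simply running `java` can itself bring up Apple's install prompt, which is exactly the mechanism the post warns about, so the script only calls `java -version` after java_home reports a JVM.

```shell
#!/bin/sh
# Added example (not from the original post): find out whether this Mac has a
# Java runtime and a browser plug-in, and which Java family it is.
# Paths and the "1.x" version format are assumptions, not facts from the post.

# Print the major Java version (6, 7, ...) from the first line of
# `java -version`, e.g.  java version "1.7.0_06"  ->  7
# Prints nothing if the line does not look like a Java version string.
java_major_version() {
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9]*\)\.\([0-9]*\).*/\2/p'
}

# Classify a `java -version` line: "java7" is the family the post says the
# current exploits hit; "java6" does not have these particular holes.
classify_java() {
    case "$(java_major_version "$1")" in
        7)  echo "java7" ;;
        6)  echo "java6" ;;
        "") echo "unknown" ;;
        *)  echo "other" ;;
    esac
}

# Inspect an OS X machine. Checks the plug-in bundle and java_home first and
# runs `java -version` only if a JVM is actually installed, so that a
# Java-less Lion/Mountain Lion box is not nudged into installing one.
check_mac_java() {
    plugin='/Library/Internet Plug-Ins/JavaAppletPlugin.plugin'   # assumed path
    if [ -e "$plugin" ]; then
        echo "browser plug-in present: $plugin"
    else
        echo "no Java browser plug-in at $plugin"
    fi

    if [ -x /usr/libexec/java_home ] && /usr/libexec/java_home >/dev/null 2>&1; then
        # -V lists every installed JVM (it writes the list to stderr)
        /usr/libexec/java_home -V 2>&1 | sed 's/^/  jvm: /'
        first="$(java -version 2>&1 | head -n 1)"
        echo "java reports: $first -> $(classify_java "$first")"
    else
        echo "java_home found no installed JVM (java not called, to avoid the install prompt)"
    fi
}

# Only run the inspection on OS X; the helper functions work anywhere.
if [ "$(uname)" = "Darwin" ]; then
    check_mac_java
fi
```

If the script reports a Java 7 JVM or the plug-in bundle, that machine is in the exposed group regardless of whether anyone remembers installing Java, and the browser-disabling advice linked above applies to it.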