Specifically, the updates are Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. Apple cautioned that “visiting a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”
This is the process that the recent variant of the Flashback malware uses to gain control of machines, noted Intego’s Mac Security blog.
“Java is quickly becoming a new vector of attack for malware, and the Flashback malware has notably used Java in several different ways, taking advantage of known or unpatched vulnerabilities to get through a Mac’s defenses”, the blog warned.
“Java applets are not affected by Mac OS X’s quarantine system. This means that Mac users do not get a warning dialog when Java applets are downloaded as objects in a web page. This also gets around Apple’s Xprotect malware scanning system, which does not scan objects in web pages”, it added.
Sophos researcher Chester Wisniewski criticized Apple for taking six weeks to plug the Java security hole.
“This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public-facing image of being invulnerable is the prevailing attitude within the company. Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear. Fortunately, once it became a problem the company responded quickly”, he wrote in a Naked Security blog.