Original URL: http://www.theregister.co.uk/2012/04/04/apple_java_update/
Apple plugs Java hole after Flashback Trojan intrusion
6 weeks after Microsoft machines are patched...
Posted in Security, 4th April 2012 16:17 GMT
Watch Now : Virtual Machine Movement with Hyper-V
Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan.
The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507 [1]) which was patched on Windows machines more than six weeks ago.
Apple's new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.
Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk. More discussion on the Apple Java security update, and the reasons users may want to disable Java in their browsers, can be found in a blog post by Chester Wisniewski on Sophos's Naked Security blog here [2].
In related news, Mozilla introduced changes in Firefox on Monday that will block [3] older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. "Blocklisting" forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.
Commentary on both the Apple update and the Mozilla plugin changes can be found in a blog post by Wolfgang Kandek, CTO at vulnerability scanning firm Qualys, here [4]. ®