08-28-2012, 04:59 PM #1
Java 7 Security Issue Poses a Risk to Mac Users
Shortly after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. An issue of Krebs on Security highlighted the case, noting that it affects all versions of Java 7 on most browsers. The following was mentioned in the issue:
News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.
Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
Issues such as this one aren't the only known Java vulnerabilities, as Apple previously dealt with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6. Incidents such as this one caused Apple to shift responsibility for Java updates to Oracle, a move which is said to take place with Java 7. Despite the change, while Mac users will now begin to receive Java updates along with other users on other platforms, Java still remains one of the highest-profile targets for attackers who seek to compromise systems on a broad basis.
One thing that should be pointed out is that most Mac users are currently not susceptible to the issue as Java 7 is not installed by default on Macs. The current version of Java installed on Mac systems continues to be Java 6 for the time being, so users would have to manually update to Java 7 in order to become vulnerable to the issue. The takeaway here is, don't update until further notice!
Source: Computerworld, KrebsonSecurity
08-28-2012, 06:39 PM #2
I just verified my Mountain Lion iMac - it does indeed have Java 6 on it.
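
The affected range given in the first post (Java 7 Update 0 through 6, with Java 6 and below not affected) and the kind of check described in the reply, as an added shell example that is not part of the original thread. `classify_java_banner` is a hypothetical helper, the sample banners are constructed, and versions the thread does not cover are reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example (not from the original thread). Range taken from the post:
# Java 7 Update 0 through 6 affected, Java 6 and below not affected.
# Anything outside that is reported as "unknown" rather than guessed.

classify_java_banner() {
    # $1: first line of `java -version`, e.g.  java version "1.7.0_06"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi

    # Legacy scheme: 1.<major>.<minor>[_<update>][-suffix]
    major=$(printf '%s\n' "$ver" | sed -n 's/^1\.\([0-9][0-9]*\)\..*/\1/p')
    if [ -z "$major" ]; then echo "unknown"; return 0; fi

    # "_06" -> 6 (leading zeros dropped); no "_NN" part means update 0.
    update=$(printf '%s\n' "$ver" | sed -n 's/^[^_]*_0*\([0-9][0-9]*\).*/\1/p')
    [ -n "$update" ] || update=0

    if [ "$major" -le 6 ]; then
        echo "not-affected"
    elif [ "$major" -eq 7 ] && [ "$update" -le 6 ]; then
        echo "affected"
    else
        echo "unknown"
    fi
}

# Constructed sample banners, not captured from any real host.
for banner in \
    'java version "1.6.0_33"' \
    'java version "1.7.0"' \
    'java version "1.7.0_06"' \
    'java version "1.7.0_07"' \
    'no java here'
do
    printf '%-28s -> %s\n' "$banner" "$(classify_java_banner "$banner")"
done
```

To check a real machine, pass the function the first line of `java -version 2>&1`, since Java prints its version banner to standard error.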