
Update OS X Java to Avoid Spreading Mac Malware

Summary:

Exposure:

Yesterday, Apple released an advisory describing a Java security update for OS X 10.6.x and 10.7.x. The update fixes 12 vulnerabilities in OS X's Java components (counted by CVE-ID).

Apple doesn't describe each flaw in technical detail, but it does share the worst-case impact. If an attacker can lure you to a website containing specially crafted Java code, he can exploit many of these vulnerabilities to execute code on your OS X computer with your privileges. That is user-level, not root, access, but it is enough to read your files, install further malware in your account, and act as you on the network.

This Apple update finally brings the Java fixes Oracle released in February to OS X users. Unfortunately, attackers have already been exploiting one of these Java vulnerabilities against Mac users in the wild. A Mac trojan called Flashback has reportedly infected over 600,000 Macs by leveraging one of these Java flaws (earlier variants spread by posing as an Adobe Flash Player installer). If you have any Mac computers in your organization, we highly recommend you install Apple's OS X Java update immediately. You can also find instructions for checking your Mac for the Flashback malware here.

Solution Path:

[UPDATE] On Friday, Apple quietly changed the Lion Java update from 2012-001 to 2012-002 for undisclosed reasons (likely the original update didn't fully work). We have updated this alert to include the new patch. If you updated OS X before Friday, run Software Update again and make sure 2012-002 is installed.

Apple has issued Java for OS X Lion 2012-002 [dmg file] and Java for OS X 10.6 Update 7 [dmg file] to correct these flaws. If you manage OS X 10.6.x or 10.7.x computers, we recommend you download and deploy these updates immediately, or let OS X’s automatic Software Update utility install it for you.
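If you manage more than a handful of Macs, you will want to know which ones are still running the vulnerable Java build rather than trusting that Software Update ran everywhere. The script below is an added example for this alert, not code from Apple or from the original post. It parses the first line of `java -version` output and flags hosts that are older than the patched build. It assumes the patched build is Java SE 6 update 31 (1.6.0_31); that number is not stated in the alert, so confirm it against Apple's release notes before relying on it. The inventory lines are constructed sample data.

```shell
#!/bin/sh
# Added example: decide from `java -version` output whether a Mac still needs
# the Java update described in the alert. Runs on any POSIX sh.
#
# ASSUMPTION (not stated in the alert): the fixed build is Java SE 6 update 31,
# i.e. "1.6.0_31". Adjust FIXED_UPDATE if Apple's release notes say otherwise.
FIXED_MAJOR=6
FIXED_UPDATE=31

# java_update_number "<first line of java -version>" -> prints "<major> <update>"
# e.g. 'java version "1.6.0_29"' -> "6 29". Prints nothing if the line is not
# a recognisable Java 1.x version string.
java_update_number() {
    printf '%s\n' "$1" |
        sed -n 's/^java version "1\.\([0-9]*\)\.0_\([0-9]*\)[^"]*".*/\1 \2/p' |
        head -n 1
}

# needs_java_update "<first line of java -version>"
# Returns 0 (true) if the host still needs the patch: its build is older than
# the fixed one, or the version line could not be parsed (no Java, odd output),
# which we treat as "needs a human to look". Returns 1 if already fixed.
needs_java_update() {
    set -- $(java_update_number "$1")
    [ $# -eq 2 ] || return 0
    major=$1
    update=$2
    # Compare numerically: as strings, "1.6.0_9" would sort *after* "1.6.0_31".
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$update" -lt "$FIXED_UPDATE" ]; then
        return 0
    fi
    return 1
}

# Constructed sample inventory, one "hostname,<first line of java -version>"
# per line, as you might collect it with ssh or a management agent.
SAMPLE_INVENTORY='mac-01,java version "1.6.0_29"
mac-02,java version "1.6.0_31"
mac-03,java version "1.6.0_9"
mac-04,-bash: java: command not found'

# hosts_needing_update "<inventory>" -> prints one hostname per line for every
# host that still needs the update (or whose Java state is unknown).
hosts_needing_update() {
    printf '%s\n' "$1" | while IFS=',' read -r host ver; do
        [ -n "$host" ] || continue
        if needs_java_update "$ver"; then
            printf '%s\n' "$host"
        fi
    done
}

# Stand-alone demo against the constructed inventory.
echo "Hosts still needing the Java update:"
hosts_needing_update "$SAMPLE_INVENTORY"

# On a real Mac you would feed it the live output instead (java -version
# writes to stderr, hence 2>&1), and then let Software Update do the work:
#   needs_java_update "$(/usr/bin/java -version 2>&1 | head -n 1)" && echo "update needed"
#   softwareupdate -l        # lists pending Apple updates, including the Java one
```

Treating an unparsable version line as "needs attention" is deliberate: a Mac with no `java` binary at all is probably fine, but a Mac whose output you cannot interpret is exactly the one you want a person to look at rather than silently marking it patched.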

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most WatchGuard appliances blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities. Keep in mind that only traffic passing through that proxy policy is inspected, so this is a stopgap, not a substitute for installing the update.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.
