Secplicity - Security Simplified

Powered by WatchGuard Technologies

Critical Java Vulnerabilities Update: Apple OS X Patched

September 6, 2012 By Corey Nachreiner

Last week, I posted an alert about some highly critical flaws in Oracle Java; especially one in particular (CVE-2012-4681), which attackers have aggressively exploited in the wild. If an attacker can lure you to a web page or link containing malicious Java content, he can exploit these flaws to execute code on your computer, potentially gaining complete control of it. Oracle released an out-of-cycle update last week to fix this vulnerability, and two others.

This week brings two new updates to this critical Java vulnerability story.

First, and most importantly, Apple has released Java updates for OS X, which fix these vulnerabilities. Technically, OS X is not vulnerable to the primary exploit (CVE-2012-4681) that made all the headlines last week. That particular flaw only affects Java 1.7, and OS X ships with Java 1.6. However, OS X machines do suffer from the two other serious flaws Oracle corrected. This OS X update fixes those two flaws. If you manage OS X Snow Leopard, Lion, or Mountain Lion computers, download and install Apple’s Java updates, or let the Automatic Updater do it for you.

Second, the Polish researchers who originally warned Oracle of some of these Java flaws have claimed that Oracle’s newly released update introduces even more vulnerabilities. In a Bugtraq post, a researcher from Security Explorations warns that the latest Java update introduces a new Java Sandbox bypass vulnerability. This sandbox bypass flaw makes other, less exploitable Java flaws much more exploitable. The good news is that Security Explorations has withheld the details of these new issues until Oracle patches. So unlike the zero-day vulnerability from last week, attackers are not exploiting this new issue yet. Nonetheless, using Java is risky. If you have no business purpose for Java, I recommend disabling it if you can.
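The two paragraphs above give a simple triage rule for an inventory: a Java 1.7 runtime is exposed to the actively exploited CVE-2012-4681, while the Java 1.6 that OS X ships is not, but still needs Apple's update for the two other flaws Oracle fixed. The script below is an added example (not code from Corey Nachreiner or WatchGuard) that parses the banner `java -version` prints and applies that rule across a constructed host list; the hostnames and version banners are made up, and the "platform" label is an assumption about how your inventory records it.

```python
"""Triage Java installs by version family, following the advisory above:
Java 1.7 is exposed to CVE-2012-4681; Java 1.6 on OS X needs Apple's update
for the two other flaws. Added example, not part of the original post."""
import re
import subprocess

# `java -version` writes its banner to stderr; the first line looks like
#   java version "1.7.0_06"   or   java version "1.6.0_33"
VERSION_RE = re.compile(
    r'^(?:java|openjdk) version "(\d+)\.(\d+)(?:\.\d+)?(?:_(\d+))?"', re.M)


def parse_java_version(output):
    """Return (major, minor, update) parsed from `java -version` text, or
    None when no JVM banner is present (e.g. Java is not installed)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, update = m.groups()
    return (int(major), int(minor), int(update or 0))


def triage(host, platform, version_output):
    """Classify one host by its Java family (1.6 vs 1.7) per the advisory.
    `platform` is an assumed inventory field: "osx", "windows", "linux"."""
    ver = parse_java_version(version_output)
    record = {"host": host, "platform": platform, "java": ver,
              "cve_2012_4681": False}
    if ver is None:
        record["action"] = "no Java runtime found; nothing to patch"
        return record
    family = (ver[0], ver[1])
    if family == (1, 7):
        record["cve_2012_4681"] = True
        record["action"] = ("Java 1.7: exposed to the actively exploited flaw; "
                            "apply Oracle's out-of-cycle update or disable Java")
    elif family == (1, 6) and platform == "osx":
        record["action"] = ("Java 1.6 on OS X: not hit by CVE-2012-4681, but "
                            "install Apple's Java update for the two other flaws")
    else:
        # The post says nothing about other families/platforms, so defer to the vendor.
        record["action"] = ("Java family not covered by this advisory; "
                            "check the vendor bulletin")
    return record


def local_java_version_output():
    """Run `java -version` on this machine and return its banner text
    (empty string when the binary is missing)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


def triage_inventory(inventory):
    """inventory: iterable of (host, platform, `java -version` output)."""
    return [triage(h, p, out) for h, p, out in inventory]


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("mac-01", "osx",
     'java version "1.6.0_33"\nJava(TM) SE Runtime Environment\n'),
    ("win-02", "windows",
     'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)\n'),
    ("lin-03", "linux", "bash: java: command not found\n"),
]

if __name__ == "__main__":
    for rec in triage_inventory(SAMPLE_INVENTORY):
        print(f"{rec['host']:8} {rec['java']!s:14} "
              f"CVE-2012-4681={rec['cve_2012_4681']}  {rec['action']}")
    # Also classify the machine the script runs on (platform unknown here).
    print("local:", triage("localhost", "unknown",
                           local_java_version_output())["action"])
```

Because the JVM prints its banner to stderr rather than stdout, collection scripts that only capture stdout will wrongly report "no Java" on every host; the `local_java_version_output` helper concatenates both streams for that reason. Hosts that fall into the "not covered" branch should not be read as safe, only as outside what this post states.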

Finally, a quick update for WatchGuard XTM appliance users. In my original advisory, I mentioned that we had both IPS and GAV signatures that will block many of these exploits. I just wanted to add that our latest IPS update (signature set v4.232) has added six more signatures that protect against CVE-2012-4681 exploits. If you have a WatchGuard XTM Appliance with the UTM bundle, you are fairly well protected against this flaw (but you should still patch). — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes Tagged With: drive-by download, Oracle, sun, Updates and patches, Zero day exploit

Comments

  1. law nurse says

    October 24, 2013 at 11:54 pm

    It's been a while since your site was launched and your SEO needs updating really bad. These people did mine for a really reasonable price
    law nurse http://www.legalnursenetwork.com/



Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use