If you’re still using Java, you need to patch it yet again—even if you’re using a Mac.
Over the last few days both Facebook and Apple have reported network breaches. In both cases, employees at those companies visited a particular web site that was infected with a zero day Java exploit, which then infected the victims with malware. Though Facebook and Apple admit that they found malware on their systems, both claim that there is no evidence suggesting the attackers stole any sensitive customer data.
With all the zero day Java vulnerabilities we’ve reported recently, this probably doesn’t come as a huge surprise. Attackers are obviously targeting this popular web plugin. Yet, this incident is a very significant admission from Apple. Not only does it prove what security professionals have been arguing for years—that Macs aren’t immune from malware—but it demonstrates that even large enterprises, like Apple are suffering from cyber attacks.
Attack disclosures aside, both Oracle and Apple have released Java security updates as a result of these attacks. Despite just releasing an earlier Java update this month, Oracle released yet another emergency update on February 19th, fixing five more security vulnerabilities in Java. If you use Java on Windows, Linux, or Solaris computers, you should go get that update immediately. Apple also released their own Java update for OS X today. If you’re a Mac user, you should also install either Java for OS X 2013-001 or Mac OS X v10.6 Update 13 immediately.
After repeated cases of zero day exploits over the past fews months, you’ve probably discerned that Java is very dangerous right now. Apparently, it is rife with security holes and there is no doubt that attackers have focused their efforts on finding them before Oracle does. I’ve said this before, but if there is any way you can live without Java on your computer, you should remove it. Frankly, this advice is easier said than done. Unfortunately, many business applications (even some security ones) rely on Java to function. These applications may prevent you from removing Java immediately. That said, with the current prevalence of Java attacks, perhaps it’s time to re-evaluate any applications that forces Java upon you.— Corey Nachreiner, CISSP (@SecAdept)