Apple released a Java update this week and that was good, but it did not solve a high-profile flaw that has become the target of attacks over recent weeks, a security researcher said.
Java for OS X 2012-005 and Java for Mac OS X 10.6 Update 10 offer patched versions of Java for OS X Lion and Mountain Lion systems that tackle CVE-2012-0547. But this is different from the CVE-2012-4681 issue affecting Java users, KrebsOnSecurity reported.
Security vulnerabilities in Java are an all-too-real danger for Mac fans, as illustrated by the spread of the Flashback Trojan, which created a 600,000 strain botnet earlier this year. Flashback also exploited a Java hole fixed by Oracle in February, but remained unpatched on Mac systems until April, after Flashback had taken hold.
Oracle patched the CVE-2012-4681 megabug with an update to its vulnerable Java Runtime Environment (JRE) 1.7 last week. However, Security Explorations, the firm that originally found the flaw, warned the patch issued by Oracle was itself buggy, without going into details. Even the original flaw dates from April but people only really stood up and took notice after exploits began circulating, around two weeks ago.
One way to avoid the entire situation is to uninstall Java, or at minimum disable Java-related browser plugins, standard advice from many security firms before the arrival of Oracle’s emergency fix last week. Most mainstream sites, with the exception of a few e-banking sites don’t need Java in order to work.
Users could use an alternative browser for such sites after disabling Java on their main browser, a move that would greatly reduce their exposure to danger.