Apple plugs Java hole, shifts away from plug-in

Apple has released a fix for a critical Java vulnerability, while also taking further steps to distance itself from the technology, which has become a major security risk in Web browsers.

Apple released the fix Wednesday for Mac OS X Snow Leopard, Lion and Mountain Lion. The patches, Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005, shipped a week after Java-steward Oracle released an emergency patch.

As of this week, more than a quarter-million computers on the Web had been infected with malware exploiting the vulnerabilities, said Atif Mushtaq, a security researcher at FireEye.

The bugs were in the Java plug-in used in all the major Web browsers, including Google Chrome, Microsoft Internet Explorer, Apple Safari and Mozilla Firefox. The flaws were rated critical because cybercriminals could use them to install malware capable of commandeering a computer.

Apple's patches automatically deactivated the Java plug-ins in browsers, leaving it up to Mac users to turn them back on. Until a few months ago, Apple had handled the release of all Java updates. Now, customers can download and install fixes directly from Oracle.


"Apple is trying to distance itself from Java in general," said Marcus Carey, a security researcher at Rapid7. "Over the last six months, Java has been a headache for everyone in the industry."

By turning off Java by default, Apple is making customers choose whether to take the risk in running the browser plug-in. "People who need Java are going to be on their own," Carey said.

The recent outbreak has led many security vendors to advise people to disable Java in browsers, because the technology is not used on the majority of Web sites. Over the last few years, Java applets have been replaced with more modern Web technologies, such as HTML 5, XML and JavaScript.

"In my opinion, most Apple users should just turn Java off," Andrew Storm, director of security operations for nCircle, said by email. "Apple doesn't ship it pre-installed anymore and most Java applets are slow and clunky. It's always good security practice to turn off anything you don't really need."

While Apple moves away from the technology, Java remains a headache for Oracle. Many security experts have criticized the business software maker for the amount of time it takes to release a patch for known Java vulnerabilities.

In the latest incident, Polish company Security Explorations said it told Oracle about the flaws in April. Oracle has not commented on why it took four months to release a patch.

"Why talking to your customers about security is so difficult is beyond my comprehension," Storm said. "All software has bugs, customers know that. We don't ask for a lot of information; the minimum requirements include an estimate of when a fix will be available and some mitigation advice. How hard is that?"

For years, Apple faced the same criticism for taking months to deliver Java updates to its customers that were already available from Oracle. In June, Apple appeared to change course, releasing a Java patch on the same day as Oracle for the first time. Apple doesn't comment on product security.

"Overall, Apple has been very fast in coming out with new versions of Java, which is a great security improvement over the past," Wolfgang Kandek, chief technology officer for Qualys, said by email.

Apple's response to Java vulnerabilities changed in April when 650,000 Macs worldwide were infected with the Flashback malware that exploited a Java flaw. Apple did not release a fix for six weeks after Oracle, giving cybercriminals plenty of time to build exploits and launch attacks.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Stories by Antone Gonsalves