Java and Flash vulnerabilities mean Macs are no longer safe from security threats

Recently Apple has taken to blocking Java and Flash via XProtect, which is not surprising given the number of vulnerabilities in both.

When it comes to security on your Mac, most of us think of viruses, worms, and other forms of malware and we conclude that Mac users don't really have to worry about it. However, recent vulnerabilities with Java and Flash have highlighted the fact that there are cross platform threats that even Mac users need to be aware of. Luckily Apple has its own protection against malware attacks, and it's not afraid to use it.

Recently Apple has taken to blocking Java and Flash via XProtect. Twice in February Apple blocked Java by adding it to the banned list in XProtect. Then earlier this week Apple used XProtect to block older versions of Flash, forcing users to update to the latest version if they wish to view Flash-based content (such as iPlayer).

Java vulnerabilities

Java has seen an alarmingly high number of exploits since the start of the year, with Apple and Oracle both being forced to issue multiple patches to deal with ongoing issues. It appears that Java has become a key target for criminals, perhaps because malware written for Java can infect Windows, Mac and Linux computers.

On Monday, less than two weeks after its last Java updates, Apple released Java for OS X 2013-002 for OS X 10.8 Mountain Lion and 10.7 Lion and Java for Mac OS X 10.6 Update 14 for 10.6 Snow Leopard. Apple's security page notes that these updates address two critical vulnerabilities (CVE-2013-0809 and CVE-2013-1493), the latter of which has been actively exploited to "maliciously install the McRat executable onto unsuspecting users' machines," according to Oracle.

Apple relies on Oracle to maintain security updates to Java, and the company issued its Java updates soon after Oracle patched flaws in Java 7 and Java 6. However, Oracle says that it will no longer update the aging Java 6 software and this is not good news for Mac users. Unfortunately, not all Mac users can upgrade to Java 7, as it requires Lion or later. According to Net Applications, in February 37% of all Macs were running a version of OS X older than Lion.

It seems likely that Apple will eventually block this old version of Java from running on Macs. For many organisations this could be an issue if they run web-based internal business applications that require the technology, because disabling Java in browsers would break access to those applications. This happened to a number of businesses earlier in February when Apple barred Java on Macs, leaving companies that rely on Java plug-ins out in the cold. Apple blocked Java 7 Update 11 by adding it to the banned list in Apple's XProtect anti-malware feature. Unfortunately, some enterprise users depend on Java and may suffer a loss of revenue when their software ceases to work.

Apple has itself been a victim of Java exploits. On 19 February Apple confirmed that some computers belonging to its employees had been targeted by hackers. The hackers were said to be the same group that infiltrated computers belonging to Facebook employees the week before, and both attacks exploited the same Java vulnerability.

The company emphasised that: "Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found."

Later that day Apple issued a Java update for Mac OS X 10.7 patching a number of security vulnerabilities as well as scanning for the most common variants of the malware in question and removing them.

Sophos's advice is "get rid of Java altogether" or "ban it from your browser". "Keeping Java out of your browser removes the risk of hostile applets - special stripped-down Java programs embedded into web pages" is the advice in Sophos's Naked Security blog.

Apple also dissuades people from running Java, suggesting: "Enable Java in your web browser only when you need to run a Java web app."

Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Apple has already stopped bundling Java with OS X by default. You can read about how to disable Java on your Mac here.

Flash vulnerabilities

Of course Java isn't the only baddy as far as security on the Mac is concerned. Adobe has issued Flash updates three times in the past month. This week Apple began to block outdated Flash players, the second time in a month that the company had blocked Flash unless users install a security update.

When attempting to view Flash content in Safari, users may see the alert "Blocked Plug-in", says Apple on the web page announcing the availability of the update. If you visit a site that uses Flash to display ads you will see the following message: "Adobe Flash Player is out of date."

"To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player" said Apple.

The latest version is Flash 11.6.602.171.
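The plug-in-blocking mechanism Apple describes above works on version numbers: XProtect carries a list of plug-in bundle identifiers with a minimum acceptable version, and anything older is refused by Safari. As an added illustration (not Apple's code, and not from the original article), the script below parses a constructed property list in the shape of XProtect's metadata file and decides which installed plug-ins would be blocked. The key names (`PlugInBlacklist`, the nested `10` bucket and `MinimumPlugInBundleVersion`) are an assumption about that file's layout; the Flash minimum is the version the article names, while the Java version string and the "installed" versions are made up for the example.

```python
import plistlib

# Constructed sample in the shape of XProtect's plug-in block list. The key
# names are an assumption about the real file's layout; the Java version is a
# placeholder, the Flash one is the version the article names as current.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>11.6.602.171</string>
      </dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.17.02</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text):
    """Turn a dotted bundle version such as '11.6.602.171' into a tuple of ints.
    Non-numeric components count as 0 so a malformed string never raises."""
    return tuple(int(piece) if piece.isdigit() else 0
                 for piece in text.strip().split("."))


def is_blocked(installed, minimum):
    """True when the installed version is older than the minimum allowed one.
    Shorter tuples are zero-padded so '11.7' compares as '11.7.0.0'; a plain
    string comparison would get '11.6.602.9' vs '11.6.602.171' wrong."""
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have < need


def minimum_versions(plist_bytes):
    """Extract {bundle id: minimum version} from every bucket of the block list."""
    meta = plistlib.loads(plist_bytes)
    minimums = {}
    for bucket in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, entry in bucket.items():
            minimums[bundle_id] = entry["MinimumPlugInBundleVersion"]
    return minimums


def check_plugins(plist_bytes, installed):
    """Report (installed, minimum, blocked) for each installed plug-in.
    Plug-ins absent from the list are never blocked and get minimum None."""
    minimums = minimum_versions(plist_bytes)
    report = {}
    for bundle_id, version in installed.items():
        minimum = minimums.get(bundle_id)
        if minimum is None:
            report[bundle_id] = (version, None, False)
        else:
            report[bundle_id] = (version, minimum, is_blocked(version, minimum))
    return report


if __name__ == "__main__":
    # Constructed installed versions: Flash one build behind, Java up to date.
    installed = {
        "com.macromedia.Flash Player.plugin": "11.6.602.167",
        "com.oracle.java.JavaAppletPlugin": "1.7.17.02",
    }
    for bundle_id, (have, need, blocked) in check_plugins(SAMPLE_XPROTECT_META, installed).items():
        state = "BLOCKED" if blocked else "allowed"
        print(f"{bundle_id}: installed {have}, minimum {need}: {state}")
```

The point worth noticing is the numeric comparison: a blocklist keyed on version strings is only as good as the comparison behind it, and comparing the dotted strings lexically would let an older build through whenever a component has fewer digits than the minimum.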

Apple blocked Adobe Flash on the Mac due to a series of vulnerabilities. However, while it might mean you are being greeted by fewer adverts, you will no doubt have noticed that iPlayer, 4OD and other on demand services no longer work. We explain how to get Flash to work again here.

Like Oracle with Java, Adobe has been busy patching vulnerabilities in its Flash Player over the past month. At the end of February Adobe patched new vulnerabilities in Flash Player that hackers were exploiting in attacks aimed at Firefox users. The company also released patches for Flash Player and Shockwave Player earlier in the month, fixing a total of 17 vulnerabilities in Flash Player, 16 of which were critical and could result in remote code execution.

These vulnerabilities "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security advisory.

Towards the beginning of February, Adobe released an emergency update for Flash Player on all platforms after two zero-day bugs were discovered in the wild targeting Windows and Mac OS X computers. The vulnerabilities allowed hackers to hijack both Windows PCs and Macs.

Apple's own website was vulnerable

Even Apple has turned out to have security issues on its website. A security researcher discovered a DOM-based cross-site scripting (XSS) vulnerability on the 'Find Locations' subdomain of Apple's website, writes Softpedia.

Apple has addressed the vulnerability that could have been used to hijack user sessions and possibly even accounts, according to Independent security researcher Mirza Burhan Baig of

HTML5 could do data dumps

There is a movement towards HTML5 as a replacement for Flash, but it should be noted that even that may open up certain vulnerabilities.

A flaw in HTML5 coding language could allow websites to bombard users with gigabytes of junk data, according to an Apple Insider report.

Developer Feross Aboukhadijeh claims that the data dumps can be performed on most web browsers, including Apple's Safari. Only Firefox capped the data dump at 5MB.

A loophole allowed HTML5 programmers to bypass the data cap imposed by browsers. Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display, according to the report.

Follow Karen Haslam on Twitter / Follow MacworldUK on Twitter

