Apple Pushes Out Java Security Updates (Updated)
In October 2010, there was news that Apple was deprecating the Java runtime that came with its operating system. Indeed, those who have done a fresh installation of Mac OS X Lion will notice that Apple’s own version of Java runtime is no longer installed automatically as part of the OS installation.
However, Apple had also announced that it’d work with Oracle in the OpenJDK project for Mac OS X. So, while the current Java SE 6 continues to be available from Apple for Mac OS X Snow Leopard and Lion, Java SE 7 for OS X (and subsequent versions) will come from Oracle instead.
Just a couple of days ago, Ars Technica reported that the Flashback trojan (named for the Adobe Flash Player installer it impersonates) now has a variant, Flashback.K, that can infect a Mac without ever asking for an administrator password. It does so by exploiting a critical Java vulnerability (CVE-2012-0507). Oracle released a patch for it in February, but Apple had not shipped one for its own Java builds until now.
Apple has just released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. These updates are available for Mac OS X 10.6.8 Snow Leopard and 10.7.3 Lion, and they patch multiple vulnerabilities in Java 1.6.0_29, some of which let malicious code escape the Java sandbox and run on the Mac after nothing more than a visit to a web page hosting it. The patches also close the hole exploited by the Flashback.K trojan.
Users can find the patches by running Software Update on their Mac.
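As an added example (not code from the original article or from Apple), here is a small POSIX shell check that reads the first line of `java -version` output and reports whether the installed runtime is still at or below Java 1.6.0_29, the build the article says these updates patch. It assumes that any later 1.6 update level already carries the fix; the article does not state the exact fixed build number, and the sample banner lines at the bottom are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the original article or from Apple.
# Flags a `java -version` banner as unpatched when the reported build is at
# or below 1.6.0_29, the version the article says these updates patch.
# Assumption: any later 1.6 update level already carries the fix; the exact
# fixed build number is not given in the article.
VULN_MAJOR=1
VULN_MINOR=6
VULN_PATCH=0
VULN_UPDATE=29

# Pull the quoted version token out of a banner line such as
#   java version "1.6.0_29"
# Prints e.g. 1.6.0_29, or nothing if no quoted version is present.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*"\([0-9][0-9.]*\(_[0-9][0-9]*\)\{0,1\}\)".*/\1/p' | head -n 1
}

# Returns 0 (true) when major.minor.patch_update <= 1.6.0_29, comparing
# field by field from the most significant component down.
version_at_or_below_vuln() {
    for pair in "$1:$VULN_MAJOR" "$2:$VULN_MINOR" "$3:$VULN_PATCH" "$4:$VULN_UPDATE"; do
        have=${pair%%:*}
        vuln=${pair#*:}
        [ "$have" -lt "$vuln" ] && return 0
        [ "$have" -gt "$vuln" ] && return 1
    done
    return 0   # all fields equal: this is exactly the vulnerable build
}

# Prints "unpatched", "patched", or "unparseable" (with exit status 1)
# for one banner line.
check_java_banner() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unparseable
        return 1
    fi
    base=${ver%%_*}
    update=${ver#*_}
    [ "$update" = "$ver" ] && update=0    # no "_NN" suffix: treat update level as 0
    # Split "1.6.0" into positional parameters; missing fields default to 0.
    set -- $(printf '%s' "$base" | tr '.' ' ')
    if version_at_or_below_vuln "${1:-0}" "${2:-0}" "${3:-0}" "$update"; then
        echo unpatched
    else
        echo patched
    fi
}

# Constructed sample banners (not real captures) showing each outcome.
check_java_banner 'java version "1.6.0_29"'   # unpatched
check_java_banner 'java version "1.6.0_33"'   # patched
check_java_banner 'java version "1.6.0_26"'   # unpatched
check_java_banner 'java version "1.7.0_04"'   # patched

# Check the JVM on this machine, if one is installed.
if command -v java >/dev/null 2>&1; then
    check_java_banner "$(java -version 2>&1 | head -n 1)" || true
fi
```

Because Apple's Java builds share the 1.6.0_NN numbering with Oracle's, this only tells you whether the runtime predates the fix; it does not detect whether the Flashback malware itself is present, which is what the later Apple updates address.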
Update: A few days ago, Apple said that it'd be taking action on the Flashback malware, which has infected up to 600,000 Macs worldwide. True to its word, the company has just released Java for OS X Lion 2012-003 and Java for Mac OS X 10.6 Update 8 to remove the most common variants of the Flashback malware. The Lion update also disables automatic execution of Java applets.
So, fire up Software Update on your Mac, or head down to Apple's Support Downloads site.