There is no patch for the vulnerability yet. Fortunately, Apple and Mozilla acted quickly and blocked vulnerable versions of Java:
This happened before any Mac malware was known to have been dropped via the vulnerability, and will probably prevent it entirely. Only time will tell, though.
For OS X, if you have Java 7 installed and you kept your OS X software updated, Apple has already pulled the plug for you.
1. Here is the official report from CERT regarding the vulnerability => http://www.kb.cert.org/vuls/id/625617.
- "....We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected."
- "We are currently unaware of a practical solution to this problem".
The vulnerability notice recommends a workaround: turn off Java in web browsers.
Pity those who don't have OS X: The attack occurs simply when a user hits a black-hat website, thereby executing hostile code on their machine.
Snip: "Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability."
2. Here are the Apple-specific details from MacRumors.com => http://www.macrumors.com/2013/01/11/apple-blocks-java-7-on-os-x-to-address-widespread-security-threat/.
"...Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed."
To follow up on my previous post, I checked my iMac to verify that the Mac Malware Definition list did in fact have the Java 7 in there. It does.
To check, execute command in terminal:
cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
As a paranoid "just in case" measure, I also physically disabled Java execution in the web browser via the System Preferences:
System Preferences | Java | Java Control Panel | Security tab, then remove the check on the field "Enable Java content in the browser".
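Reading the raw plist with cat works, but it is easier to see whether the block actually applies to the Java plug-in you have installed by parsing the file and comparing versions. The script below is an added example, not code from the thread or from Apple; it assumes the XProtect.meta.plist layout of the time (a PlugInBlacklist dict keyed by WebKit version group, then host bundle id, then plug-in bundle id, each with a MinimumPluginBundleVersion string). The embedded sample plist and its version numbers are constructed for the example and are not the real blocklist values; on a Mac the script reads the real file when it exists.

```python
"""Check whether XProtect's plug-in blocklist would block a given Java plug-in.

Added example, not part of the original thread. Assumes the XProtect.meta.plist
layout PlugInBlacklist -> <WebKit group> -> <host bundle id> -> <plug-in id>
-> MinimumPluginBundleVersion. SAMPLE_PLIST below is constructed for this
example; its version strings are placeholders, not Apple's real values.
"""
import os
import plistlib
from typing import Dict, Optional, Tuple

XPROTECT_META = ("/System/Library/CoreServices/CoreTypes.bundle/"
                 "Contents/Resources/XProtect.meta.plist")
JAVA_PLUGIN_ID = "com.oracle.java.JavaAppletPlugin"  # assumed Java 7 plug-in bundle id

# Constructed sample plist mirroring the assumed XProtect.meta.plist layout.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.apple.WebKit</key>
      <dict>
        <key>com.oracle.java.JavaAppletPlugin</key>
        <dict>
          <key>MinimumPluginBundleVersion</key>
          <string>1.7.11.22</string>
        </dict>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted bundle version like '1.7.10.19' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def minimum_versions(plist_bytes: bytes) -> Dict[str, str]:
    """Collect plug-in id -> MinimumPluginBundleVersion across every group/host.

    Iterating all groups and hosts avoids hard-coding the '10' / com.apple.WebKit
    keys, so a future layout with more groups is still handled.
    """
    data = plistlib.loads(plist_bytes)
    found: Dict[str, str] = {}
    for group in data.get("PlugInBlacklist", {}).values():
        for host in group.values():
            for plugin_id, entry in host.items():
                minimum = entry.get("MinimumPluginBundleVersion")
                if minimum:
                    found[plugin_id] = minimum
    return found


def is_blocked(installed: str, minimum: str) -> bool:
    """XProtect blocks a plug-in whose bundle version is below the minimum."""
    return parse_version(installed) < parse_version(minimum)


def java_status(installed: str, plist_bytes: bytes = SAMPLE_PLIST) -> Tuple[str, Optional[str]]:
    """Return ('blocked'|'allowed'|'unlisted', minimum) for the Java plug-in."""
    minimum = minimum_versions(plist_bytes).get(JAVA_PLUGIN_ID)
    if minimum is None:
        return ("unlisted", None)   # no entry: XProtect is not blocking it at all
    return ("blocked" if is_blocked(installed, minimum) else "allowed", minimum)


def main() -> None:
    # Prefer the real file on a Mac; fall back to the constructed sample elsewhere.
    if os.path.exists(XPROTECT_META):
        with open(XPROTECT_META, "rb") as fh:
            plist_bytes = fh.read()
        source = XPROTECT_META
    else:
        plist_bytes, source = SAMPLE_PLIST, "constructed sample"
    installed = "1.7.10.19"  # constructed installed version; read yours from the plug-in's Info.plist
    status, minimum = java_status(installed, plist_bytes)
    print(f"source: {source}")
    print(f"Java plug-in {installed} is {status} (minimum required: {minimum})")


if __name__ == "__main__":
    main()
```

The comparison is the whole point: an "unlisted" result means XProtect has no opinion about the Java plug-in, which is why disabling Java in the browser is still worth doing rather than relying on the blocklist alone.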