Jan 12, 2013 12:14 PM (in response to Married with Children)
Nothing so far from either Apple or Oracle.
Jan 12, 2013 12:26 PM (in response to Married with Children)
I haven't re-enabled Java, so I didn't really keep up.
The snippets I read seemed to indicate it was a Java 7 vulnerability.
On another thread I was trying to help with, another poster stated that XProtect has disabled the Java plugin, again. No info on whether a patch was available.
Jan 12, 2013 12:53 PM (in response to Barney-15E)
The last info is that the ball is in Oracle's court. They haven't responded with a patch yet.
Jan 12, 2013 1:04 PM (in response to Married with Children)
There is no patch for the vulnerability yet. Fortunately, Apple and Mozilla acted quickly and blocked vulnerable versions of Java:
This happened before any Mac malware was known to have been dropped via the vulnerability, and will probably prevent it entirely. Only time will tell, though.
Jan 12, 2013 1:29 PM (in response to Married with Children)
For OS X, if you have Java 7 installed and you kept your OS X software updated, Apple has already pulled the plug for you.
1. Here is the official report from CERT regarding the vulnerability => http://www.kb.cert.org/vuls/id/625617.
- "....We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected."
- "We are currently unaware of a practical solution to this problem".
The vulnerability notice recommends a workaround: turn off Java in web browsers.
Pity those who don't have OS X: The attack occurs simply when a user hits a black-hat website, thereby executing hostile code onto their machine.
Snip: "Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability."
2. Here are the Apple-specific details from MacRumors.com => http://www.macrumors.com/2013/01/11/apple-blocks-java-7-on-os-x-to-address-widespread-security-threat/.
"...Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed."
Jan 12, 2013 2:15 PM (in response to Married with Children)
To follow up on my previous post, I checked my iMac to verify that the Mac Malware Definition list did in fact have the Java 7 in there. It does.
To check, execute this command in Terminal:
cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
As a paranoid "just in case" measure, I also physically disabled Java execution in the web browser via the System Preferences:
System Preferences | Java | Java Control Panel | Security tab, then remove the check on the field "Enable Java content in the browser."
Jan 13, 2013 4:31 AM (in response to RonFairfaxVA)
Ron, our collective minds are more at ease, thank you.