
What's the latest regarding the Java hacking in the news today?

I don't trust the news media as much as I do this community when it comes to accuracy and latest developments.......


How affected would our Apple products be to this intrusion?

MacBook Pro, Mac OS X (10.7.2)

Posted on Jan 12, 2013 7:51 AM

Question marked as Best reply

Posted on Jan 12, 2013 12:14 PM

Nothing so far from either Apple or Oracle.


Best.

7 replies

Jan 12, 2013 1:04 PM in response to Married with Children

There is no patch for the vulnerability yet. Fortunately, Apple and Mozilla acted quickly and blocked vulnerable versions of Java:


http://www.reedcorner.net/apple-and-mozilla-act-fast-to-secure-java/


This happened before any Mac malware was known to have been dropped via the vulnerability, and will probably prevent it entirely. Only time will tell, though.

Jan 12, 2013 1:29 PM in response to Married with Children

Hi.

For OS X, if you have Java 7 installed and you kept your OS X software updated, Apple has already pulled the plug for you. 🙂


1. Here is the official report from CERT regarding the vulnerability => http://www.kb.cert.org/vuls/id/625617.


Snips:

  • "....We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected."
  • "We are currently unaware of a practical solution to this problem".


The vulnerability notice recommends a workaround: turn off Java in web browsers.


Pity those who don't have OS X: The attack occurs simply when a user hits a black-hat website, thereby executing hostile code onto their machine.


Snip: "Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability."


2. Here are the Apple-specific details from MacRumors.com => http://www.macrumors.com/2013/01/11/apple-blocks-java-7-on-os-x-to-address-widespread-security-threat/.


Snip:

"...Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed."

Jan 12, 2013 2:15 PM in response to Married with Children

To follow up on my previous post, I checked my iMac to verify that the Mac Malware Definition list did in fact have the Java 7 in there. It does.


Reference: How to Check if your Mac Malware Definitions List is Updated


To check, execute this command in Terminal:


cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist


As a paranoid "just in case" measure, I also physically disabled Java execution in the web browser via the System Preferences:


System Preferences | Java | Java Control Panel | Security tab, then remove the check on the field "Enable Java content in the browser".
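
What the XProtect.meta.plist check in the post above amounts to, as an added example that is not part of the original post: the script reads the plug-in blacklist and reports whether an installed plug-in version falls below the listed minimum. The key names (PlugInBlacklist, the "10" OS key, MinimumPlugInBundleVersion) are this example's assumption about the file layout, and the embedded plist and version numbers are constructed sample data.

```python
import plistlib

# Constructed sample, not copied from a real Mac. The key names are this
# example's assumption about the XProtect.meta.plist layout.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key><integer>1</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key><string>1.7.10.19</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def version_tuple(text):
    """Turn '1.7.10.19' into (1, 7, 10, 19) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def minimum_versions(meta_bytes, os_major="10"):
    """Return {bundle_id: minimum allowed version} from the plug-in blacklist."""
    meta = plistlib.loads(meta_bytes)
    entries = meta.get("PlugInBlacklist", {}).get(os_major, {})
    return {bundle_id: rule["MinimumPlugInBundleVersion"]
            for bundle_id, rule in entries.items()
            if "MinimumPlugInBundleVersion" in rule}

def is_blocked(meta_bytes, bundle_id, installed_version):
    """True when the installed plug-in is older than the listed minimum."""
    minimum = minimum_versions(meta_bytes).get(bundle_id)
    if minimum is None:
        return False  # no rule listed for this plug-in
    return version_tuple(installed_version) < version_tuple(minimum)

if __name__ == "__main__":
    for bundle_id, minimum in minimum_versions(SAMPLE_META).items():
        print(f"{bundle_id}: minimum allowed version {minimum}")
    print(is_blocked(SAMPLE_META, "com.oracle.java.JavaAppletPlugin", "1.7.10.18"))
```

On a Mac, the bytes of the real file at the path given in the post can be passed in place of SAMPLE_META.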
