Apple has released a security update for Java, but it does not address another security hole that has been at the center of recent attacks.
Apple on Sept. 5 pushed out an update for Java 6 Mac OS X Snow Leopard, Lion and Mountain Lion. The patches followed a move by Oracle to release a rare out-of-band patch to address security concerns raised by a spate of attacks targeting CVE-2012-4681. However, the update by Apple only addresses CVE-2012-0547, despite linking to an Oracle advisory on the former.
“Given that the Java browser plug-in vulnerabilities outwardly expose endpoints to Web attacks (both drive-by and targeted spear phishing) it’s always prudent to update these patches,” Paul Zimski, vice president of solution marketing at patch management firm Lumension, said in an email. “CVE-2012-0547 does not appear to be directly related to the major vulnerability recently discovered in CVE-2012-4681, but nonetheless, you want your organization’s browsers to be as secure as possible when it comes to users surfing the Web.”
CVE-2012-4681 addresses a security issue in Java 7. Apple still maintains Java 6 for Mac users, but handed support of Java 7 off to Oracle. Oracle issued a patch for CVE-2012-0547 and CVE-2012-4681 the week of Aug. 27. The latter of the two issues has been spotted being targeted by attackers ranging from users of the Black Hole exploit kit to the mind or minds behind the “Nitro” attacks aimed at the chemical industry.
However, the emergency Java update Oracle issued last week has been at the center of some controversy. According to Polish firm Security Explorations, the update contains a bug that allows an attacker to bypass the JVM sandbox and exploit bugs the company had previously disclosed to Oracle in April. Security Explorations CEO Adam Gowdiak declined to share details of the bug, but said the company has notified Oracle, which is investigating.
“We found and reported to Oracle a security issue that affects recently released patched Java version (7 Update 7, version that was released on Aug 30, 2012),” he told eWEEK in an email. “I cannot share more details about the nature of the new bug. [But] when combined with some of the Apr 2012 issues, this new issue can facilitate a successful code execution attack on latest Java SE 7 Update 7.”
Due to Java’s popularity as an attack vector, some security pros have recommended disabling it if there is not a strong use case for it. Earlier this year, a Java vulnerability was used to target Mac users in the now-notorious outbreak of the Flashback Trojan. At its height this spring, the malware built a botnet of more than 600,000 infected machines on the back of a Java vulnerability.
“A mistake many companies make is to focus more on patching their OS (operating system) vulnerabilities and not addressing these third-party vulnerabilities that are so often used by cybercriminals today,” Zimski said.