Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.
The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.
The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most of which it said were U.S.-based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in Google-translated form here.
Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains, which arrive through the Java flaw described above when a user visits a booby-trapped web page, will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here.
As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access web pages that use it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin:
- Safari: click Preferences, then the Security tab, and uncheck “Enable Java”.
- Google Chrome: open Preferences and type “Java” in the search box. Scroll down to the Plug-ins section and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing.
- Mozilla Firefox for Mac: click Tools, Add-ons, and disable the Java plugin(s).
Disabling the browser plugin blocks the drive-by route Flashback uses while leaving Java available to desktop applications.
I can’t stress this point strongly enough: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.
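The two questions a Mac user is left with after the steps above are “is the Java on this machine older than the fixed build?” and “which Java plugin bundles are still on disk for a browser to load?”. The script below is an added example, not code from the original post, Apple or Oracle. It assumes that Apple’s update (HT5228) brings Java SE 6 to 1.6.0_31, which is used as the threshold, and that browser plugins live under /Library/Internet Plug-Ins and ~/Library/Internet Plug-Ins as they did on OS X of that era; the sample banner in the comments is constructed.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a Mac's Java
# predates the fix, and inventory Java browser plugin bundles.
# Assumption: Apple's HT5228 update ships Java SE 6 as 1.6.0_31.

FIXED_JAVA6="1.6.0_31"

# Pull the quoted version out of a `java -version` banner, e.g. from the
# constructed line   java version "1.6.0_29"   this yields 1.6.0_29.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Compare dotted/underscored versions field by field (1.6.0_29 vs 1.6.0_31).
# Prints -1, 0 or 1 as $1 is older than, equal to, or newer than $2.
java_version_cmp() {
    a=$(printf '%s' "$1" | tr '._' '  ')
    b=$(printf '%s' "$2" | tr '._' '  ')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%% *}; if [ "$ah" = "$a" ]; then a=''; else a=${a#* }; fi
        bh=${b%% *}; if [ "$bh" = "$b" ]; then b=''; else b=${b#* }; fi
        ah=${ah:-0}; bh=${bh:-0}            # a missing field counts as 0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' "1"; return 0; fi
    done
    printf '%s\n' "0"
}

# Exit 0 when the banner shows a Java older than FIXED_JAVA6, 1 when it is
# at or past the fix, and 2 when the banner carries no Java version at all
# (java missing, or the shell's "command not found" text).
java_banner_needs_update() {
    v=$(java_version_from_banner "$1")
    if [ -z "$v" ]; then return 2; fi
    [ "$(java_version_cmp "$v" "$FIXED_JAVA6")" = "-1" ]
}

# List Java plugin bundles in one plugin directory, one path per line, so you
# can see what a browser could still load after the per-browser "disable".
java_plugins_in() {
    [ -d "$1" ] || return 0
    for p in "$1"/*; do
        case "$(basename "$p")" in
            *[Jj]ava*.plugin) printf '%s\n' "$p" ;;
        esac
    done
}

# Live check: run with CHECK_LIVE=1. `java -version` prints its banner to stderr.
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    if java_banner_needs_update "$(java -version 2>&1)"; then
        echo "Java predates $FIXED_JAVA6: install the Apple update or remove the plugin"
    else
        echo "No Java reported, or version is $FIXED_JAVA6 or newer"
    fi
    java_plugins_in "/Library/Internet Plug-Ins"
    java_plugins_in "$HOME/Library/Internet Plug-Ins"
fi
```

The comparison is done field by field rather than as a string so that 1.7.0_03 sorts after 1.6.0_31 and a bare 1.6.0 sorts before it; a string compare would get both wrong. The plugin listing is the check worth keeping after the browser-side steps, because unchecking a box in one browser says nothing about the bundle another browser will load.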
- Java Security Update Scrubs 14 Flaws
- Java Update Clobbers 29 Security Flaws
- New Java Attack Rolled into Exploit Packs
- Java 6 Update 24 Plugs 21 Security Holes
- Java Patch Plugs 17 Security Holes
Tags: Adrian Sanabria, Ars Technica, CVE-2012-0507, Dr. Web, f-secure, Flashback Trojan, HT5228, Intego, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, Oracle, Sun, windows
This entry was posted on Wednesday, April 4th, 2012 at 12:59 pm and is filed under Latest Warnings, Security Tools, Time to Patch.
Thursday, April 5, 2012
Urgent Fix for Zero-Day Mac Java Flaw
Google takes wraps off Web-based digital glasses | Reuters
SAN FRANCISCO | Thu Apr 5, 2012 6:08am EDT
(Reuters) - Google Inc is getting into the eyewear business with a pair of thin wraparound shades that puts the company's Web services in your face.
The experimental "augmented reality" glasses - from the same team that is developing self-driven cars - can snap photos, initiate videochats and display directions at the sound of a user's voice.
The prototype digital glasses, unveiled on the company's Google+ social network on Wednesday, are still being tweaked and tested, and are not available in stores yet.
"We're sharing this information now because we want to start a conversation and learn from your valuable input," Google wrote in a post on a Google+ page devoted to Project Glass.
The spectacles are being developed by a secretive group within Google that works on advanced research projects such as self-driving cars.
The Google+ page featured a 2-1/2 minute video, shot from the perspective of someone wearing the glasses. The wearer goes about his day walking through New York City while speaking commands to the glasses to do things such as take a photo and post it to Google+, get block-by-block directions and weather conditions and get a pop-up alert when a friend is nearby.
The Google (GOOG.O) posting is intended to show "what this technology could look like," the company said. Mock-up images of the glasses on the Google+ page depict a stamp-sized digital display that seems attached to a pair of glasses and sits at the top corner of one of the lenses.
The post asks people to submit their suggestions for what they would like to see in the glasses.
Google, the world's No. 1 search engine, is famous for letting its employees work on ambitious projects that don't always have a direct relation to its business.
Those projects have not always sat well with investors, who worry about Google's spending on projects with uncertain returns.
Google Chief Executive Larry Page has cut down on many of the projects and products underway at the company since taking the reins a year ago. But he has defended Google's commitment to working on "speculative" projects that could one day turn into "billion-dollar businesses," though he has stressed the company isn't "betting the farm" on such efforts.
The glasses could provide a way for Google to more closely entwine its advertising-supported online services, including Web searches, maps and email, into people's daily lives.
The glasses also could help Google match some of the buzz that rival Apple Inc (AAPL.O) has generated with its latest iPhone and the built-in Siri digital assistant, which takes spoken commands to do such tasks as schedule calendar appointments and get weather forecasts.
A Google insider said it is unclear when the glasses might be commercially available, but noted that the philosophy of that Google group is to develop technologies that can be used in a relatively short period of time, rather than dreaming up creations that won't be possible for 10 or more years.
The glasses, under development for two years, will be tested in public by members of the Google team, according to the Google insider.
Shares of Google, which reports its first quarter financial results next week, fell about 1.2 percent to close at $635.15 on Wednesday amid a broad market sell-off.
(Reporting By Alexei Oreskovic; Editing by Richard Chang)