New unpatched Java vulnerability discovered!

Published August 27th, 2012 at 8:50 PM EDT , modified August 29th, 2012 at 1:42 PM EDT


Intego announced today the discovery of a new Java vulnerability that is being actively exploited in the wild to install Windows malware. Unfortunately, all users of Java 7 are vulnerable, regardless of system, and there is currently no patch available to fix the vulnerability. Although there is no known Mac malware being installed via this exploit, that could change at any time. There could be Mac malware beginning to spread via this exploit, just as Flashback did, as you read this.

Users of Java 6, which is the version that installs by default when you try to open a Java applet and tell the system to install Java for you, apparently have nothing to fear. The vulnerability should only affect Java 7, which is only available by downloading directly from Oracle’s web site. (For more details, see Brian Krebs’ report.) If you are not sure what version of Java you are running, open the Terminal (found in the Utilities folder in your Applications folder) and enter the following command:

java -version

If the version reported is 1.6.x (where the ‘x’ can be anything), you have Java 6 and are thus safe from this particular vulnerability. If it is 1.7.x, you are vulnerable, as you have installed Java 7. If you are instead asked to install Java, that is because you don’t have Java at all; decline the installation, and you will be safest of all.
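The check above can be scripted so that the 1.6.x / 1.7.x rule from the post is applied automatically. The following is an added example, not code from the original post: a small POSIX shell function that classifies the first line of “java -version” output, plus a wrapper that runs the real java binary if one is present. Note that “java -version” writes to standard error, so the output has to be redirected with 2>&1 before it can be captured. The “No Java runtime present” message is the text the OS X java stub is assumed to print when Java is not installed; the sample version lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): apply the post's rule
# (1.6.x = safe from this bug, 1.7.x = vulnerable) to `java -version` output.

# classify_java_version LINE
#   LINE is the first line printed by `java -version`, for example:
#     java version "1.7.0_06"
#   Prints exactly one word: none, java6, java7 or other.
classify_java_version() {
    line=$1
    case $line in
        "")
            # Nothing captured: treat as no Java present.
            echo none ;;
        *"No Java runtime"*)
            # Assumed text of the OS X stub when Java is not installed.
            echo none ;;
        *'"1.6.'*)
            echo java6 ;;
        *'"1.7.'*)
            echo java7 ;;
        *)
            echo other ;;
    esac
}

# check_installed_java
#   Runs the real java binary, if any, and classifies its version line.
#   `java -version` prints to stderr, hence the 2>&1 redirection.
check_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo none
        return 0
    fi
    first=$(java -version 2>&1 | head -n 1)
    classify_java_version "$first"
}

# Constructed sample lines, shown here so the script demonstrates itself
# even on a machine with no Java installed.
for sample in 'java version "1.6.0_33"' 'java version "1.7.0_06"'; do
    printf '%s -> %s\n' "$sample" "$(classify_java_version "$sample")"
done

# Report on this machine's actual Java, if any.
printf 'installed: %s\n' "$(check_installed_java)"
```

A result of java7 means the browser plug-in should be disabled as described below; java6 or none means this particular bug does not apply, though the post's general advice to keep Java off still stands.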

It is critical that anyone who has installed Java 7 turn off Java in their web browser ASAP! I also advise those using Java 6 to do the same, just on general principles. Java is more full of holes than Swiss cheese, and trusting it has become very dangerous. In Safari, disabling Java is done by unchecking Enable Java in the Security pane of the preferences window (accessed by choosing Preferences from the Safari menu).

In Firefox, select Add-ons from the Tools menu, and in the Plugins pane, disable anything related to Java.

If you cannot disable Java in your web browser for some reason – for example, if your work requires Java or you’re a hopeless Runescape addict – then my advice is to keep it turned off except when you are visiting sites that you absolutely need Java for, and that you trust. Of course, that could require lots of trips to the preferences in your browser to turn Java on and off. It may be more convenient to use a secondary browser. Keep Java turned on in one browser and use it only for trusted sites that require Java. Use your other browser for all other sites.

You would also be wise to disable Java system-wide. Open Java Preferences, which is found in the Utilities folder in the Applications folder. If it refuses to open, saying that you need to install a Java runtime, then you don’t have Java installed and are thus safe. However, if it opens, you should immediately uncheck the box reading “Enable applet plug-in and Web Start applications” in the General tab of Java Preferences.

For more information about the Flashback malware, which illustrates the danger a Java vulnerability can pose, see About the Flashback malware. For information about Java in Mac OS X, see Using Java in Mac OS X.

If you have Java 7 installed, you would be wise to keep an eye on Oracle’s site for an update to Java 7. The current (unpatched) version of Java 7 as of this writing is Java SE 7u6. If you see something newer, install it, though I would still recommend keeping Java disabled.

