Tag Archives: snow leopard

Another OS X Java Update to Mitigate Flashback-like Malware

In two posts [ 1 / 2 ] last week, I warned you about an Apple OS X Java update that fixed a vulnerability attackers were leveraging to spread a Mac trojan called Flashback. According to reports, this botnet trojan infected over 600,000 Mac users.

Today, Apple released yet another OS X Java update, this time designed to remove Flashback infections and to potentially mitigate future Java attacks.

According to Apple’s advisory, Java for OS X Lion 2012-003 configures the Java web plug-in to disable automatic execution of Java applets. This means that if you visit a web page containing malicious (or legitimate) Java code, that code will not run automatically, which may prevent a drive-by download attack. The update still allows you to manually re-enable automatic Java applet execution. However, if you do so, the plug-in will disable it again if it detects that you haven’t run Java applets for a long period of time.

This update also tries to detect and remove Flashback infections from your computer. It will inform you if it finds and removes an infection; otherwise, it will remain silent when installed.

Though I don’t think the 2012-003 Java update is as critical as the first ones (which actually corrected Java vulnerabilities), it can help mitigate future Java-based attacks. If you’re a Mac user, I recommend you install it as soon as you can, or let Apple’s Software Updater do it for you. One note though…at the time of writing, though Apple had released their advisory and email about this update’s availability, I could not locate the update on their download page. I can only assume they either haven’t finished posting it, or have pulled it temporarily for some reason. In any case, I suspect it will show up on their download page, or in their Software Updater shortly.  — Corey Nachreiner, CISSP (@SecAdept)

Update OS X Java to Avoid Spreading Mac Malware

Summary:

  • This vulnerability affects: OS X 10.7.x (Lion) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing you to a website containing maliciously crafted Java
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X Lion 2012-002 or Java for OS X 10.6 Update 7 immediately, or let Apple’s updater do it for you.

Exposure:

Yesterday, Apple released an advisory describing a Java security update for OS X 10.6.x and 10.7.x. The update fixes 12 vulnerabilities in OS X’s Java components (number based on CVE-IDs).

Apple doesn’t describe each flaw in technical detail, but they do share the worst case impact. If an attacker can lure you to a website containing specially crafted Java code, he can exploit many of these vulnerabilities to execute code on your OS X computer, with your privileges.

This Apple update finally brings the Java updates Oracle released in February to OS X users. Unfortunately, attackers have already been exploiting one of these Java vulnerabilities against Mac users in the wild. A Mac trojan called Flashback has reportedly infected over 600,000 Macs, by leveraging one of these Java flaws (as well as a Flash vulnerability in the past). If you have any Mac computers in your organization, we highly recommend you install Apple’s OS X Java update immediately. You can also find instructions for checking your Mac for the Flashback malware here.

Solution Path:

[UPDATE] On Friday, Apple quietly changed the Lion Java update from 2012-001 to 2012-002 for undisclosed reasons (likely the original update didn’t fully work). We have updated this alert to include the new patch. If you updated OS X before Friday, be sure to do so again.

Apple has issued Java for OS X Lion 2012-002 [dmg file] and Java for OS X 10.6 Update 7 [dmg file] to correct these flaws. If you manage OS X 10.6.x or 10.7.x computers, we recommend you download and deploy these updates immediately, or let OS X’s automatic Software Update utility install it for you.

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most WatchGuard appliances automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Latest OS X Java Updates Prevent Code Execution

Summary:

  • This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X 10.5 Update 9 or Java for OS X 10.6 Update 4 as soon as possible, or let Apple’s updater do it for you.

Exposure:

Today, Apple issued two advisories [ 1 / 2 ] describing Java security updates for OS X 10.5.x and OS X 10.6.x. The advisories warn of 16 vulnerabilities in OS X’s Java components (number based on CVE-IDs).

Apple doesn’t describe these flaws in specific detail; rather, they only share the potential impact of the worst case flaw. By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit some of these Java flaws to either execute code or elevate privileges on your users’ OS X computers. In most cases, the attacker would only gain the privileges of the currently logged in user, which doesn’t include root or administrator access in OS X. Nonetheless, we recommend you install Apple’s OS X Java update as soon as possible.

Solution Path:

Apple has issued Java for OS X 10.5 Update 9 [dmg file] and Java for OS X 10.6 Update 4 [dmg file] to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these updates as soon as possible, or let OS X’s automatic Software Update utility install the proper update for you.

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

Apple Posts OS X Java Updates for Tiger and Leopard

Summary:

  • This vulnerability affects: OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard)
  • How an attacker exploits it: By enticing your users to a malicious website containing specially crafted Java applets
  • Impact: In the worst case, an attacker executes code on your user’s computer, with that user’s privileges
  • What to do: Install Java for OS X 10.5 Update 8 or Java for OS X 10.6 Update 3 as soon as possible, or let Apple’s updater do it for you.

Exposure:

Yesterday, Apple issued two advisories [ 1 / 2 ] describing Java security updates for OS X 10.5.x and OS X 10.6.x. The advisories warn of multiple vulnerabilities in OS X’s Java components; specifically, six Java vulnerabilities in 10.5.x and four in 10.6.x (number based on CVE-IDs). Though the updates only fix a few flaws, many of them pose a serious risk.

For the most part, Apple only describes the impact of these vulnerabilities, leaving out technical details. In general, the flaws share the same potential impact: By luring one of your users to a malicious website containing a specially crafted Java applet, an attacker can exploit these Java flaws to either execute code or elevate privileges on your users’ OS X computers. In most cases, the attacker would only gain the privileges of the currently logged in user, which doesn’t include root or administrator access in OS X. Nonetheless, we recommend you install Apple’s OS X Java update as soon as possible.

As an aside, Microsoft recently pointed out that malware exploiting Java flaws has exploded during 2010. Though no one has reported Mac-based Java threats in the wild yet, I would recommend keeping Java up to date.

Solution Path:

Apple has issued Java for OS X 10.5 Update 8 [dmg file] and Java for OS X 10.6 Update 3 [dmg file] to correct these flaws. If you manage OS X 10.5.x or 10.6.x computers, we recommend you download and deploy these updates as soon as possible, or let OS X’s automatic Software Update utility install the proper update for you.

For All WatchGuard Users:

Some of these attacks rely on one of your users visiting a web page containing malicious Java bytecode. The HTTP-Proxy policy that ships with most Firebox models automatically blocks Java bytecode by default, which somewhat mitigates the risk posed by some of these vulnerabilities.

Status:

Apple has released Java updates to fix these issues.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

 

