Mac Java hole exploited by wild Flashback Trojan strain Security watchers have discovered a strain of Mac-specific malware that exploits an unpatched vulnerability in Java. A variant of the Flashback Trojan exploiting CVE-2012-0507 (a Java vulnerability) has been spotted in the wild, F-Secure warns. Oracle patched the vulnerability for Windows machines in February but is yet to …
"Some banking websites mandate the use of Java, in which case security-conscious Mac fanbois can re-enable Java for the duration of their session before turning it off again, the Finnish security firm suggests."
Really? Re-enable a critically vulnerable piece of software for which there are exploits in the wild to allow internet banking transactions?? I *HOPE* F-Secure are yanking your chain on this, that's the daftest bit of security advice I've heard in ages!
Yes, yes, yes JDX - we all know that, but it's not quite that simple is it?
The key information here is that exploits have been found in the wild so there has been a period of time when machines may already have been compromised and this compromise will likely not have been detected - certainly not by lay users who are the main target of this advice. In that situation using your banking website (or any other that uses sensitive credentials) at all is utterly foolish.
Even if the machine is currently clean it's a stretch to imagine most lay users will take this advice as meaning closing all other browser tabs and web-enabled applications that are potentially vulnerable. Any advice other than not using this software until it is patched is irresponsible.
Of course any complex software will have bugs. The issue is client Java the past few years has been responsible for more serious/critical CVEs than any other cross platform software save for Adobe's crapware (flash, reader, etc). Competing with Adobe security wise when one of the original selling points of the language was security is not good.
...the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits.
I'm not sure whether the agreed transition of Java support for Mac OS X from Apple to Oracle has happened. Apple still supplies it but do we know who does the maintenance?
Regardless of that, the plain fact is that Mac OS X 10.7 Lion does NOT install Java by default. Anyone who wants it can get it, but it's not present unless the user specifically installs it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
