Apple Patches Malware-Targeted Java Bug


Apple released Wednesday a patch for multiple Java vulnerabilities, a couple of days after a security vendor reported that password-stealing malware exploiting the flaws was floating about the Web.

Apple launched Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7 almost two months after patches for the same exploits were released for Windows. Experts often criticize the Mac maker for taking too long to patch Java vulnerabilities.

Apple's delay in getting out patches has led to security vendors recommending Mac owners disable Java and use the technology only as needed. "Mac users and IT admins for Macs should review whether Java is actually needed for their usage," Wolfgang Kandek, chief technology officer for security vendor Qualys, said in the Redwood Shores, Calif.-based company's blog.

[Related: 2012 Partner Programs Guide: 5-Star Security Vendors]

The latest Apple updates are for Mac OS X v10.6.8 and OS X Lion v10.7.3, including the sever versions. The patches fix Java 1.6.0_29. For detailed information on the flaws, Cupertino, Calif.-based Apple recommends going to the site of Java-owner Oracle.

The most serious vulnerabilities enable a cyber-criminal to execute code on a Web browser, including Apple Safari, when a person visits a compromised Web site. Crooks can run the code on a Mac without requiring the user to enter a password.

Helsinki, Finland-based F-Secure reported Monday that a variant of the Flashback malware exploiting unpatched Java on the Mac had been spotted on the Internet. Flashback, which targets the Safari and Firefox Web browsers, is designed to steal passwords to online banking and other Web sites visited by people with an infected Mac.