Apple and Mozilla take on Java vulnerabilities
Apple has released a security update to its Mac OS X Java implementation and Mozilla has moved to blacklist all non-current versions of Java in Firefox, at least on Windows. Apple's security update for its Mac OS X implementation of Java brings its Java SE 6 back into line with the most recent release, 1.6.0_31, from Oracle.
A number of flaws in the previous version of Java for Mac OS X, based on 1.6.0_29, have been exploited by a new version of the Flashback trojan and, with no update available, Mac OS X users' only option to protect themselves was to disable Java. The flaws allowed arbitrary code execution outside the Java sandbox; simply visiting a page that carried a maliciously crafted untrusted Java applet was enough to compromise a system. The Apple Java update is available for Mac OS X 10.7 (Lion) and 10.6.8 (Snow Leopard) and the server versions; it can be installed through Mac OS X's Software Update. Details of the changes are available in About the security content of Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7.
The vulnerabilities being exploited by the Flashback trojan are the same ones that are also being used as part of a large-scale attack on Windows systems. Although the update was made available for Windows in February, Java updates are generally slow to be picked up by the general population, which makes the vulnerabilities very useful to malware authors.
Mozilla has announced that, to ensure these older versions are not loaded, the blocklist for Windows Firefox will now include the Java Plugin for Java SE 6 Update 30 and earlier and Java SE 7 Update 2 and earlier. The blocklist will stop users from using the earlier versions unless, when notified of the block, they make an explicit choice to keep the plugin enabled. Mozilla has not added the Java plugin to the blocklist for Mac OS X because, at the time of the announcement, the updated Mac OS X Java had not been made available. Mozilla does plan to add older versions of the Mac plugin to the blocklist at a later date. Windows users can update their Java installation by downloading an up-to-date version of the Java Runtime Environment.
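The blocklist ranges above are defined by Java family and update number, so an administrator auditing installed plugins needs to parse Oracle's legacy "1.6.0_31" version strings and compare them against those cut-offs. The following is an added example written for this article, not Mozilla's blocklist code; the thresholds are transcribed from the text, and the choice to treat unparseable version strings as blocked is this example's own assumption.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Thresholds from the article: Java SE 6 Update 30 and earlier and
# Java SE 7 Update 2 and earlier are blocked. Family -> highest blocked update.
BLOCKED_UP_TO: Dict[int, int] = {6: 30, 7: 2}

# Oracle's legacy form "1.<family>.<minor>_<update>", e.g. "1.6.0_31".
_VERSION_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for a legacy version string, or None.

    "1.6.0_29" -> (6, 29); "1.7.0_02" -> (7, 2); "1.7.0" -> (7, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    family, _minor, update = m.groups()
    return int(family), int(update or 0)


def is_blocklisted(version: str) -> bool:
    """True if the plugin version falls inside the blocked ranges.

    Assumption (not from the article): a version string that cannot be
    parsed is reported as blocked, so an unverifiable plugin fails closed.
    Families the article does not list (e.g. 1.8.x) are not blocked here.
    """
    parsed = parse_java_version(version)
    if parsed is None:
        return True
    family, update = parsed
    if family not in BLOCKED_UP_TO:
        return False
    return update <= BLOCKED_UP_TO[family]


def audit(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each plugin version string to its block decision."""
    return {v: is_blocklisted(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of plugin versions as an inventory tool might report them.
    for ver, blocked in audit(["1.6.0_29", "1.6.0_31", "1.7.0_02", "1.7.0_03"]).items():
        print(f"{ver}: {'BLOCKED' if blocked else 'ok'}")
```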