Apple ships fixes for new Java Web Start hole

In the latest Apple update for Mac OS X 10.8, 10.8.3, and Security Update 2013-001 for earlier Mac OS X versions, Apple has fixed a flaw which allowed malicious Java code to be run even when the Java plugin was disabled. The updates fix 21 CVE-listed flaws in Mac OS X, of which 11 are listed as allowing for remote code execution.

The Java fix is listed under "CoreTypes" as it does require the file to have been downloaded onto the system. It turns out that the system will attempt to run files automatically if they are labelled as safe and that the Java Web Start application files, .jnlp, were listed among these safe files. An attacker would need to convince a victim, through social engineering or technical trickery, to download the .jnlp file and, if the browser was set to execute safe files, that code would run. At no time would the Java plugin have been involved, so disabling Java in the browser would not have any effect on the process. Apple's fix involves simply removing .jnlp from the list of safe file types; this means Mac OS X users will still be able to explicitly start Web Start applications.

Other flaws fixed in the updates include an Apache directory traversal bug, an authentication bypass, a TIFF exploit, graphics data memory corruption, information disclosure within the kernel, the ability to launch apps using VoiceOver on the login screen, unprompted Facetime calls and remote rerouting of Jabber calls. PDF annotations could lead to remote execution, as could a bounds error in Quicktime.

There were also remote code execution flaws in the Ruby-on-Rails-based Podcast Producer Server, Profile Manager, and Wiki Server, specifically the XML and JSON bugs that affected Rails applications through January and February. Pre-10.8 systems were also vulnerable to a man-in-the-middle attack on software update.

The update also added a malware removal tool which, if it finds and removes common malware, will pop up a dialog informing the user that this has been done; otherwise, it remains silent. It also includes the Safari 6.0.3 security fixes covering WebKit memory corruption and cross-site scripting attacks.

The update can be installed on a Mac OS X system by selecting the Software Update option in the Apple menu or it can be downloaded from Apple as a 10.8.3 Combo Update or Security Update 2013-001 for Snow Leopard 10.6 and Lion 10.7. For further information about the 10.8.3 update, consult the About the OS X Mountain Lion v10.8.3 Update page which includes details of non-security bugs fixed, new features and performance enhancements.

(djwm)