Latest Apple Mac OS X Java update doesn’t fix exploit

Apple released a Java update on Wednesday 5th September. Java for OS X 2012-005 and Java for Mac OS X 10.6 Update patch versions of Java for OS X Lion and Mountain Lion but only fix the issues found in CVE-2012-0547. This update doesn’t address the CVE-2012-4681 exploit. Anyone remember the Flashback Trojan which exploited a Java bug?

The mega update from Oracle last week patched CVE-2012-4681 in the vulnerable Java Runtime Environment (JRE) 1.7, but that patch is now claimed to be unstable. So my advice would be to uninstall Java right now, until Oracle and Apple come back with a stable patch.

Simple tips – How to: (using popular browsers)

  • Uninstall Java or disable the Java browser plug-ins in Safari and Firefox
  • Disable Java in Chrome – copy and paste chrome://plugins/ into the address bar > hit ‘Return’ > scroll down to the Java plug-in and click ‘Disable’
  • Disable Java in Opera – configure plug-ins to execute only on demand: Opera > Settings > Preferences… > Advanced > Enable plug-ins only on demand
  • Disable Java in Internet Explorer – Tools > Manage add-ons > scroll down in the right-hand window until you find the two plug-ins Java(tm) Plug-In 2 SSV Helper and Java(tm) Plug-In SSV Helper > click each one and click ‘Disable’. Both plug-ins should now be disabled. Note: where it says “Show”, click the drop-down and choose All add-ons – otherwise you will not see ALL add-ons
  • Use a second browser (not your primary one) for sites that need Java, such as banking or financial websites

Safe surfing folks!

Bootnote: This update configures the Java plug-in to deactivate when no applets are run for an extended period of time. If the prior update named “Java for OS X 2012-004” was not installed, this update will disable the Java web plug-in immediately. Java applets may be re-enabled by clicking the region labeled “Inactive plug-in” on a web page.
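The tips above tell you to uninstall Java or switch the plug-in off, and the comment thread below narrows the exposure to the Java 1.7 family. The script that follows is an added example, not code from the original post or from Apple or Oracle: it reads the banner that `java -version` prints, classifies the runtime as the 1.7 family (affected) or 1.6 (not affected, per the comments), and checks whether the Java web plug-in bundle is installed. It assumes the banner has the usual `java version "1.x.y_zz"` form and that the plug-in bundle lives at `/Library/Internet Plug-Ins/JavaAppletPlugin.plugin`; the two sample banners are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple/Oracle.
# Classifies the Java runtime a Mac reports against the two versions discussed
# on this page (1.6 vs 1.7) and checks whether the Java web plug-in bundle is
# installed. Assumptions: `java -version` prints its banner on stderr as
# 'java version "1.x.y_zz"', and the plug-in bundle sits at
# /Library/Internet Plug-Ins/JavaAppletPlugin.plugin (default; overridable).

# Pull the quoted "1.x.y_zz" token out of a `java -version` banner passed as $1.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Minor number of a version token: "7" for 1.7.0_06, "6" for 1.6.0_35.
java_minor() {
    printf '%s\n' "$1" | cut -d. -f2
}

# Classify a banner. Per the comment thread on this page, CVE-2012-4681
# affects the Java 1.7 family only, so 1.6 is reported as not affected.
classify_java() {
    ver=$(java_version_string "$1")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    case "$(java_minor "$ver")" in
        7) echo "affected-family" ;;   # 1.7: needs Oracle's fix or the plug-in disabled
        6) echo "not-affected" ;;      # 1.6: not exposed to CVE-2012-4681
        *) echo "unknown" ;;
    esac
}

# True (exit 0) when the Java web plug-in bundle directory exists.
plugin_present() {
    [ -d "${1:-/Library/Internet Plug-Ins/JavaAppletPlugin.plugin}" ]
}

# Constructed sample banners so the functions can be exercised offline.
SAMPLE_16='java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10-428-11M3811)'
SAMPLE_17='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'

# Live check on the machine running the script, skipped when java is absent.
if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1)
    echo "installed runtime: $(java_version_string "$banner") -> $(classify_java "$banner")"
fi
if plugin_present; then
    echo "Java web plug-in bundle is present; disable it in each browser per the tips above"
else
    echo "Java web plug-in bundle not found"
fi
```

Run it as `sh check-java.sh` on the Mac in question; a result of `affected-family` together with a present plug-in bundle is the combination the tips above are meant to remove, while `not-affected` matches the 1.6 situation described in the comments.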


2 Responses to Latest Apple Mac OS X Java update doesn’t fix exploit

  1. Julian,

    The Apple update doesn’t fix CVE-2012-4681 for OS X because OS X’s Java implementation isn’t vulnerable to it. OS X ships with Java 1.6 and that flaw only affects Java 1.7. You should not expect an update for that issue in OS X unless Apple also updates to Java 1.7.

    I mention this in my weekly security recap video:

  2. Julian says:

    Corey – I’ve double-checked – you are correct. OS X uses Java 1.6, so isn’t vulnerable to CVE-2012-4681. It does, however, patch other security flaws that do affect Java 1.6. Thanks a million for the clarification. 🙂
