Nishtha Kanal, Feb 20, 2013 16:43:40 IST
While this is the standard quarterly update of the Java 6 runtime that Apple distributes, users who want Java 7 must get it directly from Oracle's site, since Apple ships only Java 6. The update also includes a malware removal tool that removes the most common variants of malware.
On Mountain Lion, choosing Software Update from the Apple menu hands off to the Updates tab of the Mac App Store, where the update is listed; on Snow Leopard and Lion it appears in Software Update itself. Apple also offers two separate download packages on its software download site, one for OS X Snow Leopard and one for OS X Lion and Mountain Lion.
A new update is out
With this patch, Java 6 on OS X moves to version 1.6.0_41. On systems still running a Java release older than Java for OS X 2012-006, the Java SE 6 web plug-in is blocked entirely.
Apple's release note for the update reads, “This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle. This update also removes the Java Preferences application, which is no longer required to configure applet settings.”
The update closes the Java sandbox escape that the attackers exploited in the intrusion Apple disclosed the same day. The vulnerabilities it lists were fixed for OS X 10.6 several weeks ago but, oddly, remained open on 10.7 and 10.8 until now. In its advisory, Apple said that multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox; visiting a web page containing a maliciously crafted untrusted Java applet may therefore lead to arbitrary code execution with the privileges of the current user.
Apple has repeatedly urged users to remove the Java web plug-in, or at least disable it, if they do not need it. At the beginning of this month Apple blocked the Java web plug-in on OS X for the second time this year, pushing out an XProtect update that refuses to load plug-in versions below a minimum Apple sets, out of concern that a critical vulnerability Oracle's earlier patch failed to fix could still be exploited despite Oracle's other security mechanisms.
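A post-update audit covering the three things the article describes (the Java 6 runtime reaching 1.6.0_41, the Apple applet plug-in being uninstalled, and XProtect's minimum plug-in version). This is an added example, not code from the article or from Apple; the plug-in bundle path, the XProtect.meta.plist location and the JavaWebComponentVersionMinimum key are those used on OS X 10.6 through 10.8 in early 2013 and are assumptions if Apple has since moved them. The parsing and comparison helpers take their input as arguments so they can be exercised without a Mac.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): audit a Mac after the
# Feb 2013 Java update. Checks Java 6 level, Apple applet plug-in removal,
# and the minimum Java web plug-in version XProtect currently enforces.
# Paths and the XProtect key name are 2013-era values and assumptions.

PATCHED="1.6.0_41"                                             # version this update delivers
PLUGIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"    # Apple's applet plug-in bundle
XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Pull the quoted version out of `java -version` output (which goes to
# stderr, hence 2>&1 at the call site), e.g. 'java version "1.6.0_37"'.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed (0) when Java 6 version $1 is at least $2; return 2 when $1 is
# not a Java 6 version at all, since Oracle's Java 7 is patched separately.
java_version_at_least() {
    v=$1
    want=$2
    case $v in
        1.6.0_*) ;;
        *) return 2 ;;
    esac
    [ "${v##*_}" -ge "${want##*_}" ]
}

# Live check of this host; returns 1 if anything is still unpatched.
audit_host() {
    rc=0
    out=$(java -version 2>&1) || { echo "java is not installed or not runnable"; return 1; }
    v=$(java_version_from_output "$out")
    [ -n "$v" ] || { echo "could not parse java -version output: $out"; return 1; }

    status=0
    java_version_at_least "$v" "$PATCHED" || status=$?
    case $status in
        0) echo "Java $v: at or above $PATCHED" ;;
        2) echo "Java $v is not Java 6: check Oracle's update channel instead" ;;
        *) echo "Java $v: below $PATCHED, apply the Apple update"; rc=1 ;;
    esac

    if [ -e "$PLUGIN" ]; then
        echo "Apple applet plug-in still present: $PLUGIN"; rc=1
    else
        echo "Apple applet plug-in removed (browsers will show 'Missing plug-in')"
    fi

    # `defaults read` wants the path without the .plist suffix. Key name is
    # an assumption based on the 2013-era XProtect.meta.plist layout.
    min=$(defaults read "${XPROTECT_META%.plist}" JavaWebComponentVersionMinimum 2>/dev/null) \
        && echo "XProtect blocks Java web plug-ins older than $min"
    return $rc
}

# Only touch the host when asked, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
    audit_host
fi
```

Save it as, say, audit_java.sh and run `sh audit_java.sh --live` on the Mac being checked; a non-zero exit means the runtime is still below 1.6.0_41 or the Apple plug-in bundle is still on disk.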
This update arrived only hours after Apple announced that a "small number" of employee computers had been compromised in an attack that exploited a Java vulnerability. The company says there is "no evidence that any data left Apple" and that no user data was compromised. The malware was evidently written for Macs, machines widely assumed to be safe.
In a worrisome revelation, Apple said the same malware was used in attacks on Macs at "other companies" but did not elaborate on the scale of the campaign. "Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," the company said in a statement. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."