There’s a serious Java vulnerability that could indeed affect Mac security. The feds advise disabling Java because the vulnerability is being actively exploited in the wild and upwards of 850 million computers are vulnerable. Meanwhile, Oracle is promising that a fix will be released in short order.
In the here and now, the Department of Homeland Security (DHS), the people that put on security theater at the airport, has issued an alert stating that anyone with Java installed should disable it. Moreover, the security issue affects Java 4 through Java 7, says the National Vulnerability Database.
“We are currently unaware of a practical solution to this problem,” said the DHS’ Computer Emergency Readiness Team (CERT). “This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.”
DHS, unaware? Say it isn’t so. But fear not, intrepid Mac users, because Apple in its infinite wisdom has done something brilliant — updated OS X’s integrated security app, XProtect, to prevent anything but Java 1.7.0_10-b19, which hasn’t been released yet, from running automatically.
So, when Oracle gets its act together, XProtect will again allow Java to automatically run when needed.
[u] Oracle has issued a fix that’s available from Oracle, though it hasn’t yet appeared in the Mac App Store.
Further, assuming that you have Java installed on your Mac and haven’t used it in the last 90 days, OS X already automatically disabled it.
Mac Security: Trust With Verification
To check that your Mac has received the XProtect update, which Apple delivered via a background push update on Thursday, January 10, get Adam Christenson’s Safe Download Version (image above).
So, Apple’s XProtect, which is part of OS X 10.6.x, 10.7 and 10.8, obviates this new Java security issue automatically as long as you’re connected to the internet. The Macintosh, it just works…