Users of Macs that are still running older OS versions such as Snow Leopard and earlier, as well as those running newer OS versions but have installed Java on their own, are advised to turn off the Java functionality in both their browser and system, thanks to a critical new flaw found in all currently-supported versions of Java, including the latest ones. The bug allows attackers to bypass security features and install malware on Macs or Windows machines that have Java installed and active. All versions from Java 5 on up are affected by the flaw.
Security researcher Adam Gowdiak found the issue just days before the start of Oracle’s annual JavaOne conference, and could affect as many as one billion computers. The flaw was even found in the very latest developer preview build from September 20. Current Mac users have a lower risk of seeing the issue due to the fact that Apple stopped shipping a version of Java with Macs beginning with OS X 10.7 (Lion), in part because of the number of security issues. There have been at least two critical exploits already patched this year — one of them so severe Oracle was forced to issue a rare “emergency” update at the end of August.
The August flaw was limited to Java 7, which Mac users can optionally install on their machines but must do so manually. Users on both Macs and PCs were advised at the time to downgrade Java to version 6, which was considered safe. However, the new flaw covers all recent versions, and thus the risk of attacks is far more widespread than the August exploit. While no reported attacks exploiting the new issue have been reported so far, Gowdiak feels its a matter of time before his research is duplicated and used by cyber criminals. He told Computerworld he reported the issue on Tuesday, and received confirmation of the problem earlier today.
Oracle is said to have promised to address the flaw in a future update, but didn’t specify a time frame. In early September of this year, Apple issued an unusual post-support Java patch for users of Lion and Snow Leopard systems that would automatically disable Java if it hadn’t been used in a while, and turns off the “always on” status of the Java plug-in (though if a user encounters a site or web program that needs Java, a dialogue appears asking if the user wants to re-enable it temporarily).
Lion and Mountain Lion don’t ship with Java, but if it is installed the program has to ask permission from the user to run before each occurance. For this reason, it’s likely that few if any Macs running fully-patched Snow Leopard and higher systems will be affected — but there aren’t any safeguards on Leopard and Tiger system, which while well outdated are still seen running in a small percentage of the Mac userbase. Java is much more widely installed on Windows systems, and this is where any attacks are likely to be focused.
The bug affects Java in all current browsers that can use a Java plug-in, including Safari, Firefox, Chrome, Internet Explorer 9, and Opera. Gowdiak recommends users disable the browser plug-in at least until Oracle issues a patch. The next regular release of Java updates is scheduled for October 16, though given the potential severity of the issue and the timing of the announcements, Oracle may work to release a patch before the end of the month.
