Apple blacklists Java on OS X to prevent latest “critical” exploits

Apple has blacklisted the latest version of the Java browser plugin to protect Mac users from the latest Java exploits. As noted by MacRumors, OS X now requires a newer, as-yet-unreleased version of the Java plugin; that version is expected to close a hole that an incomplete patch Oracle shipped for Java last year left open.

Previously, updating OS X's built-in malware protections required a point release of the operating system. Now Apple can quickly push a new version of a definition file called Xprotect.plist, and OS X checks a secure Apple server for updates to it once a day. As of Friday, that file blacklists the current version of the Java plugin, so a newer version is required before Java applets will run in a browser.

The latest known security hole in Java is already being "massively exploited in the wild," according to security researchers. The US Computer Emergency Readiness Team (CERT) issued a warning that Java should be disabled in browsers until a patch is released by Oracle.


Critical Java vulnerability made possible by earlier incomplete patch (Updated)

The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.

The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle's Java software framework, which is installed on more than 1 billion PCs, smartphones, and other devices. Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has continued into 2013: on Thursday researchers reported yet another critical bug that is being "massively exploited in the wild".

According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.
