According to several U.S. security agencies, an attack spreading across the web through browser-based Java software has already hit Windows and poses a serious danger to Mountain Lion OS X.
While the latest Java update, Java 7, has performed stably, security personnel have warned over the last year that it is vulnerable to numerous exploits. Oracle has consistently released critical patches to fix security bugs, with the last update two months ago fixing 14 dangerous vulnerabilities.
Like other Java bugs, today’s “zero-day” bug works by duping users into visiting a website filled with malicious code. When the user visits that website, the malicious applet downloads itself onto the previously clean computer. In order to protect yourself immediately, security businesses and anti-virus developers recommend disabling all of your Java plug-ins and erasing Java 7 from your computer. However, that might be a bit of overkill. Disabling the Java browser plug-in, so that applets from untrusted sources cannot run, should be enough.
A “zero-day” attack exploits a previously unknown application vulnerability, meaning it can cause damage from the very day it is found.
Experts warned the security community earlier this morning about the dangerous hole. They said the exploit can be used against OS X systems running the 1.7 Java Runtime Environment, which comes with the latest software upgrade. Security researchers triggered the bug using Metasploit code in the Firefox and Safari browsers, as well as in Microsoft Explorer. So far, the bug has only appeared on Microsoft Windows systems, but the experts say it is a matter of time before it is found on Apple computers.
Even if systems are protected by proper security procedures, the experts warn the vulnerability could be around for a while. The current version of the Java application has been the source of big security breaches in the past year.
UPDATE: We’ve been notified that Mac users are only at risk of the bug if they install the new Oracle 1.7 build. So most Mac users should be safe. Thanks to @miketrose.
- Source: Computerworld