Apple has just issued a Java update that fixes a major security vulnerability in Java on Macs running OS X Lion and OS X 10.6. The update addresses a dozen security flaws, one of which has been exploited by hackers for at least two weeks. All of these flaws were classified as “critical” by Apple, so it’s good to know that the issue is under control.
Apple no longer updates Java as part of its full system updates, so you will not be prompted to install this update until you run a Java applet on your system. It is recommended that you install this update as soon as possible, because the Flashback Trojan is already using this exploit, and it could cause serious issues for Mac users.
According to Apple’s support page, “Multiple vulnerabilities exist in Java 1.6.0_29, the most serious of which may allow a malicious Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user.”
Once the malicious script runs, a dialog box pops up asking the user for their password. However, even if the user dismisses it, the malware is already on the machine.
It’s possible that over 550,000 Macs are already infected with the Flashback Trojan, according to the Russian firm Dr. Web.
It’s good to see that Apple pushed the update out, but with over two weeks to exploit these vulnerabilities, hackers were able to do some serious damage. If you have not updated Java on your Mac, it’s very important that you do so as soon as possible.
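Since the update is not pushed with system updates, the practical question for a Mac user is simply whether the installed Java is still at (or below) the version Apple’s note names as vulnerable. The following shell script is an added example, not code from the original post or from Apple: it parses the first line of `java -version` output and reports whether the reported version is at or below 1.6.0_29. It assumes the Apple-supplied JRE prints its version in the usual `java version "1.6.0_29"` form; the sample lines at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: flag a Java version that is at or below 1.6.0_29, the level
# named in the quoted Apple support note. Assumes `java -version` prints its
# first line as: java version "1.6.0_29"

# Vulnerable baseline taken from Apple's note (Java 1.6.0_29).
VULN_MAJOR=6
VULN_UPDATE=29

# java_update_level "1.6.0_29" -> prints "6 29" (major version and update number).
# A version without an "_NN" suffix (e.g. "1.7.0") is treated as update 0.
java_update_level() {
    ver=$(printf '%s' "$1" | tr -d '"')
    major=${ver#*.}          # "6.0_29"
    major=${major%%.*}       # "6"
    case $ver in
        *_*) update=${ver##*_} ;;   # "29" (or "29-b11" on some builds)
        *)   update=0 ;;
    esac
    update=${update%%[!0-9]*}       # keep only the leading digits
    printf '%s %s\n' "$major" "${update:-0}"
}

# java_needs_update "1.6.0_29" -> returns 0 (true) when the version is at or
# below the vulnerable level, 1 when it is newer.
java_needs_update() {
    set -- $(java_update_level "$1")
    major=$1; update=$2
    if [ "$major" -lt "$VULN_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$VULN_MAJOR" ] && [ "$update" -le "$VULN_UPDATE" ]; then
        return 0
    fi
    return 1
}

# report_line 'java version "1.6.0_29"' -> prints a verdict and returns
# 0 (update needed), 1 (newer than 1.6.0_29) or 2 (line could not be parsed).
report_line() {
    ver=$(printf '%s' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    if [ -z "$ver" ]; then
        echo "could not parse a Java version from: $1"
        return 2
    fi
    if java_needs_update "$ver"; then
        echo "Java $ver: at or below 1.6.0_29, install Apple's Java update"
        return 0
    fi
    echo "Java $ver: newer than 1.6.0_29"
    return 1
}

# Constructed sample lines (not real output from any machine); run with --demo.
if [ "${1:-}" = "--demo" ]; then
    report_line 'java version "1.6.0_29"' || true
    report_line 'java version "1.6.0_26"' || true
    report_line 'java version "1.6.0_31"' || true
    report_line 'no java here'            || true
fi
# On the machine itself (java -version prints to stderr, hence 2>&1):
#   java -version 2>&1 | head -n 1 | { read -r line; report_line "$line"; }
```

The script deliberately compares only the major and update numbers, which is all the quoted Apple note gives; a machine that reports 1.6.0_29 or anything older is told to update, and anything newer is left alone.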