For a widely distributed runtime like Oracle’s Java, a zero-day vulnerability (a security flaw that attackers exploit before the platform’s maintainers have had a chance to analyze and patch it) is your basic nightmare. Millions of computers might be affected while a patch is in progress; security companies and ISPs need to coordinate to update malware definitions and block command-and-control websites. Nothing but aggravation — and since Java can run on all varieties of operating systems, there’s plenty of agita to go around.
Research shop FireEye identified a Java zero-day this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.
That’s a reason for Mac users to rest a little more easily, but it’s not the big one. As CNET points out, the vulnerable edition of the JRE — 1.7 — isn’t installed by default in a stock configuration of OS X. The Java that Apple ships on Snow Leopard, Lion and Mountain Lion is JRE 1.6; in order to be on 1.7 and be theoretically susceptible, you’d have to install the Oracle beta build manually (which, hopefully, you’d remember doing).
Some of the more breathless coverage of this exploit seems to have missed that point; the vast majority of OS X machines are not running the vulnerable version, and any that are should (theoretically) be under the supervision of users who specifically chose to move to the new, yet-to-be-mainstream release.
If you did install the Oracle build and you’re concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall the beta build entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don’t have a specific reason to run the new version then it’s probably safest to stick with JRE 1.6 instead. In response to past exploits including Flashback, Apple’s Java web plugin is now set to auto-disable when it isn’t used for some time, further reducing the attack surface for Mac users.
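A quick way to tell which Java line a Mac is actually running is to parse the banner that `java -version` prints. The script below is an added example, not something from the original post or from Apple or Oracle; the two banners it checks against are constructed samples, and `check_installed_java` assumes a `java` binary is on the PATH.

```shell
# Classify a "java -version" banner: returns 0 (true) if the reported runtime
# is on the 1.7 line the post describes as susceptible, 1 otherwise.
is_jre_17() {
  banner="$1"
  # The first banner line looks like:  java version "1.7.0_06"
  # Capture the leading major.minor pair and compare it to 1.7.
  ver=$(printf '%s\n' "$banner" \
        | sed -n 's/^[a-z]* version "\([0-9]*\.[0-9]*\)\..*/\1/p' \
        | head -n 1)
  [ "$ver" = "1.7" ]
}

# Run the check against the runtime that is currently on the PATH.
check_installed_java() {
  if ! command -v java >/dev/null 2>&1; then
    echo "no java on PATH"
    return 1
  fi
  banner=$(java -version 2>&1)   # the banner goes to stderr
  if is_jre_17 "$banner"; then
    echo "JRE 1.7 detected: disable the browser plugin or remove the build"
  else
    echo "not on the 1.7 line: $(printf '%s\n' "$banner" | head -n 1)"
  fi
}

# Constructed sample banners, one for each line discussed in the post.
SAMPLE_17='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_16='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)'
```

Note that the exposure described in the post is the browser plugin, and the command-line runtime on the PATH is not guaranteed to be the same build, so also look at each browser's plugin list as the post advises.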
Java 1.7 zero-day exploit unlikely to impact most Mac users originally appeared on TUAW – The Unofficial Apple Weblog on Tue, 28 Aug 2012 14:00:00 EST.