Oracle has released an official fix for the Java security flaw that was reported by CERT (the Computer Emergency Readiness Team) on January 11. Shortly after the flagging by CERT, Apple took steps to disable the Java plug-in on all Macs running OS X 10.6 or later by amending the XProtect malware/minimum versions file.
Users who want to re-enable a secure, working version of Java can download the update here. The update is recommended users on all operating systems including Windows and Linux. Of course, if you don’t need to be running a Java VM for a specific reason, your most secure path is to not have it installed.
At a minimum, you might consider TJ’s reasonable advice and reserve your browser-centric Java activities to a single-site browser like Fluid.app, or simply leave Java disabled for browser access most of the time and only turn it on when specifically required.
From the release notes, Oracle states: “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 ‘in the wild,’ Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
Apple no longer distributes its own version of Java for Macs running OS X 10.7 or higher. Oracle is now directly responsible for producing and updating the Mac JRE package, as it does for other mainstream operating systems.
Oracle releases v11 fix for zero-day Java security flaw originally appeared on TUAW – The Unofficial Apple Weblog on Mon, 14 Jan 2013 09:00:00 EST. Please see our terms for use of feeds.