Java for OS X 2012-002 appeared on Software Update just two days after version 2012-001 was released on Tuesday. Apple also released Java for Mac OS X 10.6 Update 7 earlier in the week.
It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update. Java for OS X 2012-001 resolved multiple vulnerabilities in Java, the most serious of which could "allow an untrusted Java applet to execute arbitrary code outside the Java sandbox."
On Wednesday, a Russian antivirus company revealed that an estimated 600,000 Macs had been infected by a "Flashback" trojan that exploited the Java vulnerability to turn the computers into bots. The majority of the infected computers were located in the U.S.
The trojan was first identified by a security firm last September. F-Secure has posted a tutorial on how to detect and remove the threat.
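The F-Secure tutorial is not reproduced here. As an added example (not from the article, Apple or F-Secure), the script below automates the check that the published Flashback removal guidance had users do by hand with `defaults read`: look for a `DYLD_INSERT_LIBRARIES` entry under `LSEnvironment` in Safari's Info.plist, and for the same key in `~/.MacOSX/environment.plist`. Both of those locations make the loader inject a library into every process launched with that environment, which is how the trojan kept itself running. The default paths are assumptions you can override, the sample plist is constructed for the demo, and the library path in it is a placeholder rather than a real Flashback artifact.

```shell
#!/bin/sh
# Added example, not the article's or F-Secure's own code: scan for the
# DYLD_INSERT_LIBRARIES indicators associated with the Flashback trojan.
# The sample plist written by write_sample_plist is constructed for the demo;
# /tmp/constructed_example.dylib is a placeholder, not a real indicator.

# Locations the removal guidance had users inspect (assumed defaults).
SAFARI_PLIST=${SAFARI_PLIST:-/Applications/Safari.app/Contents/Info.plist}
USER_ENV_PLIST=${USER_ENV_PLIST:-$HOME/.MacOSX/environment.plist}

# Print the DYLD_INSERT_LIBRARIES value found in the XML plist at $1.
# Returns 0 when the key is set to a non-empty string, 1 otherwise.
# Binary plists must be converted first: plutil -convert xml1 -o - FILE
dyld_insert_in_plist() {
    f=$1
    [ -r "$f" ] || return 1
    # Flatten the XML so the key and its value can be matched on one line.
    lib=$(tr -d '\n\r' < "$f" |
          sed -n 's/.*<key>DYLD_INSERT_LIBRARIES<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
    [ -n "$lib" ] || return 1
    printf '%s\n' "$lib"
    return 0
}

# Write a minimal XML plist to $1. When $2 is non-empty, add the injection
# key nested under LSEnvironment, as it would appear in an app's Info.plist.
write_sample_plist() {
    out=$1; lib=$2
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<plist version="1.0">\n<dict>\n'
        printf '\t<key>CFBundleIdentifier</key>\n\t<string>com.example.constructed</string>\n'
        if [ -n "$lib" ]; then
            printf '\t<key>LSEnvironment</key>\n\t<dict>\n'
            printf '\t\t<key>DYLD_INSERT_LIBRARIES</key>\n\t\t<string>%s</string>\n' "$lib"
            printf '\t</dict>\n'
        fi
        printf '</dict>\n</plist>\n'
    } > "$out"
}

# Check each plist given as an argument (default: the two locations above).
# Prints every hit; returns 0 if any indicator was found, 1 if all were clean.
scan_flashback_indicators() {
    [ $# -gt 0 ] || set -- "$SAFARI_PLIST" "$USER_ENV_PLIST"
    found=1
    for p in "$@"; do
        if hit=$(dyld_insert_in_plist "$p"); then
            echo "INDICATOR: $p sets DYLD_INSERT_LIBRARIES=$hit"
            found=0
        fi
    done
    return $found
}

# Demo against constructed files only; no real system paths are touched.
demo() {
    d=$(mktemp -d)
    write_sample_plist "$d/Info.plist" "/tmp/constructed_example.dylib"
    write_sample_plist "$d/clean.plist" ""
    scan_flashback_indicators "$d/Info.plist" "$d/clean.plist"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `sh flashback_check.sh demo` to see the constructed hit, or with no arguments after sourcing the file and calling `scan_flashback_indicators` to inspect the real Safari and user environment plists; other application bundles' Info.plist files can be passed as extra arguments. A hit only tells you a library is being injected, so the next step is to examine the file the path points to rather than to assume it is Flashback.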
28 Comments
Well something must've gone wrong, or there was an oversight. Hopefully it was of the unremarkable variety.
Again, is it a "trojan" or a "virus"? Get your terms together.
After I installed the earlier Java update, my MBP would no longer output a signal to my external monitor at home (mini DP to DVI), but it was outputting fine to my external monitor at work.
I just installed this second update and my external monitor at home immediately started working again.
It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update.
In fact, the "Download" button brings down 2012-001, not 2012-002. The SHA1 hash of the "new" download matches that of 2012-001. At least, that was the case an hour or so ago when I downloaded it.
So it appears as if Apple merely changed the name of the entry on the Support Downloads page, but not the issue date or that to which it links (info or file).
As a person whose Mac was infected under Lion by this trojan, and removed it yesterday, I sure would like to know more about why Apple included another Java update 2 days after the first one.
Edit: Since posting, I have found what was changed by Apple in this new Java update. This is from Apple's Java mailing list:
Java developers,
Today we re-shipped our Java 1.6.0_31 for OS X Lion to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.
We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.
Manual download links:
Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>
Java for Mac OS X 10.6 Update 7: <http://support.apple.com/kb/DL1516>