New Java vulnerability affects Macs, could lead to more malware
According to Tod Beardsley, engineering manager for open-source testing framework Metasploit, hackers can use the bug to compromise any system through a web browser running the latest Java software, reports Computerworld.
While there have yet to be reports of the new exploit affecting Macs, Errata Security confirmed the Metasploit exploit is effective against the latest Java 1.7 runtime on Apple's latest OS X 10.8 Mountain Lion.
Mac users running older versions of OS X, like Snow Leopard or Leopard, could be more vulnerable as those operating systems came bundled with Java, however the new exploit is actually in Oracle's latest software, dubbed "Update 6."
"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.
He went on to call the bug "super dangerous" and said a potential piece of malware can feasibly compromise the security of a Mac by simply having a user visit a website that is host to the attack code. This means both purpose-built malicious sites as well as those which have been hacked can compromise a system.
"What is more worrisome is the potential for this to be used by other malware developers in the near future," said antivirus vendor Intego. "Java applets have been part of the installation process for almost every malware attack on OS X this year."
Screenshot from Java's website-based installation checker as viewed in Safari.
As Oracle has not yet released a patch for the exploit, Beardsley recommends users disable Java until one is pushed out.
Mac users can visit Java's site here to check if they have the 1.7 runtime installed. Alternately, the "Java Preferences" application can also be used to make sure the software is disabled.
The new flaw is the latest in a number of security holes found in Java code on OS X, including the infamous Flashback trojan that reportedly affected some 600,000 Macs worldwide. Apple released a removal tool specifically tailored for the malware, later disabling the Java runtime in subsequent versions of Safari. Java was removed from OS X when Lion was released last year, forcing users to authorize a browser request to download and install the software if an applet for the runtime appears.