October 28, 2016

Apple Updates Java to Stop Mac Flashback Malware Which Exploits Java Concurrency Vulnerability

(LiveHacking.Com) – Almost six weeks after Oracle updated Java for the Windows platform, Apple has released the same Java fixes for Mac OS X 10.7 and 10.6. According to the security advisory, the update includes a fix for a serious vulnerability which “may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” This is of course the Java concurrency vulnerability which is being used by the BlackHole exploit kit on Windows and by the Flashback malware on OS X.

According to Apple, Macs can become infected with malware which exploits this bug simply by visiting a web page containing a maliciously crafted untrusted Java applet. Since the vulnerability allows attackers to break out of the sandbox, Apple notes that this “may lead to arbitrary code execution with the privileges of the current user.”

Thankfully the update is available for OS X 10.6 Snow Leopard as well as 10.7 Lion. There were concerns that Apple would silently drop support for 10.6 as it has done for 10.5. Leopard, as 10.5 was known, still runs on Intel Macs, but Apple insists that users upgrade. Recently Apple dropped 10.6 as a viable platform for developing iOS applications when it didn’t release the iPad 3 SDK for that version. The full list of OS X versions supported by the update is: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3, Lion Server v10.7.3.

Once you have updated, open Terminal and type “java -version” to check the Java version number; you should see “java version "1.6.0_31"” if the upgrade was successful.
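As an added example, not part of the LiveHacking.Com article, the following POSIX shell script automates the check above. It pulls the version token out of the output of “java -version” (which Java writes to standard error, so it has to be redirected with 2>&1 when captured) and compares the update number numerically against the builds the article names as carrying the fix, 1.6.0_31 and 1.7.0_3. The sample output embedded in the script is constructed to mirror what a patched system prints and its build identifiers are placeholders; the script only calls a real JVM when run with --live.

```shell
#!/bin/sh
# Added example, not code from the LiveHacking.Com article: decide from the output
# of "java -version" whether the installed Java carries the CVE-2012-0507 fix.
# Fixed builds named in the article: Java 6 Update 31 (1.6.0_31) and Java 7 Update 3 (1.7.0_3).

# Print the quoted version token (e.g. 1.6.0_31) from "java -version" output.
# Prints nothing if no "java version" line is present.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the version in the given output is at or above the fixed update,
# 1 if it is older, from an unknown major version, or cannot be parsed.
# Comparison is numeric on the update number: a string compare would wrongly
# rank 1.6.0_4 above 1.6.0_31.
java_is_patched() {
    jv=$(java_version_from_output "$1")
    [ -n "$jv" ] || return 1
    jv_major=$(printf '%s\n' "$jv" | cut -d. -f2)                  # 6 for 1.6.0_31, 7 for 1.7.0_3
    jv_update=$(printf '%s\n' "$jv" | sed -n 's/^[0-9.]*_\([0-9]*\).*/\1/p')
    [ -n "$jv_update" ] || jv_update=0                               # e.g. "1.6.0" with no update suffix
    case "$jv_major" in
        6) [ "$jv_update" -ge 31 ] ;;
        7) [ "$jv_update" -ge 3 ] ;;
        *) return 1 ;;                                               # unknown release train: treat as unpatched
    esac
}

# Constructed sample of what "java -version" prints after the Apple update
# (build identifiers are placeholders, not a real Apple build string).
SAMPLE_PATCHED_OUTPUT='java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01, mixed mode)'

# Run against the real JVM only when asked: "sh check-java.sh --live".
# "java -version" writes to stderr, hence the 2>&1.
if [ "${1-}" = "--live" ]; then
    live_output=$(java -version 2>&1 || true)
    if java_is_patched "$live_output"; then
        echo "Java $(java_version_from_output "$live_output") includes the CVE-2012-0507 fix"
    else
        echo "Java is missing the CVE-2012-0507 fix (or is not installed); disable the Java plugin"
    fi
fi
```

The check deliberately treats anything it cannot parse, including a missing java binary, as unpatched, which is the safe answer for a machine that may still have a browser plugin pointing at an old runtime.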

Since OS X 10.5 Leopard isn’t updated, its users should disable Java immediately. Instructions on how to do this can be found here, and how to disable the Java browser plugins is shown in this short video.

This release updates Java to version 1.6.0_31, and Apple recommends that users read the Java release notes at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html for more information.

Mac Flashback Malware Updated to Exploit Java Concurrency Vulnerability

(LiveHacking.Com) – Following the news that various exploit kits for Windows (including BlackHole) have been updated to integrate exploits for the Java concurrency vulnerability (CVE-2012-0507), it is now being reported that the OS X specific malware known as Flashback has also been updated to exploit the same vulnerability. The vulnerability was fixed in Java 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012, but only in Oracle’s builds for the Windows platform. This left Mac users vulnerable.

The latest version of OS X (10.7 Lion) doesn’t include Java by default; however, it can be downloaded and installed when needed, and the last Java update Apple released was in November 2011. In addition, a portion of Mac users have remained on OS X 10.6 Snow Leopard, which included Java by default. Apple has been quietly dropping support for 10.6, and it remains to be seen whether any eventual Java update will include the older platform.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by supplying specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. Because it depends on no memory layout, the exploit is very reliable.

Flashback, so named because the first variant was distributed as a fake Flash Player installer, has used Java vulnerabilities dating from 2009 through 2011. All of those vulnerabilities had already been patched, until now: this latest variant can install itself on any Mac, even one with all the latest Apple updates installed.

Oracle released the fix for the concurrency vulnerability back in February, but Apple distributes its own self-compiled version of Java for Macs, built from Oracle’s source code and subsequent patches, and its release schedule lags behind that of Oracle’s builds for Java on Windows. It has long been said that this delay in shipping security-related patches for Java on Mac OS could be used by malware writers to their advantage, and the new Flashback.K variant confirms exactly that.

The best advice right now is for Mac users to disable Java completely unless it is absolutely necessary, and at the very least to disable the Java browser plugin, since the infection vector is a web page carrying a malicious applet. You can find instructions on how to do this here.