Apple Inc. (NASDAQ: AAPL) has proactively moved to disable the Java 7 plugin—the center of a recent Department of Homeland Security warning—from Macs where it is installed. The federal agency warned users to disable or uninstall Java software after security experts noted a serious flaw in the software that allows the installation of malicious software.
“Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,” the Homeland Security’s Computer Emergency Readiness Team said in a note posted Jan. 10. “We are currently unaware of a practical solution to this problem.”
By exploiting Java and installing malicious software to both personal and business computers, hackers are able to commit identity theft as well as include an infected computer in an ac-hoc network that can be used to attack Web sites.
“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” the agency noted. “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”
More specifically, the flaw—named zero-day—gives remote attackers access to a personal computer. By tricking the computer’s user to visit a “specifically crafted HTML document,” the attacker may then be able to infect the computer with malicious code. A hacker might also infect a legitimate, “trusted” Web site by uploading malicious software that would infect computers that visit said site. Although all versions of Java are affected, browsers running the Java 7 plugin are at the highest risk.
Homeland Security notes applications that use Internet Explorer Web content-rendering components, including Microsoft Office and Windows desktop search, may also be used in an attack on the system.
The Java computer language allows programmers to write software using only one set of code that will run on any tope of computer, including OS X, Windows and Linux, as well as systems used by many corporations. Users generally access Java programs through plugins that run the software on top of browsers such as Firefox and Internet Explorer. The language has become so widely used that it is a prime target for hackers. In fact, Java was responsible for 50 percent of 2012 cyber attacks in which hackers accessed computers by exploiting a software bug.
Java owner Oracle Corp. (NASDAQ: ORCL) has declined to comment on the warning. But Poland-based Security Explorations reported it disclosed details of 31 Java security issues to Oracle last April, and the company opted to issue security patch updates on only two of them.
According to Macrumors, Apple (NASDAQ: AAPL) remotely disabled the Java 7 plugin by updating its “Xpretect.plist” blacklist to require a minimum of Java 7 version 1.7.0_10-b-19, which has yet to be released. Therefore, all OS X systems running Java 7 now fail to pass the check initiated through Apple’s anti-malware system. As the zero-day flaw affects only Windows, Mac OS X and Linux desktops that run multiple browser platforms, iPhone and iPad users running any version of iOS are not vulnerable to an attack.
