Apple Updates XProtect to Block Vulnerable Java Versions
Posted on by Joshua Long
Apple has released an update to its XProtect component of Mac OS X to block certain outdated versions of the Java browser plug-in. These older versions will no longer run in Safari or Mail after this automatic update is applied.
The minimum required version of Apple’s Java plug-in for Snow Leopard is now 13.9.7 (Java 6 Update 51), up from 13.9.5 (Java 6 Update 45). Apple provides its own version of Java for Snow Leopard and has continued to release security updates for it.
On Lion and Mountain Lion, the minimum version of Apple’s Java plug-in has increased from 14.7.0 (which corresponds with Oracle’s Java 7 Update 21) to 14.8.0 (which corresponds with Java 7 Update 25). Beginning with Lion, Apple no longer bundles Java with OS X; it is now a third-party offering available from Oracle.
Apple likely changed the minimum Java plug-in version due to reports that a previously patched Java 6 vulnerability has been added to the Neutrino exploit kit, making it easier for evildoers to infect a Mac or PC running an outdated version of Java.
In a support article related to this update, Apple recommends only enabling the Java browser plug-in when you need it for a particular site, and then disabling the Java plug-in again afterward.
Meanwhile, Apple still has a very low minimum requirement for the Adobe Flash Player plug-in. Flash Player 11.6.602.171 was released in late February, and Apple began requiring it within a couple of days of Adobe’s release due to reports of active, in-the-wild exploitation of vulnerabilities in older versions.
Adobe has since released several versions of Flash Player that fix a number of vulnerabilities, but none of these versions was an urgent patch to fix bugs that were being actively exploited at the time. The current version of Flash Player is 11.8.800.94 as of when this article was published; any version older than that has known vulnerabilities. You can check to see whether you have the latest version of Flash Player by going to https://www.adobe.com/software/flash/about/
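The distinction the two paragraphs above draw, between a plug-in version that XProtect actually blocks and one that is merely older than the current release, is easy to get wrong when versions are compared as strings. The following added example (not Apple's or Intego's code) uses the minimums and the current Flash version quoted in this article to classify an installed plug-in version; the plug-in labels and the "allowed-but-vulnerable" state are this example's own naming.

```python
"""Classify a browser plug-in version against the XProtect minimums cited in the
article. Added example; version table and labels are taken from the article text."""
from typing import Tuple

# Minimum plug-in bundle versions XProtect now requires, per the article.
XPROTECT_MINIMUMS = {
    "Java (Snow Leopard)": "13.9.7",          # Java 6 Update 51
    "Java (Lion/Mountain Lion)": "14.8.0",    # Java 7 Update 25
    "Flash Player": "11.6.602.171",           # late-February 2013 release
}

# Current release at the time of the article; anything older has known bugs.
# Only Flash is listed because the article names no newer Java release.
LATEST_KNOWN = {"Flash Player": "11.8.800.94"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted bundle version such as '11.6.602.171' into integers so
    comparison is numeric per component: 13.9.10 is newer than 13.9.7, whereas
    a plain string comparison would sort '13.9.10' below '13.9.7'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; '14.8' and '14.8.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def assess(plugin: str, installed: str) -> str:
    """'blocked' if XProtect refuses to load it, 'allowed-but-vulnerable' if it
    loads but is older than the current release, else 'current'."""
    if compare_versions(installed, XPROTECT_MINIMUMS[plugin]) < 0:
        return "blocked"
    latest = LATEST_KNOWN.get(plugin, XPROTECT_MINIMUMS[plugin])
    if compare_versions(installed, latest) < 0:
        return "allowed-but-vulnerable"
    return "current"


if __name__ == "__main__":
    # Constructed sample inputs: the old Java minimum and the old Flash minimum.
    for plugin, ver in [("Java (Snow Leopard)", "13.9.5"), ("Flash Player", "11.6.602.171")]:
        print(f"{plugin} {ver}: {assess(plugin, ver)}")
```

The point the article makes shows up directly: the February Flash release passes XProtect's check yet still reports as vulnerable, so the XProtect minimum is a floor, not a statement that a plug-in is up to date.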
Apple’s XProtect system provides rudimentary protection against certain Mac threats. It does not offer live malware scanning, protection against Windows threats or phishing sites, or other protection that full-featured antivirus software can provide. Intego develops a number of specialized security products for Mac, available from www.intego.com