Oracle, Apple Patched Vulnerable Java After Apple ‘Hacked’ by Cybercriminals
Posted on by Derek Erwin
Oracle has released Java SE 7u15 with important security fixes. This critical patch contains 5 new security fixes and applies to Java 7 Update 13 and all versions before. Alongside Oracle’s Java SE critical patch update, Apple has updated Java SE 6 and released Java for Mac OS X 10.6 Update 13 to “improve security, reliability and compatibility.” Apple also released Java for OS X 2013-001, in addition to a malware removal tool likely in response to reports that Apple was hacked by cybercriminals.
Oracle Java Security Updates
Earlier this month, Oracle released an out-of-band update to address active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. Due to the earlier-than-anticipated release of its Java software, in a follow-up blog post Oracle announced that the company would release another software update (“special update”) on the initially scheduled February 19 date to include all intended bug fixes:
As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE. Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date.
The 5 new security fixes addressed in this software update are as follows:
- CVE-2013-0169 Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are 7 Update 13 and before, 6 Update 39 and before, 5.0 Update 39 and before and 1.4.2_41 and before. Difficult to exploit vulnerability allows successful unauthenticated network attacks via SSL/TLS. Successful attack of this vulnerability can result in unauthorized read access to a subset of Java Runtime Environment accessible data. Note: SSL/TLS Plaintext Recovery vulnerability also known as “Lucky Thirteen” vulnerability.
- CVE-2013-1484 Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries ). Supported versions that are affected are 7 Update 13 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.
- CVE-2013-1485 Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are 7 Update 13 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.
- CVE-2013-1486 Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: JMX). Supported versions that are affected are 7 Update 13 and before, 6 Update 39 and before, 5.0 Update 39 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.
- CVE-2013-1487 Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are 7 Update 13 and before, 6 Update 39 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. This vulnerability can be exploited only through untrusted Java Web Start applications and untrusted Java applets.
Apple Java Security Updates
In addition to Oracle’s software update, Apple released Java for OS X 2013-001 and Mac OS X v10.6 Update 13. Apple’s Java update for OS X 2013-001 is available for OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later. The software update fixes multiple vulnerabilities in Java 1.6.0.37, covering a total of 30 CVEs.
Apple describes the Java update for OS X 2013-001 as follows:
Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_41. For Mac OS X v10.6 systems, these issues were addressed in Java for Mac OS X v10.6 Update 13.
Apple’s Mac OS X v10.6 Update 13 is available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later. Mac OS X v10.6 Update 13 fixes multiple vulnerabilities, covering a total of 3 CVEs.
Apple describes its Mac OS X v10.6 Update 13 as follows:
Multiple vulnerabilities existed in Java, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_41.
Update Java Software Now
Oracle strongly recommends that all Java SE 7 users upgrade to this release. Mac users can go to Oracle’s website to download Java SE 7u15 as advised. Java SE 6 users can head over to Apple’s download page to install the 69.32 MB update to 1.6.0_41. At Intego we recommend our Mac antivirus software as the best option for real-time malware protection.