[Updated to take account of a link forwarded by Randy Knobloch]
Some of my eagle-eyed colleagues in the security industry have noted something rather interesting in the (copious) latest updates from Apple, namely the fix for CVE-2013-0967. Apple's advisory entry reads:
Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2
Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled
Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.
Paul Ducklin notes for Sophos:
It’ll be something of a surprise for anyone who was relying on Apple’s new-found strictness against Java to find that turning Java off in your browser didn’t necessarily have the desired effect!
Randy Knobloch (yet another hat tip) drew my attention to an article by Gregg Keizer that points out an apparent shift in Apple update policy:
Apple also patched Macs running Lion and Snow Leopard with Security Update 2013-001. The Snow Leopard update was notable because it arrived a record eight months after the introduction of Mountain Lion, reinforcing the idea that Apple has changed its support policy and will patch “n-2,” where “n” is the current edition of OS X.
Keizer attributes this shift to “the refusal of Snow Leopard to go away”, given that as of last month 28% of Macs were still running 10.6.x. He also points out, however, that there will be no further support for Java 6, and Java 7 runs only on Lion and Mountain Lion.
Small Blue-Green World
ESET Senior Research Fellow