Posted by: David Harley | March 15, 2013

Java bug was still biting Lion and Mountain Lion [updated]

[Updated to take account of a link forwarded by Randy Knobloch]

Some of my eagle-eyed colleagues in the security industry have noted something kind of interesting in the(copious) latest updates from Apple, namely the fix for CVE-2013-0967.

Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled

Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

Paul Ducklin notes for Sophos:

It’ll be something of a surprise for anyone who was relying on Apple’s new-found strictness against Java to find that turning Java off in your browser didn’t necessarily have the desired effect!

Commentary from:

Randy Knobloch (yet another hat tip) drew my attention to an article by Gregg Keizer that points out an apparent shift in Apple update policy:

Apple also patched Macs running Lion and Snow Leopard with Security Update 2013-001. The Snow Leopard update was notable because it arrived a record eight months after the introduction of Mountain Lion, reinforcing the idea that Apple has changed its support policy and will patch “n-2,” where “n” is the current edition of OS X.

Keizer attributes this shift to “the refusal of Snow Leopard to go away“, given that as of last month 28% of Macs were still running 10.6.x. He also points out, however, that there will be no further support for Java 6, and Java 7 runs only on Lion and Mountain Lion.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: