Cupertino updates Xprotect.plist blacklist to require unreleased version of Java

Jan 12, 2013 11:38 GMT

Apple has updated the XProtect.plist blacklist on OS X computers to address a zero-day vulnerability recently discovered in Oracle’s Java 7. The anti-malware system now requires Java plug-in version 1.7.0_10-b19 or later, a build that Oracle has not yet released.

Users are confirming that systems running Java 7 fail the XProtect.plist check with Java 7 version 1.7.0_10-b18, the version currently available from Oracle, so the plug-in is blocked even when it is fully up to date.

Adam Gowdiak, CEO of Security Explorations (the company responsible for reporting the zero-day flaw), told Softpedia in an email interview that this is just another example of a Java vulnerability stemming from the insecure implementation of the Reflection API.

The issue affects all Java plugin versions from 4 through 7.

Gowdiak reports that the new attack combines two vulnerabilities, adding that Oracle was given a heads-up about the issue in August 2012.

“The zero-day code would not work if Issue 32 was properly addressed,” Gowdiak mentions.

Apple is now blocking the Java browser plug-in on Macs running OS X 10.6 (Snow Leopard) or newer. Users running an earlier release such as Leopard, which predates XProtect, are instructed to disable Java manually.

Because Java 7 is not shipped by default on newer versions of OS X, most users are unaffected. Users who installed Java 7 manually, however, now have a blocked plug-in.

Safari users can disable Java from the browser’s Preferences: select the Security tab and uncheck the “Enable Java” box.

Google Chrome users will find the same option at chrome://plugins. Firefox users must open the “Tools” menu, then “Add-ons,” select the “Plugins” tab, and click the “Disable” button next to the Java Applet Plug-in.
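To see what the update actually does on a machine, here is a shell script, added to this article rather than taken from it or from Apple, that re-implements the comparison XProtect makes between the installed Java web plug-in and its minimum version. It assumes the minimum is stored in XProtect.meta.plist (next to XProtect.plist) under the key JavaWebComponentVersionMinimum, and that the installed version is the CFBundleVersion of JavaAppletPlugin.plugin; neither detail is stated in the article. On a system without those files it falls back to constructed sample values taken from the article (1.7.0_10-b18 installed, 1.7.0_10-b19 required).

```shell
#!/bin/sh
# Added example, not part of the Softpedia article: reproduce the comparison
# XProtect makes between the installed Java web plug-in and its minimum version.
#
# Assumptions (not stated in the article):
#   - the minimum is JavaWebComponentVersionMinimum in XProtect.meta.plist
#   - the installed version is CFBundleVersion of JavaAppletPlugin.plugin
# When those files are absent (any non-Mac), constructed sample values from the
# article are used so the script still runs.

XPROTECT_META=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
JAVA_PLUGIN_INFO="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist"

# Normalise "1.7.0_10-b19" to "1.7.0.10.19." so every field is a plain integer
# and a delimiter is always present (cut needs one to yield empty fields).
java_version_normalise() {
    printf '%s\n' "$1" | sed 's/-b/./; s/_/./g; s/$/./'
}

# Succeeds (exit 0) when version $1 is at least version $2, comparing field by
# field numerically; a missing field counts as 0, so "1.7.0_10" < "1.7.0_10-b19".
java_version_at_least() {
    a=$(java_version_normalise "$1")
    b=$(java_version_normalise "$2")
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0     # ran out of fields: equal
        [ "$i" -gt 32 ] && return 0                 # safety bound on field count
        case $x in ''|*[!0-9]*) x=0 ;; esac         # non-numeric or missing -> 0
        case $y in ''|*[!0-9]*) y=0 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Minimum XProtect enforces; falls back to the value the article reports.
xprotect_java_minimum() {
    if [ -r "$XPROTECT_META" ]; then
        /usr/libexec/PlistBuddy -c 'Print :JavaWebComponentVersionMinimum' \
            "$XPROTECT_META" 2>/dev/null && return
    fi
    echo 1.7.0_10-b19       # constructed sample: value from the article
}

# Installed plug-in version; falls back to the build users report as blocked.
installed_java_plugin_version() {
    if [ -r "$JAVA_PLUGIN_INFO" ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleVersion' \
            "$JAVA_PLUGIN_INFO" 2>/dev/null && return
    fi
    echo 1.7.0_10-b18       # constructed sample: Oracle's current build per the article
}

# Prints "allowed" or "blocked" for an installed version against a minimum.
java_plugin_verdict() {
    if java_version_at_least "$1" "$2"; then echo allowed; else echo blocked; fi
}

installed=$(installed_java_plugin_version)
minimum=$(xprotect_java_minimum)
printf 'installed %s, XProtect minimum %s: %s\n' "$installed" "$minimum" \
    "$(java_plugin_verdict "$installed" "$minimum")"
```

The field-by-field comparison is what makes b18 lose to b19 even though every other component matches, and it also shows why a version string without a build suffix sorts below one that has it. For Safari, the preference behind the “Enable Java” checkbox can be flipped from the command line with `defaults write com.apple.Safari WebKitJavaEnabled -bool false`; that key name is an assumption here, since the article only describes the menu path.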