Following an attack on its own Macintosh computers, Apple has released a Java update that patches not only its own Macs but also customers' computers in the wild. The update not only includes security patches, but also runs a malware removal tool.
Delivered in two separate packages targeting specific Mac OS versions – Java for Mac OS X v10.6 Update 13 and Java for OS X 2013-001 – the security release updates the Apple-provided system Java SE 6 to version 1.6.0_41 for Mac OS X v10.6 and for OS X 10.7 and 10.8.
The Cupertino giant has released an advisory which details the security content of Java for OS X 2013-001 and Mac OS X v10.6 Update 13.
A truckload of vulnerabilities affected OS X Lion v10.7 or later, OS X Lion Server v10.7 or later, and OS X Mountain Lion 10.8 or later.
The most serious of these flaws allowed an untrusted Java applet to execute arbitrary code outside the Java sandbox.
Confirming how its own developers and testers were (unknowingly) infected, Apple explains that “Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.”
These issues are now addressed in the latest Java releases from Apple.
Three vulnerabilities affected not only the aforementioned OS X versions, but also Snow Leopard computers (running OS X 10.6).
Most importantly, Java for OS X 2013-001 and Java for Mac OS X v10.6 Update 13 run a malware removal tool that eradicates “the most common variants of malware,” according to Apple’s advisory.
“If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. This update is available for systems that installed Java 6,” Apple confirms.