Important security updates
Published March 15th, 2013 at 10:02 AM EDT, modified March 15th, 2013 at 10:02 AM EDT
Apple posted a couple updates yesterday with some very important security content, and I advise updating as soon as you can. Both Mac OS X 10.8.3 and Security Update 2013-001, available for both Snow Leopard and Lion, contain a number of important security updates. However, one in particular is likely to cause the hair to stand up on the back of the neck of anyone who has been following the saga of Java’s recent descent into vulnerability perdition.
Tucked discreetly away in Apple’s page giving information about the security content of these updates is the following concerning bit of information:
Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2
Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled
Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.
Note the section that I have highlighted… I’ll give you a moment to think about the implications of that.
Okay, you have the heebie-jeebies yet? If you, like me, don’t even have Java installed, probably not. But if you are one of those folks who has Java installed and thought you were safe to just disable it in the web browser… well, guess not!
Fortunately, I have seen absolutely no indications that this vulnerability was known to hackers or that malware has been seen “in the wild” taking advantage of it. However, the fact that the cat is out of the bag now means that hackers will probably start looking for ways to use this bug to install malware on systems that have not yet been updated. This makes installing the update far more important!
Keep in mind that installing updates can be a potential source of problems. Updates can sometimes have bugs that bite early adopters, so it’s probably okay to wait a day or so to make sure the update is sitting well with most folks. After all, Apple hasn’t exactly said how this vulnerability can be exploited, so it will take hackers a little time to find it. I wouldn’t give them more than a couple days, though… there are a lot of smart hackers out there these days!
In addition, updates can cause problems if your system is not in good health, so be sure that you have adequate backups (a minimum of two fully separate backups) before updating, and that at least one of them is a full-system backup so you can quickly revert to a working system if something goes wrong. It would also be wise to repair the hard drive with Disk Utility prior to installing the update.