When it comes to security on the Mac, most of us think of viruses, worms, and other forms of malware, and we conclude that Mac users don't really have to worry about them. However, recent vulnerabilities in Java and Flash have highlighted the fact that there are cross-platform threats that even Mac users need to be aware of. Luckily Apple has its own protection against malware attacks, and it's not afraid to use it.
Recently Apple has taken to blocking Java and Flash via XProtect. Twice in February Apple blocked Java by adding it to the banned list in XProtect. Then earlier this week Apple used XProtect to block older versions of Flash, forcing users to update to the latest version if they wish to view Flash-based content (such as iPlayer).
Java has seen an alarmingly high number of exploits since the start of the year, with Apple and Oracle both being forced to issue multiple patches to deal with ongoing issues. It appears that Java has become a key target for criminals, perhaps because malware written for Java can infect Windows, Mac and Linux computers.
On Monday, less than two weeks after its last Java updates, Apple released Java for OS X 2013-002 for OS X 10.8 Mountain Lion and 10.7 Lion and Java for Mac OS X 10.6 Update 14 for 10.6 Snow Leopard. Apple's security page notes that these updates address two critical vulnerabilities (CVE-2013-0809 and CVE-2013-1493), the latter of which has been actively exploited to "maliciously install the McRat executable onto unsuspecting users' machines," according to Oracle.
Apple relies on Oracle to maintain security updates to Java, and the company issued its Java updates soon after Oracle patched flaws in Java 7 and Java 6. However, Oracle says that it will no longer update the aging Java 6 software and this is not good news for Mac users. Unfortunately, not all Mac users can upgrade to Java 7, as it requires Lion or later. According to Net Applications, in February 37% of all Macs were running a version of OS X older than Lion.
It seems likely that Apple will eventually block this old version of Java from running on Macs. For many organizations this could be an issue if they run web-based internal business applications that require the technology. Disabling Java in browsers would break access to these applications. This happened to a number of businesses earlier in February when Apple barred Java on Macs, leaving companies that rely on Java plug-ins out in the cold. Apple blocked Java 7 Update 11 by adding it to the banned list in Apple's XProtect anti-malware feature. Unfortunately, some enterprise users utilize Java and may experience a loss in revenue as their software ceases to work.