When it comes to security on your Mac, most of us think of viruses, worms, and other forms of malware and we conclude that Mac users don’t really have to worry about it. However, recent vulnerabilities with Java and Flash have highlighted the fact that there are cross platform threats that even Mac users need to be aware of. Luckily Apple has its own protection against malware attacks, and it's not afraid to use it.
Recently Apple has taken to blocking Java and Flash via XProtect. Twice in February Apple blocked Java by adding it to the banned list in XProtect. Then earlier this week Apple used XProtect to block older versions of Flash, forcing users to update to the latest version if they wish to view Flash-based content (such as iPlayer).
Java has seen an alarmingly high number of exploits since the start of the year, with Apple and Oracle both being forced to issue multiple patches to deal with ongoing issues. It appears that Java has become a key target for criminals, perhaps because malware written for Java can infect Windows, Mac and Linux computers.
On Monday, less than two weeks after its last Java updates, Apple released Java for OS X 2013-002 for OS X 10.8 Mountain Lion and 10.7 Lion and Java for Mac OS X 10.6 Update 14 for 10.6 Snow Leopard. Apple’s security page notes that these updates address two critical vulnerabilities (CVE-2013-0809 and CVE-2013-1493), the latter of which has been actively exploited to "maliciously install the McRat executable onto unsuspecting users’ machines," according to Oracle.
Apple relies on Oracle to maintain security updates to Java, and the company issued its Java updates soon after Oracle patched flaws in Java 7 and Java 6. However, Oracle says that it will no longer update the aging Java 6 software and this is not good news for Mac users. Unfortunately, not all Mac users can upgrade to Java 7, as it requires Lion or later. According to Net Applications, in February 37% of all Macs were running a version of OS X older than Lion.
It seems likely that Apple will eventually block this old version of Java from running on Macs. For many organizations this could be an issue if they run web-based internal business applications that require the technology. Disabling Java in browsers would break access to these applications. This happened to a number of businesses earlier in February when Apple barred Java on Macs, leaving companies that rely on Java plug-ins out in the cold. Apple blocked Java 7 Update 11 by adding it to the banned list in Apple's XProtect anti-malware feature. Unfortunately, some enterprise users depend on Java and may lose revenue when their software ceases to work.
Apple has itself been a victim of Java exploits. On 19 February Apple confirmed that some computers belonging to its employees had been targeted by hackers. The hackers were said to be the same group that infiltrated computers belonging to Facebook employees the week before, and both attacks were carried out via the same Java vulnerability.
The company emphasised that: "Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found."
Later that day Apple issued a Java update for Mac OS X 10.7 patching a number of security vulnerabilities as well as scanning for the most common variants of the malware in question and removing them.
Sophos's advice is "get rid of Java altogether" or "ban it from your browser". "Keeping Java out of your browser removes the risk of hostile applets - special stripped-down Java programs embedded into web pages" is the advice in Sophos's Naked Security blog.
Apple also dissuades people from running Java, suggesting: "Enable Java in your web browser only when you need to run a Java web app."
Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Apple has already stopped bundling Java with OS X by default. You can read about how to disable Java on your Mac here.
Of course Java isn't the only baddy as far as security on the Mac is concerned. Adobe has three times in the past month issued Flash updates. This week Apple began to block outdated Flash players. This was the second time in a month that the company had blocked Flash unless users install a security update.
When attempting to view Flash content in Safari, users may see the alert: "Blocked Plug-in," says Apple on the web page announcing the availability of the update. If you visit a site that uses Flash to display ads you will see the following message: "Adobe Flash Player" is out of date.
"To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player" said Apple.
The latest version is Flash 11.6.602.171.
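As an added illustration (not code from this article, from Apple or from Adobe), here is how a minimum-version plug-in block of the kind XProtect applies can be evaluated. The plist layout and key names (PlugInBlacklist, MinimumPlugInBundleVersion) are assumptions about Apple's XProtect.meta.plist, the Java entry and the installed versions are constructed sample data, and only the Flash version 11.6.602.171 comes from the text.

```python
import plistlib

# Constructed sample in the assumed shape of Apple's XProtect.meta.plist
# plug-in block list. The Flash minimum is the version named in the
# article; the Java minimum is a constructed placeholder value.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PlugInBlacklist</key><dict><key>10</key><dict>
    <key>com.macromedia.Flash Player.plugin</key><dict>
      <key>MinimumPlugInBundleVersion</key><string>11.6.602.171</string>
    </dict>
    <key>com.oracle.java.JavaAppletPlugin</key><dict>
      <key>MinimumPlugInBundleVersion</key><string>1.7.99.99</string>
    </dict>
  </dict></dict></dict>
</plist>"""


def parse_version(version):
    """Turn a dotted bundle version into a tuple of ints so that
    11.6.602.171 sorts above 11.6.602.99; comparing the raw strings
    would get this wrong because '9' > '1' character by character."""
    return tuple(int(part) for part in version.split("."))


def minimum_versions(plist_bytes):
    """Collect {bundle id: minimum allowed version} from the block list.
    The inner dict is keyed by OS major version ('10'), which we ignore."""
    data = plistlib.loads(plist_bytes)
    minimums = {}
    for rules in data["PlugInBlacklist"].values():
        for bundle_id, rule in rules.items():
            minimums[bundle_id] = parse_version(rule["MinimumPlugInBundleVersion"])
    return minimums


def is_blocked(bundle_id, installed_version, minimums):
    """True when the installed plug-in is older than the required minimum.
    Plug-ins absent from the list are never blocked."""
    required = minimums.get(bundle_id)
    if required is None:
        return False
    return parse_version(installed_version) < required


if __name__ == "__main__":
    mins = minimum_versions(SAMPLE_PLIST)
    for ver in ("11.6.602.99", "11.6.602.171", "11.7.700.169"):
        print(ver, "blocked" if is_blocked("com.macromedia.Flash Player.plugin", ver, mins) else "allowed")
```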
Apple blocked Adobe Flash on the Mac due to a series of vulnerabilities. However, while it might mean you are being greeted by fewer adverts, you will no doubt have noticed that iPlayer, 4OD and other on demand services no longer work. We explain how to get Flash to work again here.
Like Oracle with Java, Adobe has been busy patching vulnerabilities in its Flash Player over the past month. At the end of February Adobe patched new vulnerabilities in Flash Player that hackers were exploiting in attacks aimed at Firefox users. The company also released patches for Flash Player and Shockwave Player earlier in the month, fixing a total of 17 vulnerabilities in Flash Player, 16 of which were critical and could result in remote code execution.
These vulnerabilities "could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security advisory.
Towards the beginning of February, Adobe released an emergency update for Flash Player on all platforms after two zero-day bugs were discovered in the wild targeting Windows and Mac OS X computers. The vulnerabilities allowed hackers to hijack both Windows PCs and Macs.
Apple's own website was vulnerable
Even Apple has turned out to have security issues on its website. A security researcher discovered a DOM-based cross-site scripting (XSS) vulnerability on the 'Find Locations' subdomain of Apple’s locate.apple.com website, writes Softpedia.
Apple has addressed the vulnerability, which could have been used to hijack user sessions and possibly even accounts, according to independent security researcher Mirza Burhan Baig of blackbitz.net.
HTML5 could do data dumps
There is a movement towards HTML5 as a replacement for Flash, but it should be noted that even that may open up certain vulnerabilities.
A flaw in the HTML5 coding language could allow websites to bombard users with gigabytes of junk data, according to an Apple Insider report.
Developer Feross Aboukhadijeh claims that the data dumps can be performed on most web browsers, including Apple's Safari. Only Firefox capped the data dump at 5MB.
A loophole allowed HTML5 programmers to bypass the data cap imposed by browsers. Aboukhadijeh was able to dump 1GB of data every 16 seconds on his SSD-equipped MacBook Pro with Retina display, according to the report.