Computerworld – (International) Macs at risk from ‘super dangerous’ Java zero-day. Hackers are exploiting a zero-day vulnerability in Java 7, security experts said August 27. The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said the engineering manager for Metasploit, an open-source penetration testing framework. The CTO of Errata Security confirmed the Metasploit exploit — which was published less than 24 hours after the bug was found — is effective against Java 7 installed on OS X Mountain Lion. He said he was able to trigger the vulnerability with the Metasploit code in Firefox 14 and Safari 6 on OS X 10.8. Although the exploits now circulating in the wild have been aimed only at Windows users, it is possible Macs could also be targeted. “What is more worrisome is the potential for this to be used by other malware developers in the near future,” said antivirus vendor Intego. “Java applets have been part of the installation process for almost every malware attack on OS X this year.” The engineering manager for Metasploit called the bug “super dangerous,” noting that it was “totally a drive by,” meaning that attackers could compromise computers simply by duping users into browsing to a Web site that hosts the attack code. Security experts have recommended that users disable Java until Oracle delivers a patch.
Ali Loney, on August 27, 2012