A new Java 7 exploit is being touted as extremely dangerous for Macs

  After the problems caused by the Flashback malware, many security software companies began paying more attention to the OS X platform, which led to an increase in reports of security problems. In this context, the CEO of Errata Security spoke with ComputerWorld and told them that hackers are currently exploiting a very dangerous vulnerability affecting OS X. The vulnerability is found in JRE 1.7, which contains Java update 7, and it can be exploited from any browser, regardless of which operating system you use, so it's not just OS X that's affected.

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today. The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers. David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit — which was published less than 24 hours after the bug was found — is effective against Java 7 installed on OS X Mountain Lion. "This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

  At the moment, hackers are only attacking the Windows platform with this exploit, but Errata's CEO claims that the OS X platform is also vulnerable through the Safari 6 and Firefox 14 browsers. Although the OS X platform is not currently being attacked in practice, IT security experts warn that hackers could turn their attention to it as well. A possible Java update can solve the problem, but it won't be released until October 16. Until then, be careful what you click on and which websites you access, because the operating system can be exploited without you knowing.

What is more worrying is the potential for this to be used by other malware developers in the near future. The exploit works in all major browsers and appears to work on some versions of Linux, OS X 10.7 and higher, as well as Windows, if you're using the latest version of Java. Java applets have been part of the installation process for almost every malware attack on OS X this year. Oracle is on a quarterly patch schedule, which means the next likely patch will not be released until October 16.