HEAT Security Blog

Six Month Old Java Issue Still Plagues Mac

With a six-month-old critical Java vulnerability currently being exploited in the wild, it is vital for Apple to address this vulnerability immediately to protect its current Mac users. Most other operating system vendors, including Microsoft with Windows, major Linux distributions such as Red Hat and Suse, and HP, fixed the bug months ago.

Application add-on issues are nothing new. In the Browser Tip of The Iceberg report published in 2008, unpatched browser add-ons accounted for a large portion of browser insecurities. A recent story in The Register provided additional details on the Java/Mac issue. We agree with its suggestion that, until Apple releases an official fix for the vulnerability, Mac owners stay protected by disabling Java in the Safari browser and by disabling Safari's “Open safe files after downloading” setting.

Many of you will probably remember Microsoft citing add-ons as at least part of the reason for Vista's security woes back in 2006. Microsoft is perhaps in a position to point to others, as numerous third-party vendors provide Microsoft-compatible add-on software in order to reach the install base of Microsoft users. Third-party vendor support on the Apple platform is usually a lower priority than on Windows, and this can leave vulnerabilities unpatched for a significantly longer time.

Application add-ons can create major security headaches, and all too often they are simply left out of our vulnerability management programs. Administrators need to carefully weave these critical applications into their patch management process and create a plan to assess and monitor their status on a regular basis. That way, when a vendor releases a patch for a vulnerability such as the Java one that is the subject of this post, you can immediately and automatically apply the remediation to prevent exploitation. If no patch is available, we encourage you to look for vendor workarounds and apply them manually until an official vendor patch is released.