Another OS X Java Patch
Last Updated: 2012-04-06 16:33:36 UTC
by Johannes Ullrich (Version: 1)
Only a couple days after releasing the critically late Java patch (2012-001), Apple released another Java update. At this point, Apple's site doesn't mention what this new patch fixes, or why it was released. But eventually, you may see details at http://support.apple.com/kb/HT1222 . Too bad that Apple isn't getting its security house in order. It appears that OS X has reached a level of market penetration that would require a company with a meaningful security response capability behind it.
Just a couple of additional pointers for OS X security:
- Sophos is making a free Antivirus product for OS X. I am running it for a few months now without bad side effects. http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
- You can try and enable "Gatekeeper" on OS X Lion. This feature will prevent unsigned software from running. This feature will be fully integrated once the next version of OS X (Mountain Lion, OS X 10.8) arrives, but has been included in OS 10.7.3 . To activate it, you need to run: sudo spctl --enable . Expect it to complain about a lot of "normal" software as most OS X software right now is not yet signed. (but you can always allow it to still run).
Otherwise: Keep good backups...
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Java Update 2012-002 is intended to supplant Java Update 2012-001; it is the same Java version and is not a cumulative update. An issue was found with the Lion release of 2012-001 shortly after the update was originally posted, and it was replaced with a new build.
A new version and receipt are required to ensure that any clients that had previously installed 2012-001 would be able to install 2012-002.
To further clarify: 2012-002 is intended to replace 2012-001. Clients that have previously installed 2012-001 will be offered 2012-002 via Software Update. Clients that have not installed either update will only be offered 2012-002. As the issue only affected Lion clients, a new build was not required for Snow Leopard and those machines will only be offered 2012-001. If you're using an internal software update solution, and you have not yet provided 2012-001 to your clients, you will only to supply them with 2012-002.
Product Engineering has indicated that they are working to revise the release notes to reflect the new version.
Apr 6th 2012
1 decade ago