Apple has updated OS X to patch more than a dozen security flaws, including one that allowed attackers to exploit Web-based Java flaws even when end users had disabled the widely abused browser plugin.
The CoreTypes vulnerability in OS X Lion and Mountain Lion posed a threat because it undermined widely repeated advice for Mac users to disable the Java browser plugin. That measure is designed to repel a surge of attacks that exploit vulnerabilities in the Oracle-controlled software; criminal hackers use those flaws to surreptitiously install malware when users visit booby-trapped websites. According to a bulletin accompanying Thursday's OS X update, attackers could bypass the protective measure by manipulating the Java Network Launching Protocol, or JNLP, which allows Java applications to launch directly from a browser, so disabling the plugin did not stop such an application from running.
"Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled," the bulletin explained. "Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."