Late last week, Apple updated its Mac OS X operating system to version 10.8.3, fixing at least 21 flaws.
Among the high-impact flaws is CVE-2013-0967, which is addressed by an update to the OS X CoreTypes library. The flaw could have enabled an attacker to exploit Java flaws, even on Mac OS X machines where the user had specifically disabled Java. Security experts have been warning about the risks of Java for months and, in Apple’s case, have simply advised users to disable it. But apparently that’s not enough.
“Java Web Start applications would run even if the Java plug-in was disabled,” Apple warned in its advisory. “This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.”