Oracle Updates Java 7 to Address Security Vulnerability

[MacRumors]

On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.

Quote:

The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.

Article Link: Oracle Updates Java 7 to Address Security Vulnerability

[hamkor04]

"Medium" to "High" isn't it awesome?

[Shrink]

Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...

[RMo]

Quote:

Originally Posted by Shrink

Sorry foe the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...

Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

Quote:

Originally Posted by bwillwall

No, it can't access your system if you don't use it or even have it enabled.

Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).

[jent]

Since Java updates are no longer built into OS X, how do I update Java?

[mathcolo]

Quote:

Originally Posted by jent

Since Java updates are no longer built into OS X, how do I update Java?

If you already have Java 7 installed, head to System Preferences -> Java -> and then go to the Update tab in the control panel.

Note that if the updater is broken, see this thread: http://forums.macrumors.com/showthread.php?t=1525000

Edit: For those who still only have Java SE 6 installed, head to http://www.oracle.com/technetwork/ja...ads/index.html to download v7.

[Sweetfeld28]

Do you have the Java System Pref?

All updates run through that on my computer.

[Lone Deranger]

Why is it so often Java that appears to get caught out in these security vulnerabilities?

[bwillwall]

Quote:

Originally Posted by Shrink

Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...

No, it can't access your system if you don't use it or even have it enabled.

[Solomani]

Quote:

Originally Posted by Shrink

Should I download the Java Update anyway?

Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?

[munkery]

Quote:

Originally Posted by Solomani

Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?

Java is no longer provided by Apple. Download Java 7 from Oracle.

In the Java preferences that are located in System preferences, go to the "Update" pane and select "Automatically check for updates".

Then select "Automatically download and install updates" in the update window while updating Java for the fist time after the initial installation.

[StudioGuy]

I agree this update correctly updates the Internet Plugin, used in Safari, for example, when you load a page with a java applet.

UPDATED:

I think I see that the VM is actually inside the Contents folder of the Plugin.

So, my question is how to make the desktop applications aware of this, so that they launch in the java 7 VM, and not the old java 6 VM.

Seems like there is an environment variable, framework, or something that needs to be updated.
And, for sure, /user/libexec/java_home still points to the java 6 jdk.

But, still the /System/Library/Frameworks/JavaVM.framework/Versions directory still only has up to java 6. No install there of java 7, as I would have expected.

OK, that's about the extent of my java knowledge - if even this much has been accurate! Hope a java geek can help...

[Solomani]

Quote:

Originally Posted by munkery

Java is no longer provided by Apple. Download Java 7 from Oracle.

In the Java preferences that are located in System preferences, go to the "Update" pane and select "Automatically check for updates".

Then select "Automatically download and install updates" in the update window while updating Java for the fist time after the initial installation.

Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with?


P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)

[munkery]

Quote:

Originally Posted by Solomani

Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with?

Yes, you have to manually install Java to see the preference pane.

Quote:

P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)

No, Apple is no longer supplying Java in OS X updates.

[syzygy123]

Does this mean that apple can at any time disable my browser plugins without my explicit consent? Is anybody else bothered by this?

[Shrink]

Quote:

Originally Posted by Solomani

Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?

I'm embarrassed to say that I recently figured out that I never even downloaded Java. So it's not an issue, and I obviously don't need it.

[iMikeT]

The internet is safe once again!