Old Jan 14, 2013, 09:36 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Oracle Updates Java 7 to Address Security Vulnerability




On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.
Quote:
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.
Article Link: Oracle Updates Java 7 to Address Security Vulnerability
MacRumors is offline   0 Reply With Quote
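The minimum-version check the article describes, sketched as an added example (not Apple's or Oracle's code, and not part of the original thread). The function names are hypothetical, the sample version strings other than the two quoted in the article are constructed, and the real blacklist format is not shown on this page.

```python
import re

# major.minor.micro, optional _update, optional -bBUILD (e.g. 1.7.0_11-b21)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

MINIMUM = "1.7.0_10-b19"  # minimum version quoted in the article


def parse_java_version(text):
    """Return (major, minor, micro, update, build) as ints; missing parts are 0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised Java version string: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def meets_minimum(installed, minimum=MINIMUM):
    """Compare field by field as numbers, never as raw strings."""
    return parse_java_version(installed) >= parse_java_version(minimum)


def plugin_allowed(installed, minimum=MINIMUM):
    """Fail closed: a version string that cannot be parsed is treated as blocked."""
    try:
        return meets_minimum(installed, minimum)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, apart from the 1.7.0_11-b21 string from the article.
    samples = [
        "1.7.0_11-b21",  # Update 11 as reported in the article
        "1.7.0_10-b19",  # exactly the minimum
        "1.7.0_10-b18",  # one build below the minimum (constructed)
        "1.7.0_9-b05",   # older update; a plain string compare would rank it higher
        "not-a-version", # unparseable input is blocked
    ]
    for s in samples:
        print("%-14s %s" % (s, "allowed" if plugin_allowed(s) else "blocked"))
```

Comparing the raw strings instead of the parsed fields would wrongly accept `1.7.0_9-b05`, because the character `9` sorts after `1`.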
Old Jan 14, 2013, 09:40 AM   #2
hamkor04
macrumors 6502
 
Join Date: Apr 2011
"Medium" to "High" isn't it awesome?
__________________
“All this has happened before, and all this will happen again.”
hamkor04 is offline   5 Reply With Quote
Old Jan 14, 2013, 09:41 AM   #3
Shrink
macrumors Demi-God
 
 
Join Date: Feb 2011
Location: New England, USA
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
__________________
Two things are infinite, the universe and human stupidity; and I'm not sure about the universe. -- Albert Einstein

Last edited by Shrink; Jan 14, 2013 at 10:05 AM.
Shrink is offline   0 Reply With Quote
Old Jan 14, 2013, 09:46 AM   #4
RMo
macrumors 6502a
 
Join Date: Aug 2007
Location: Iowa, USA
Quote:
Originally Posted by Shrink View Post
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

Quote:
Originally Posted by bwillwall View Post
No, it can't access your system if you don't use it or even have it enabled.
Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).

Last edited by RMo; Jan 14, 2013 at 11:08 AM. Reason: Added reply to other question-answerer
RMo is offline   6 Reply With Quote
Old Jan 14, 2013, 09:53 AM   #5
jent
macrumors 6502a
 
Join Date: Mar 2010
Since Java updates are no longer built into OS X, how do I update Java?
jent is offline   0 Reply With Quote
Old Jan 14, 2013, 09:54 AM   #6
mathcolo
macrumors 6502a
 
 
Join Date: Sep 2008
Location: Colorado
Quote:
Originally Posted by jent View Post
Since Java updates are no longer built into OS X, how do I update Java?
If you already have Java 7 installed, head to System Preferences -> Java -> and then go to the Update tab in the control panel.

Note that if the updater is broken, see this thread: http://forums.macrumors.com/showthread.php?t=1525000

Edit: For those who still only have Java SE 6 installed, head to http://www.oracle.com/technetwork/ja...ads/index.html to download v7.
__________________
- 13" rMBP - 2.6 GHz i5 - 512GB SSD - 8GB RAM
- Google Nexus 5
mathcolo is offline   2 Reply With Quote
Old Jan 14, 2013, 09:55 AM   #7
Sweetfeld28
macrumors 65816
 
 
Join Date: Feb 2003
Location: Buckeye Country, O-H
Do you have the Java System Pref?

All updates run through that on my computer.
__________________
Laptop: 15" Unibody MacBook Pro [Penryn], 2.53 GHz, 8 GB RAM, 250 GB HD, nVidia 9400M
Desktop: Mac Pro [Harpertown] 2.8GHz Quad, 7GB RAM, 120 GT, 24" LED Cinema Display Mobile:iPhone
Sweetfeld28 is offline   0 Reply With Quote
Old Jan 14, 2013, 10:04 AM   #8
Lone Deranger
macrumors 65816
 
 
Join Date: Apr 2006
Why is it so often Java that appears to get caught out in these security vulnerabilities?
__________________
Lone Deranger is offline   0 Reply With Quote
Old Jan 14, 2013, 10:43 AM   #9
bwillwall
macrumors 6502a
 
Join Date: Dec 2009
Quote:
Originally Posted by Shrink View Post
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
No, it can't access your system if you don't use it or even have it enabled.
bwillwall is offline   0 Reply With Quote
Old Jan 14, 2013, 09:00 PM   #10
Solomani
macrumors 68000
 
 
Join Date: Sep 2012
Quote:
Originally Posted by Shrink View Post
Should I download the Java Update anyway?
Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?
Solomani is offline   0 Reply With Quote
Old Jan 14, 2013, 10:33 PM   #11
munkery
macrumors 68020
 
 
Join Date: Dec 2006
Quote:
Originally Posted by Solomani View Post
Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?
Java is no longer provided by Apple. Download Java 7 from Oracle.

In the Java preferences that are located in System preferences, go to the "Update" pane and select "Automatically check for updates".

Then select "Automatically download and install updates" in the update window while updating Java for the first time after the initial installation.
munkery is offline   0 Reply With Quote
Old Jan 14, 2013, 10:51 PM   #12
StudioGuy
macrumors regular
 
Join Date: Nov 2003
Got the Plugin, not the VM

I agree this update correctly updates the Internet Plugin, used in Safari, for example, when you load a page with a java applet.

UPDATED:

I think I see that the VM is actually inside the Contents folder of the Plugin.

So, my question is how to make the desktop applications aware of this, so that they launch in the java 7 VM, and not the old java 6 VM.

Seems like there is an environment variable, framework, or something that needs to be updated.
And, for sure, /usr/libexec/java_home still points to the java 6 jdk.

But, still the /System/Library/Frameworks/JavaVM.framework/Versions directory still only has up to java 6. No install there of java 7, as I would have expected.

OK, that's about the extent of my java knowledge - if even this much has been accurate! Hope a java geek can help...

Last edited by StudioGuy; Jan 14, 2013 at 11:11 PM.
StudioGuy is offline   0 Reply With Quote
Old Jan 14, 2013, 11:31 PM   #13
Solomani
macrumors 68000
 
 
Join Date: Sep 2012
Quote:
Originally Posted by munkery View Post
Java is no longer provided by Apple. Download Java 7 from Oracle.

In the Java preferences that are located in System preferences, go to the "Update" pane and select "Automatically check for updates".

Then select "Automatically download and install updates" in the update window while updating Java for the first time after the initial installation.
Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with?


P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)
Solomani is offline   0 Reply With Quote
Old Jan 15, 2013, 01:01 AM   #14
munkery
macrumors 68020
 
 
Join Date: Dec 2006
Quote:
Originally Posted by Solomani View Post
Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with?
Yes, you have to manually install Java to see the preference pane.

Quote:
P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)
No, Apple is no longer supplying Java in OS X updates.
munkery is offline   1 Reply With Quote
Old Jan 16, 2013, 01:59 AM   #15
syzygy123
macrumors newbie
 
Join Date: Jan 2013
Talk about back door

Does this mean that apple can at any time disable my browser plugins without my explicit consent? Is anybody else bothered by this?
syzygy123 is offline   0 Reply With Quote
Old Jan 15, 2013, 06:40 AM   #16
Shrink
macrumors Demi-God
 
 
Join Date: Feb 2011
Location: New England, USA
Quote:
Originally Posted by Solomani View Post
Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?
I'm embarrassed to say that I recently figured out that I never even downloaded Java. So it's not an issue, and I obviously don't need it.
__________________
Two things are infinite, the universe and human stupidity; and I'm not sure about the universe. -- Albert Einstein
Shrink is offline   0 Reply With Quote
Old Jan 14, 2013, 09:44 AM   #17
iMikeT
macrumors 68020
 
Join Date: Jul 2006
Location: California
The internet is safe once again!
iMikeT is offline   0 Reply With Quote
