Go Back   MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Reply
 
Thread Tools Search this Thread Display Modes
Old Aug 28, 2012, 02:40 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs






Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.
Quote:
News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.
Quote:
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.
Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

Article Link: Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs
MacRumors is offline   0 Reply With Quote
Old Aug 28, 2012, 02:42 PM   #2
iPhoneApple
macrumors 6502
 
Join Date: Jan 2011
wow. How many Java vulnerabilities are there?
iPhoneApple is offline   2 Reply With Quote
Old Aug 28, 2012, 02:44 PM   #3
neiltc13
macrumors 68040
 
neiltc13's Avatar
 
Join Date: May 2006
Cue "Java sucks, why does anyone even need Java" comments...
neiltc13 is offline   7 Reply With Quote
Old Aug 28, 2012, 02:46 PM   #4
Prodo123
macrumors 68020
 
Prodo123's Avatar
 
Join Date: Nov 2010
Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.
__________________
MacBook Pro 15" 2.2Ghz hi-res glossy, 16GB RAM, 840 EVO 250GB, WD Blue 1TB Optibay iPhone 5 White 32GB Audiophile Photographer, videographer, audio engineer

Last edited by Prodo123; Aug 28, 2012 at 03:14 PM.
Prodo123 is offline   16 Reply With Quote
Old Aug 28, 2012, 02:47 PM   #5
Slix
macrumors 6502
 
Join Date: Mar 2010
Another reason I've had Java disabled on my Safari for years.
__________________
Looking for a small, close, friendly community where you can hang out, talk about Pokémon and anything, and have fun?
Check out The 'Wag!
Slix is offline   6 Reply With Quote
Old Aug 28, 2012, 02:49 PM   #6
BC2009
macrumors 68000
 
BC2009's Avatar
 
Join Date: Jul 2009
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
BC2009 is offline   5 Reply With Quote
Old Aug 28, 2012, 02:49 PM   #7
Bahamut Eos
macrumors member
 
Join Date: Mar 2008
Location: Los Angeles
How can we tell what version of Java we have installed?
Bahamut Eos is offline   0 Reply With Quote
Old Aug 28, 2012, 02:50 PM   #8
techpr
macrumors 6502
 
Join Date: Sep 2008
Location: San Juan, PR
So Java is the new Flash
__________________
http://twitter.com/barcelo
techpr is offline   3 Reply With Quote
Old Aug 28, 2012, 02:51 PM   #9
M87
macrumors 65816
 
Join Date: Jul 2009
Quote:
Originally Posted by BC2009 View Post
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
Same. I was worried because amazon's music manager app required me to install Java a week or so ago, but I have version 6 as well.
__________________
I <3 
M87 is offline   0 Reply With Quote
Old Aug 28, 2012, 02:53 PM   #10
techpr
macrumors 6502
 
Join Date: Sep 2008
Location: San Juan, PR
Quote:
Originally Posted by Bahamut Eos View Post
How can we tell what version of Java we have installed?
Terminal

java -version
__________________
http://twitter.com/barcelo
techpr is offline   1 Reply With Quote
Old Aug 28, 2012, 02:55 PM   #11
bbeagle
macrumors 68000
 
bbeagle's Avatar
 
Join Date: Oct 2010
Location: Buffalo, NY
Quote:
Originally Posted by BC2009 View Post
Open Terminal..

Run: java -version
Technically, you can have several versions of java on your machine. This shows the DEFAULT version of java, which is what your browser will generally use unless you change it.

Your default version could be 1.6 (Java 6), but another program might install and use 1.7 (Java 7) if it wants to.
bbeagle is offline   3 Reply With Quote
Old Aug 28, 2012, 02:57 PM   #12
617arg
macrumors 6502
 
Join Date: Mar 2008
what kind of actual risk are we talking about?
617arg is offline   0 Reply With Quote
Old Aug 28, 2012, 02:58 PM   #13
TsunamiTheClown
macrumors 6502a
 
TsunamiTheClown's Avatar
 
Join Date: Apr 2011
Location: On the verge
Read "the bag has been officially passed" ...
__________________
hi there
TsunamiTheClown is offline   0 Reply With Quote
Old Aug 28, 2012, 03:00 PM   #14
D.T.
macrumors 68030
 
D.T.'s Avatar
 
Join Date: Sep 2011
Location: Vilano Beach, FL
*edit* Those appear to be links.

Last edited by D.T.; Aug 28, 2012 at 03:32 PM.
D.T. is offline   0 Reply With Quote
Old Aug 28, 2012, 03:01 PM   #15
SumoHamster
macrumors 6502a
 
SumoHamster's Avatar
 
Join Date: Sep 2004
Location: Omaha
That's odd. I thought a couple weeks ago an update to Java bringing it up to 7 had appeared in Software Update. I'll have to check when I get home.
SumoHamster is offline   0 Reply With Quote
Old Aug 28, 2012, 03:03 PM   #16
dashiel
macrumors 6502a
 
Join Date: Nov 2003
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
dashiel is offline   10 Reply With Quote
Old Aug 28, 2012, 03:05 PM   #17
koppie644
macrumors regular
 
Join Date: Oct 2011
"manually updated to Java 7 in order for their systems to be vulnerable."

can "in order to" be used for something that one does not want?
koppie644 is offline   1 Reply With Quote
Old Aug 28, 2012, 03:07 PM   #18
jontech
macrumors 6502
 
Join Date: Feb 2010
Location: Hawaii
Quote:
Originally Posted by neiltc13 View Post
Cue "Java sucks, why does anyone even need Java" comments...
Agree, Kinda


Java had provided a lot of issues for our organization. We cannot patch due to java limitations on some programs (not being able to use anything higher then Java 6 update 25 for instance)

Top it off they bundle crapware like toolbars and google items, which affect computers.

overall, not the great platform its advertised to be, at least not on the desktop
__________________
Psalm 91
jontech is offline   0 Reply With Quote
Old Aug 28, 2012, 03:07 PM   #19
bbeagle
macrumors 68000
 
bbeagle's Avatar
 
Join Date: Oct 2010
Location: Buffalo, NY
Quote:
Originally Posted by dashiel View Post
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java.
Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

(Note: JavaScript and Java are two different things)
bbeagle is offline   1 Reply With Quote
Old Aug 28, 2012, 03:09 PM   #20
nagromme
macrumors G5
 
nagromme's Avatar
 
Join Date: May 2002
Quote:
Originally Posted by dashiel View Post
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Ugh! I didn’t know that! Maybe I’ll stick with CS3.


Quote:
Originally Posted by bbeagle View Post
Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

(Note: JavaScript and Java are two different things)
This reassures me, but Adobe having One More Thing I have to keep active on my machine bugs me anyway—and I’ll always be waiting for some exploit that’s not browser-based. I like to keep it simple, Adobe.
nagromme is offline   0 Reply With Quote
Old Aug 28, 2012, 03:10 PM   #21
jontech
macrumors 6502
 
Join Date: Feb 2010
Location: Hawaii
Quote:
Originally Posted by M87 View Post
Same. I was worried because amazon's music manager app required me to install Java a week or so ago, but I have version 6 as well.
Same here, installed with CS6 MC
__________________
Psalm 91
jontech is offline   0 Reply With Quote
Old Aug 28, 2012, 03:12 PM   #22
xgman
macrumors 68040
 
Join Date: Aug 2007
well hopefully this will be patched soon.
__________________
{2014 27" r-imac-4.0i7-295x-32gb ram-1TBSSD+External TB enclosure>Samsung840evo ssd + Segate Enterprise 5TB-UAD Apollo/Marantz/Amphion/Bowers&Wilkins Sound-Nektar P1 61}
{ipads}{iphones}{LG G3}
xgman is offline   0 Reply With Quote
Old Aug 28, 2012, 03:12 PM   #23
bbeagle
macrumors 68000
 
bbeagle's Avatar
 
Join Date: Oct 2010
Location: Buffalo, NY
Quote:
Originally Posted by 617arg View Post
what kind of actual risk are we talking about?
The current version of Java 7 allows java code itself to disable the security preferences of the Java sandbox. (It's supposed to ask you 'Can I write files to your c: directory?' but the hack lets the code NOT ask the user these questions, and just go 'yes - I'm allowed').

Basically, the java code now can do anything java can do WITHOUT asking you permission, like create files, rename or delete files and execute anything on your box.
bbeagle is offline   0 Reply With Quote
Old Aug 28, 2012, 03:13 PM   #24
manu chao
macrumors 68020
 
Join Date: Jul 2003
Quote:
Originally Posted by dashiel View Post
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Yes, but having Java installed does not make it possible for anybody to run it. Your browser can run it and a malicious website could make your browser run Java ... but only if you enable Java in the browser.

Otherwise, only applications can run Java, you thus would need to download an application and run it (which normally will give you a warning about it being the first time to run this particular application). Thus, the worst this Java exploit can do additionally is a privilege escalation if something tricks you into running a downloaded application.
manu chao is offline   0 Reply With Quote
Old Aug 28, 2012, 03:15 PM   #25
david803sc
macrumors member
 
Join Date: Jul 2008
Location: Lake Wylie, SC
How do I remove?

I had enabled Java on Mountain Lion and upgraded to the newest version, how do I disable java or remove it?
__________________
3.06 GHZ iMac, Dual 24 inch Displays, 1 TB Hard Drive, NVIDIA GeForce 8800 GS, G-Tech RAID3 Firewire Dual-Drive for backups.

Mac Mini, Airport Extreme, Time Capsule, Airport Express, AppleTV.
david803sc is offline   0 Reply With Quote

Reply
MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Similar Threads
thread Thread Starter Forum Replies Last Post
Adobe Releases 'Critical' Update for Flash After Security Vulnerability Discovered MacRumors Mac Blog Discussion 92 Feb 10, 2014 01:29 PM
Apple Again Blocks Older Versions of Java Over Vulnerability MacRumors Mac Blog Discussion 27 Sep 2, 2013 03:40 PM
Newly Discovered Mac Malware Captures and Stores Screenshots MacRumors MacRumors.com News Discussion 59 May 21, 2013 08:45 AM
Oracle Updates Java 7 to Address Security Vulnerability MacRumors MacRumors.com News Discussion 72 Jan 19, 2013 12:00 PM
Oracle Releases Patch to Address Security Vulnerability in Java 7 MacRumors MacRumors.com News Discussion 63 Sep 5, 2012 02:02 PM

Forum Jump

All times are GMT -5. The time now is 07:04 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC