macrumors bot
Original poster
Apr 12, 2001
63,490
30,728



On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.

Article Link: Oracle Updates Java 7 to Address Security Vulnerability
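
The minimum-version check the article describes, as an added example (not code from the article, Apple, or Oracle). It compares the version strings quoted above numerically; the samples marked "constructed" and all function names are assumptions made for illustration.

```python
import re

# Matches Java version strings of the form quoted on this page: 1.7.0_11-b21
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")

# Minimum plug-in version quoted in the article above.
MINIMUM_PLUGIN_VERSION = "1.7.0_10-b19"


def parse_java_version(text):
    """Return (major, minor, patch, update, build) as ints.

    Accepts a bare version string or a line of `java -version` output;
    missing update/build fields count as 0.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Java version found in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def meets_minimum(installed, minimum=MINIMUM_PLUGIN_VERSION):
    """True if `installed` is at least `minimum`, compared numerically."""
    return parse_java_version(installed) >= parse_java_version(minimum)


if __name__ == "__main__":
    samples = [
        "1.7.0_11-b21",  # Java 7 Update 11, from the article
        "1.7.0_10-b19",  # the minimum itself
        "1.7.0_10-b18",  # constructed: one build below the minimum
        "1.7.0_9-b05",   # constructed: older update with a single digit
    ]
    for version in samples:
        print(f"{version:<16} allowed={meets_minimum(version)}")
    # A plain string comparison wrongly accepts the single-digit update,
    # because "9" sorts after "1" character by character.
    print("string compare:", "1.7.0_9-b05" >= MINIMUM_PLUGIN_VERSION)
```

The last line prints `True`, which is why a version gate has to parse the fields into integers before comparing.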
 


macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?:confused:

Thanks...
 

RMo

macrumors 65816
Aug 7, 2007
1,253
281
Iowa, USA
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?:confused:

Thanks...

Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

No, it can't access your system if you don't use it or even have it enabled.

Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).
 

jent

macrumors 6502a
Mar 31, 2010
893
568
Since Java updates are no longer built into OS X, how do I update Java?
 

mathcolo

macrumors 6502a
Sep 14, 2008
860
16
Boston

clukas

macrumors 6502a
May 3, 2010
990
401
Could someone please clarify this for me?

I don't have Java in System Preferences. I know I am running Java as I am using Adobe CS6. I have disabled Java in Safari.

Am I still at risk, how should I update?
 

johncrab

macrumors 6502
Aug 11, 2011
341
0
Scottsdale, AZ
A pretty fast fix and from what I have read, a rather thorough one. This leaves the question of why it took so long to discover and deal with the messy version they pushed out during the summer. Apple's use of the kill switch was a little worrying in a way but protected the whole Mac community. All things considered, a pretty good weekend.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,133
15,596
California
I think with most system built in software like Java it should be delivered via App Store if you are updated with app store, but I am not seeing it.

It won't come through the App Store since it is coming direct from Oracle. You will need to check for the update in the System Preferences Java pane.
 

bwillwall

Suspended
Dec 24, 2009
1,031
802
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?:confused:

Thanks...

No, it can't access your system if you don't use it or even have it enabled.
 

Philscbx

macrumors regular
Jan 4, 2007
174
0
Mpls Mn
I don't have Java in System Preferences.
I have disabled Java in Safari.

how should I update?
I have the same set up - apparently there are some of us on 10.6.8 where JAVA is not shown in System Pref -
so the answers are going to be vague where it is.

A quick scan found mine in Utilities - It is titled Java Preferences.

The version on file shown is Java SE6 -ver 13.8.5. / and was last opened Oct 21,12.
The system must have messed with it - because I never do.

I scanned the 4 tabs - there is no specific labeled 'update tab' -
so I don't know where some are seeing this for fact.

We'll leave it at that.
 

canyelles

macrumors member
Nov 8, 2011
69
95
I'm confused

I have done the update and Java in System Preferences tells me I am using the latest version 7.

However when I type 'java -version' in terminal I get

java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

Can anyone explain?

Thanks
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,133
15,596
California
I'm confused

I have done the update and Java in System Preferences tells me I am using the latest version 7.

However when I type 'java -version' in terminal I get

java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

Can anyone explain?

Thanks

http://javatester.org/version.html

You are fine. The new version 7 you installed is just the web plugin. Go to the above link and it should show 7.

The 'java -version' command just shows what version of the Java virtual machine you have installed. That is used to run local apps that run on Java. Different than Java web applets.
 

rmwebs

macrumors 68040
Apr 6, 2007
3,140
0
For those struggling

Open system preferences. If you see a Java icon, the 'standalone' version of Oracle's Java is installed. Click that icon and it'll open up the java control panel. Check for updates and you'll get this:

kUz2j.png


Click update now. It'll guide you through the update and hey presto you're done. If you want to make sure it worked, go back to that Java control panel and check the version. It should show as Java 7 update 10.

If you don't have the Java icon, you don't have Java installed. However, some apps have it 'built in' - these will need to be updated by the app developer, however likely won't be a problem.
 

mdmacfan

macrumors newbie
Nov 13, 2012
7
0
A pretty fast fix and from what I have read, a rather thorough one. This leaves the question of why it took so long to discover and deal with the messy version they pushed out during the summer. Apple's use of the kill switch was a little worrying in a way but protected the whole Mac community. All things considered, a pretty good weekend.

It comes down to two things:

1. Oracle, as a corporation, has no incentive to fix security issues. It doesn't generate profit.
2. Taking a PR beating eventually provided enough incentive - it finally lit enough of a bonfire under their nuts to fix the issue.
 

BarryDuffman

macrumors member
Jul 20, 2011
47
11
Copenhagen, Denmark
Back when Apple decided to leave the support for Java to Oracle, I tried to install Oracle's Java Runtime (don't remember which version it was).
But I found that for some reason suddenly Java required the use of the discrete graphics on my MBP.
Not thinking about the security impact, I uninstalled Java and reinstalled Apple's most recent Java Runtime, and happily forgot about it.

Now with this vulnerability, I thought I better upgrade to the latest Java, but I can see that it is still forcing the discrete graphics to kick in.

-Why is that? I cannot see a reason for it.
-Is there a way to prevent it?

br
Barry
 