Old Jan 14, 2013, 08:36 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Oracle Updates Java 7 to Address Security Vulnerability




On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.
Quote:
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.
Article Link: Oracle Updates Java 7 to Address Security Vulnerability
MacRumors is offline   0 Reply With Quote
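The minimum-version rule described in the article, sketched as an added example (not Apple's or Oracle's code). It assumes the version string is compared field by field as integers, which the page does not spell out; the function names are hypothetical, and every sample string other than `1.7.0_11-b21` and `1.7.0_10-b19` is constructed.

```python
import re

# major.minor.micro, optional _update, optional -bNN build number. Anything
# after that (a vendor suffix such as "-434-11M3909") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update, build) as a tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    # A missing update or build counts as 0, so an incomplete string
    # fails the minimum check rather than passing it.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def meets_minimum(installed, minimum):
    """True if the installed version is at or above the required minimum."""
    return parse_java_version(installed) >= parse_java_version(minimum)


def naive_meets_minimum(installed, minimum):
    """Plain string comparison, shown only to contrast with meets_minimum."""
    return installed >= minimum


MINIMUM = "1.7.0_10-b19"  # minimum quoted in the article

# Constructed samples, apart from the first (Update 11 as quoted in the article).
SAMPLES = ["1.7.0_11-b21", "1.7.0_10-b18", "1.7.0_9-b05", "1.7.0_10"]


def audit(samples, minimum=MINIMUM):
    """Map each version string to whether it satisfies the minimum."""
    return {version: meets_minimum(version, minimum) for version in samples}


if __name__ == "__main__":
    for version, ok in audit(SAMPLES).items():
        print(f"{version:16} {'allowed' if ok else 'blocked'}")
```

The string comparison accepts the constructed `1.7.0_9-b05` because the character `9` sorts after `1`, which is why the fields are compared as integers.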
Old Jan 14, 2013, 08:40 AM   #2
hamkor04
macrumors 6502
 
Join Date: Apr 2011
"Medium" to "High" isn't it awesome?
__________________
“All this has happened before, and all this will happen again.”
hamkor04 is offline   5 Reply With Quote
Old Jan 14, 2013, 08:41 AM   #3
Shrink
macrumors Demi-God
 
Join Date: Feb 2011
Location: New England, USA
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
__________________
Two things are infinite, the universe and human stupidity; and I'm not sure about the universe. -- Albert Einstein

Last edited by Shrink; Jan 14, 2013 at 09:05 AM.
Shrink is offline   0 Reply With Quote
Old Jan 14, 2013, 08:44 AM   #4
iMikeT
macrumors 68020
 
Join Date: Jul 2006
Location: California
The internet is safe once again!
iMikeT is offline   0 Reply With Quote
Old Jan 14, 2013, 08:46 AM   #5
RMo
macrumors 6502a
 
Join Date: Aug 2007
Location: Iowa, USA
Quote:
Originally Posted by Shrink View Post
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

Quote:
Originally Posted by bwillwall View Post
No, it can't access your system if you don't use it or even have it enabled.
Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).

Last edited by RMo; Jan 14, 2013 at 10:08 AM. Reason: Added reply to other question-answerer
RMo is offline   6 Reply With Quote
Old Jan 14, 2013, 08:53 AM   #6
jent
macrumors 6502a
 
Join Date: Mar 2010
Since Java updates are no longer built into OS X, how do I update Java?
jent is offline   0 Reply With Quote
Old Jan 14, 2013, 08:54 AM   #7
mathcolo
macrumors 6502a
 
Join Date: Sep 2008
Location: Colorado
Quote:
Originally Posted by jent View Post
Since Java updates are no longer built into OS X, how do I update Java?
If you already have Java 7 installed, head to System Preferences -> Java -> and then go to the Update tab in the control panel.

Note that if the updater is broken, see this thread: http://forums.macrumors.com/showthread.php?t=1525000

Edit: For those who still only have Java SE 6 installed, head to http://www.oracle.com/technetwork/ja...ads/index.html to download v7.
__________________
13" MacBook Pro Retina - 2.6 GHz i5 - 512GB SSD - 8GB RAM
- Google Nexus 5
[Retired]13" MacBook Pro - 2.53 GHz C2D - 240GB SSD - 8GB RAM
[Retired]- Samsung Galaxy Nexus LTE
mathcolo is offline   2 Reply With Quote
Old Jan 14, 2013, 08:55 AM   #8
Sweetfeld28
macrumors 65816
 
Join Date: Feb 2003
Location: Buckeye Country, O-H
Do you have the Java System Pref?

All updates run through that on my computer.
__________________
Laptop: 15" Unibody MacBook Pro [Penryn], 2.53 GHz, 8 GB RAM, 250 GB HD, nVidia 9400M
Desktop: Mac Pro [Harpertown] 2.8GHz Quad, 7GB RAM, 120 GT, 24" LED Cinema Display Mobile:iPhone
Sweetfeld28 is offline   0 Reply With Quote
Old Jan 14, 2013, 09:04 AM   #9
Lone Deranger
macrumors 65816
 
Join Date: Apr 2006
Why is it so often Java that appears to get caught out in these security vulnerabilities?
Lone Deranger is offline   0 Reply With Quote
Old Jan 14, 2013, 09:10 AM   #10
iMikeT
macrumors 68020
 
Join Date: Jul 2006
Location: California
Quote:
Originally Posted by Lone Deranger View Post
Why is it so often Java that appears to get caught out in these security vulnerabilities?

Like Windows, it's widely used. It's about making the most amount of damage to the most amount of users.
iMikeT is offline   6 Reply With Quote
Old Jan 14, 2013, 09:10 AM   #11
Dansk
macrumors member
 
Join Date: Apr 2008
Quote:
Originally Posted by Lone Deranger View Post
Why is it so often Java that appears to get caught out in these security vulnerabilities?
Plus1 ?


edit I got tree'd

Quote:
Originally Posted by iMikeT View Post
Like Windows, it's widely used. It's about making the most amount of damage to the most amount of users.

thanks
Dansk is offline   0 Reply With Quote
Old Jan 14, 2013, 09:25 AM   #12
clukas
macrumors 6502a
 
Join Date: May 2010
Could someone please clarify this for me?

I don't have Java in System Preferences. I know I am running Java as I am using Adobe CS6. I have disabled Java in Safari.

Am I still at risk, how should I update?
__________________
 iMac 27 (Late 2012)  13" MacBook Pro Retina (Late 2013)  iPhone 5  iPad 4 ATV
clukas is offline   2 Reply With Quote
Old Jan 14, 2013, 09:28 AM   #13
Butler Trumpet
macrumors 6502
 
Join Date: May 2004
Location: Dekalb IL
Chrome?

Would anyone care to explain how this affects Chrome users? (Chrome is still 32 bit and this update is only for 64 bit browsers)
__________________
ACMT - Apple Certified Macintosh Technician
Mac OS X Certified 10.5, 10.6, 10.7, 10.8, 10.9
iOS Hardware and Software Certified
Butler Trumpet is offline   0 Reply With Quote
Old Jan 14, 2013, 09:36 AM   #14
johncrab
macrumors 6502
 
Join Date: Aug 2011
Location: Scottsdale, AZ
A pretty fast fix and from what I have read, a rather thorough one. This leaves the question of why it took so long to discover and deal with the messy version they pushed out during the summer. Apple's use of the kill switch was a little worrying in a way but protected the whole Mac community. All things considered, a pretty good weekend.
johncrab is offline   0 Reply With Quote
Old Jan 14, 2013, 09:36 AM   #15
Avatarshark
macrumors regular
 
Join Date: Sep 2012
Location: The Digital Frontier
I think with most system built in software like Java it should be delivered via App Store if you are updated with app store, but I am not seeing it.
Avatarshark is offline   0 Reply With Quote
Old Jan 14, 2013, 09:41 AM   #16
Weaselboy
macrumors G5
 
Join Date: Jan 2005
Quote:
Originally Posted by Avatarshark View Post
I think with most system built in software like Java it should be delivered via App Store if you are updated with app store, but I am not seeing it.
It won't come through the App Store since it is coming direct from Oracle. You will need to check for the update in the System Preferences Java pane.
Weaselboy is offline   0 Reply With Quote
Old Jan 14, 2013, 09:43 AM   #17
bwillwall
macrumors 6502a
 
Join Date: Dec 2009
Quote:
Originally Posted by Shrink View Post
Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?

Thanks...
No, it can't access your system if you don't use it or even have it enabled.
bwillwall is offline   0 Reply With Quote
Old Jan 14, 2013, 09:53 AM   #18
Philscbx
macrumors regular
 
Join Date: Jan 2007
Location: Mpls Mn
Quote:
Originally Posted by clukas View Post
I don't have Java in System Preferences.
I have disabled Java in Safari.

how should I update?
I have the same set up - apparently there are some of us on 10.6.8 where JAVA is not shown in System Pref -
so the answers are going to be vague where it is.

A quick scan found mine in Utilities - It is titled Java Preferences.

The version on file shown is Java SE6 -ver 13.8.5. / and was last opened Oct 21,12.
The system must have messed with it - because I never do.

I scanned the 4 tabs - there is no specific labeled 'update tab' -
so I don't know where some are seeing this for fact.

We'll leave it at that.
__________________
MP3.1,8GB,4TB, MBPro13 5.5, iPad1 64G, iPhone 3gs, iTouch, PB15 1.6, ATv, Rxv3900.
Philscbx is offline   0 Reply With Quote
Old Jan 14, 2013, 10:02 AM   #19
canyelles
macrumors newbie
 
Join Date: Nov 2011
I'm confused

I have done the update and Java in System Preferences tells me I am using the latest version 7.

However when I type 'java -version' in terminal I get

java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

Can anyone explain?

Thanks
canyelles is offline   0 Reply With Quote
Old Jan 14, 2013, 10:08 AM   #20
Weaselboy
macrumors G5
 
Join Date: Jan 2005
Quote:
Originally Posted by canyelles View Post
I'm confused

I have done the update and Java in System Preferences tells me I am using the latest version 7.

However when I type 'java -version' in terminal I get

java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

Can anyone explain?

Thanks
http://javatester.org/version.html

You are fine. The new version 7 you installed is just the web plugin. Go to the above link and it should show 7.

The 'java -version' command just shows what version of the Java virtual machine you have installed. That is used to run local apps that run on Java. Different than Java web applets.
Weaselboy is offline   0 Reply With Quote
Old Jan 14, 2013, 10:10 AM   #21
canyelles
macrumors newbie
 
Join Date: Nov 2011
Quote:
Originally Posted by Weaselboy View Post
http://javatester.org/version.html

You are fine. The new version 7 you installed is just the web plugin. Go to the above link and it should show 7.

The 'java -version' command just shows what version of the Java virtual machine you have installed. That is used to run local apps that run on Java. Different than Java web applets.
OK, thanks
canyelles is offline   0 Reply With Quote
Old Jan 14, 2013, 10:14 AM   #22
rmwebs
Banned
 
Join Date: Apr 2007
For those struggling

Open system preferences. If you see a Java icon, the 'standalone' version of Oracle's Java is installed. Click that icon and it'll open up the java control panel. Check for updates and you'll get this:



Click update now. It'll guide you through the update and hey presto you're done. If you want to make sure it worked, go back to that Java control panel and check the version. It should show as Java 7 update 10.

If you don't have the Java icon, you don't have Java installed. However, some apps have it 'built in' - these will need to be updated by the app developer, however likely won't be a problem.
rmwebs is offline   0 Reply With Quote
Old Jan 14, 2013, 10:19 AM   #23
Lone Deranger
macrumors 65816
 
Join Date: Apr 2006
Quote:
Originally Posted by iMikeT View Post
Like Windows, it's widely used. It's about making the most amount of damage to the most amount of users.
Thanks. That makes sense.
Lone Deranger is offline   0 Reply With Quote
Old Jan 14, 2013, 10:19 AM   #24
mdmacfan
macrumors newbie
 
Join Date: Nov 2012
Quote:
Originally Posted by johncrab View Post
A pretty fast fix and from what I have read, a rather thorough one. This leaves the question of why it took so long to discover and deal with the messy version they pushed out during the summer. Apple's use of the kill switch was a little worrying in a way but protected the whole Mac community. All things considered, a pretty good weekend.
It comes down to two things:

1. Oracle, as a corporation, has no incentive to fix security issues. It doesn't generate profit.
2. Taking a PR beating eventually provided enough incentive - it finally lit enough of a bonfire under their nuts to fix the issue.
mdmacfan is offline   0 Reply With Quote
Old Jan 14, 2013, 10:26 AM   #25
BarryDuffman
macrumors newbie
 
Join Date: Jul 2011
Location: Copenhagen, Denmark
Back when Apple decided to leave the support for Java to Oracle, I tried to install Oracle's Java Runtime (don't remember which version it was).
But I found that for some reason suddenly Java required the use of the discrete graphics on my MBP.
Not thinking about the security impact, I uninstalled Java and reinstalled Apple's most recent Java Runtime, and happily forgot about it.

Now with this vulnerability, I thought I better upgrade to the latest Java, but I can see that it is still forcing the discrete graphics to kick in.

-Why is that? I cannot see a reason for it.
-Is there a way to prevent it?

br
Barry
__________________
Oh Yeah!
BarryDuffman is offline   0 Reply With Quote

All times are GMT -5.