Oracle Updates Java 7 to Address Security Vulnerability

[munkery]

Quote:

Originally Posted by Solomani

Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with?

Yes, you have to manually install Java to see the preference pane.

Quote:

P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)

No, Apple is no longer supplying Java in OS X updates.

[MacSince'85]

For those of us stuck on Leopard due to hardware limitations, are we at risk running Java 6?

[Shrink]

Quote:

Originally Posted by Solomani

Can we expect Apple to automatically provide the Updated Java to us via the Software Update control panel (sometime soon)? Or do ALL Mac users have to download it manually?

I'm a bit confused on Apple's Modus Operandi when it comes to Java now. As I understand it, they leave the updating/fixing to Oracle. So does that mean Apple is no longer allowed to distribute the updates themselves? And where do we go to Update, on Apple servers or at Oracle download servers?

I'm embarrassed to say that I recently figured out that I never even downloaded Java. So it's not an issue, and I obviously don't need it.

[designer22]

Downloaded Java 7 Update 11 DMG, but it says I need OSX Lion to use the installer....any help please? Thanks.

[carlgo]

The millions of average computer users should not have to be subjected to this nerdy mess. Far from the "It just works" mantra. Apple may not supply Java anymore, but they let it in the door and so they need to deal with it in an understandable and automatic way.

[frozencarbonite]

Quote:

Originally Posted by MacSince'85

For those of us stuck on Leopard due to hardware limitations, are we at risk running Java 6?

This is my question as well. I'm running Snow Leopard. Are we just out of luck?

According to Java's website:
"For Java versions 6 and below, Apple supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Apple's Java for your Mac."

I ran Software Update, but no updates are available for Java 6.

[iapplelove]

Quote:

Originally Posted by AlabamaSlammer

Any advice on what i need to do?

The same thing happened to me and I decided to download and it completely deleted my java preference folder

[munkery]

Quote:

Originally Posted by MacSince'85

For those of us stuck on Leopard due to hardware limitations, are we at risk running Java 6?

If there is a risk, it can be mitigated by disabling Java in the browser.

Only enable Java in the browser during the period of time when you visit sites that require Java that you know are safe.

[syzygy123]

Does this mean that apple can at any time disable my browser plugins without my explicit consent? Is anybody else bothered by this?

[haruhiko]

Quote:

Originally Posted by syzygy123

Does this mean that apple can at any time disable my browser plugins without my explicit consent? Is anybody else bothered by this?

It means that somebody can at any time access your computer's data, log your keys, steal your passwords etc etc without your explicit consent if your buggy vulnerable java version was not disabled.

[Philscbx]

Quote:

Originally Posted by carlgo

The millions of average computer users should not have to be subjected to this nerdy mess.

Far from the "It just works" mantra.

Apple may not supply Java anymore, but they let it in the door and so they need to deal with it in an understandable and automatic way.

I'm Not touching a damn thing till I get a response back from the Site.
You go there - 5000 links -
and not one damn thing steers you to - this is what you have - this is what you need BS.

We Paid for Apple to do the work - for Fk Sakes.
And Now Oracle can't simple Fkg steer. Gee's - like being run by pact of 5 yr old exec's stuck in sandbox.

[syzygy123]

Quote:

Originally Posted by haruhiko

It means that somebody can at any time access your computer's data, log your keys, steal your passwords etc etc without your explicit consent if your buggy vulnerable java version was not disabled.

Hold on, this is a separate issue. This has nothing to do with my question. It seems to me that somebody at Apple is making decisions for me. I should have been asked! I am perfectly capable of grasping the security implications of running Java on in my browser, and I might be willing to "risk" those issues (which are extremely unlikely to happen to me, and the gains might *for me* outweigh the risks). That I something *I* get to decide. In fact, I had a client a few years ago who has asked me to maintain a Java applet for him. Does this mean that I would suddenly lose the ability to do business (testing), just beacause some egghead at Apple decided that the reputation of the OSX platform as a "safe" OS (which is an illusion, there were cases of security breaches on OSX *NOT* involving Java) is more important than my choice as a consumer?

It's things like this that really make me wonder if I have chosen my computer correctly. I can only dream that Linux develops sufficiently to be put on decent laptops and sold in stores...

[Cubytus]

Quote:

Originally Posted by Stella

No one is forcing you to use Java, just simply uninstall it and you'll not miss it.

In the mean time, I and others will quite happily using Java for desktop applications.

Please inform us of these 'better' alternatives for multiple O/S development, for desktop applications?

BTW - Java is the most used language for mobile development...

No ONE is forcing us to use Java, except when we install software that *require* Java for some functionalities, and that these software simply don't have an alternative as many properly-coded Flash-based sites have.

...And now I understand why battery life has dramatically fell when smartphones began to spread.

[munkery]

Quote:

Originally Posted by syzygy123

Hold on, this is a separate issue. This has nothing to do with my question. It seems to me that somebody at Apple is making decisions for me. I should have been asked! I am perfectly capable of grasping the security implications of running Java on in my browser, and I might be willing to "risk" those issues (which are extremely unlikely to happen to me, and the gains might *for me* outweigh the risks). That I something *I* get to decide. In fact, I had a client a few years ago who has asked me to maintain a Java applet for him. Does this mean that I would suddenly lose the ability to do business (testing), just beacause some egghead at Apple decided that the reputation of the OSX platform as a "safe" OS (which is an illusion, there were cases of security breaches on OSX *NOT* involving Java) is more important than my choice as a consumer?

It's things like this that really make me wonder if I have chosen my computer correctly. I can only dream that Linux develops sufficiently to be put on decent laptops and sold in stores...

Java is no more secure on Linux and the exploit in the wild for this Java vulnerability has Linux payloads but it does't have OS X payloads.

Apple's capacity to set minimum versions for plugins via XProtect is most likely the reason that malware developers didn't bother making OS X payloads for this vulnerability.

Java is dangerous because of its inherent purpose it isn't protected by the runtime security mitigations of the host OS but only the Java sandbox which doesn't function via the host OS sandbox and the Java sandbox recently has been circumvented fairly easily.

Mac OS X and Linux pretty much have the same runtime security mitigations at the moment.

Across all versions of each OS, Mac OS X has fewer local privilege escalation vulnerabilities than Linux namely due to the fact that Mac OS X has better access controls on interprocess communication.

No methods have been demonstrated that allow remotely bypassing the runtime security mitigations in Mac OS X since the introduction of Lion. For example, Safari running on Lion was not compromised at the last Pwn2own.

[MacMan988]

I updated Java from system preferences. But am I supposed to get an update from Apple through AppStore ? I see nothing in the App Store's update tab.

[munkery]

Quote:

Originally Posted by MacMan988

I updated Java from system preferences. But am I supposed to get an update from Apple through AppStore ? I see nothing in the App Store's update tab.

No update from Apple is required.

XProtect has a minimum version setting for Java.

Install a version of Java newer than the minimum version and Java will continue to function.

[twigman08]

Quote:

Originally Posted by Cubytus

No ONE is forcing us to use Java, except when we install software that *require* Java for some functionalities, and that these software simply don't have an alternative as many properly-coded Flash-based sites have.

...And now I understand why battery life has dramatically fell when smartphones began to spread.

I don't get what you're talking about and where the Flash-based sites come from. This makes me think you're talking about JavaScript. If so then JavaScript has almost nothing in common with Java at all besides it just has Java in it's name. It has nothing to do with Java actually.

I say this because you brought up "flash-based" sites. Java technically allows you to do things that their is no possible way Flash could do.

[MacMan988]

Quote:

Originally Posted by munkery

No update from Apple is required.

XProtect has a minimum version setting for Java.

Install a version of Java newer than the minimum version and Java will continue to function.

Thanks for the reply. But again sorry for this dumb question I'm about to ask. What is XProtect? How do I know that I have it and running?

[Weaselboy]

Quote:

Originally Posted by MacMan988

Thanks for the reply. But again sorry for this dumb question I'm about to ask. What is XProtect? How do I know that I have it and running?

It is a plist settings file that contains a list of sites/apps that Apple has blocked due to malware.

Go to this screen under System Preferences/Security & Privacy/General/Advanced and make sure you have "Automatically update safe downloads list" checked.

[Cubytus]

Quote:

Originally Posted by twigman08

I don't get what you're talking about and where the Flash-based sites come from. This makes me think you're talking about JavaScript. If so then JavaScript has almost nothing in common with Java at all besides it just has Java in it's name. It has nothing to do with Java actually.

I say this because you brought up "flash-based" sites. Java technically allows you to do things that their is no possible way Flash could do.

I am actually talking about Java, not Javascript. As some websites can't function properly with JS disabled (and Java, at times), some software don't work properly or at all with Java disabled.

Among those I use daily: Junos VPN client, LibreOffice, SPSS.

[MacMan988]

Quote:

Originally Posted by Weaselboy

It is a plist settings file that contains a list of sites/apps that Apple has blocked due to malware.

Go to this screen under System Preferences/Security & Privacy/General/Advanced and make sure you have "Automatically update safe downloads list" checked.

Thanks. That is checked.

[syzygy123]

Quote:

Originally Posted by munkery

Java is no more secure on Linux and the exploit in the wild for this Java vulnerability has Linux payloads but it does't have OS X payloads.

Apple's capacity to set minimum versions for plugins via XProtect is most likely the reason that malware developers didn't bother making OS X payloads for this vulnerability.

Java is dangerous because of its inherent purpose it isn't protected by the runtime security mitigations of the host OS but only the Java sandbox which doesn't function via the host OS sandbox and the Java sandbox recently has been circumvented fairly easily.

Mac OS X and Linux pretty much have the same runtime security mitigations at the moment.

Across all versions of each OS, Mac OS X has fewer local privilege escalation vulnerabilities than Linux namely due to the fact that Mac OS X has better access controls on interprocess communication.

No methods have been demonstrated that allow remotely bypassing the runtime security mitigations in Mac OS X since the introduction of Lion. For example, Safari running on Lion was not compromised at the last Pwn2own.

Again, my gripes aren't about security, but about control. Although I do think that overall, despite vulnerabilities that all software is bound to have, OS X is pretty secure.

[munkery]

Java still not safe. Even Java 7u11 has known vulnerabilities.

But, the default of requiring the end user to click "OK" to run unsigned and self signed applets causes exploiting these types of vulnerabilities to now involve some social engineering.

http://arstechnica.com/security/2013...atest-version/