Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Aug 28, 2012.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    [​IMG]

    Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.
    The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

    Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.
    Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

    Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

    Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

    Article Link: Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs
     
  2. macrumors 6502

    Joined:
    Jan 24, 2011
    #2
    wow. How many Java vulnerabilities are there?
     
  3. macrumors 68040

    neiltc13

    Joined:
    May 27, 2006
    #3
    Cue "Java sucks, why does anyone even need Java" comments...
     
  4. Prodo123, Aug 28, 2012
    Last edited: Aug 28, 2012

    macrumors 68020

    Prodo123

    Joined:
    Nov 18, 2010
    #4
    Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

    Nor is this a Windows virus. Macs are still impervious to Windows viruses.
     
  5. macrumors 6502a

    Slix

    Joined:
    Mar 24, 2010
    #5
    Another reason I've had Java disabled on my Safari for years.
     
  6. macrumors 68000

    BC2009

    Joined:
    Jul 1, 2009
    #6
    Open Terminal..

    Run: java -version

    I get:

    Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
    Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

    So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
     
  7. macrumors member

    Bahamut Eos

    Joined:
    Mar 29, 2008
    Location:
    Los Angeles
    #7
    How can we tell what version of Java we have installed?
     
  8. macrumors 6502

    techpr

    Joined:
    Sep 9, 2008
    Location:
    San Juan, PR
    #8
    So Java is the new Flash :rolleyes:
     
  9. M87
    macrumors 65816

    Joined:
    Jul 18, 2009
    #9
    Same. I was worried because amazon's music manager app required me to install Java a week or so ago, but I have version 6 as well.
     
  10. macrumors 6502

    techpr

    Joined:
    Sep 9, 2008
    Location:
    San Juan, PR
    #10
    Terminal

    java -version
     
  11. macrumors 68020

    bbeagle

    Joined:
    Oct 19, 2010
    Location:
    Buffalo, NY
    #11
    Technically, you can have several versions of java on your machine. This shows the DEFAULT version of java, which is what your browser will generally use unless you change it.

    Your default version could be 1.6 (Java 6), but another program might install and use 1.7 (Java 7) if it wants to.
     
  12. macrumors 6502

    Joined:
    Mar 3, 2008
    #12
    what kind of actual risk are we talking about?
     
  13. macrumors 6502a

    TsunamiTheClown

    Joined:
    Apr 28, 2011
    Location:
    Fiery+Cross+Reef
    #13
    Read "the bag has been officially passed" ...
     
  14. D.T., Aug 28, 2012
    Last edited: Aug 28, 2012

    macrumors 68040

    D.T.

    Joined:
    Sep 15, 2011
    Location:
    Vilano Beach, FL
    #14
    *edit* Those appear to be links.
     
  15. macrumors 6502a

    soloer

    Joined:
    Sep 27, 2004
    Location:
    Omaha
    #15
    That's odd. I thought a couple weeks ago an update to Java bringing it up to 7 had appeared in Software Update. I'll have to check when I get home.
     
  16. macrumors 6502a

    Joined:
    Nov 12, 2003
    #16
    It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
     
  17. macrumors regular

    Joined:
    Oct 4, 2011
    #17
    "manually updated to Java 7 in order for their systems to be vulnerable."

    can "in order to" be used for something that one does not want?
     
  18. macrumors 6502

    Joined:
    Feb 26, 2010
    Location:
    Hawaii
    #18
    Agree, Kinda


    Java had provided a lot of issues for our organization. We cannot patch due to java limitations on some programs (not being able to use anything higher then Java 6 update 25 for instance)

    Top it off they bundle crapware like toolbars and google items, which affect computers.

    overall, not the great platform its advertised to be, at least not on the desktop
     
  19. macrumors 68020

    bbeagle

    Joined:
    Oct 19, 2010
    Location:
    Buffalo, NY
    #19
    Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

    The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

    (Note: JavaScript and Java are two different things)
     
  20. macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #20
    Ugh! I didn’t know that! Maybe I’ll stick with CS3.


    This reassures me, but Adobe having One More Thing I have to keep active on my machine bugs me anyway—and I’ll always be waiting for some exploit that’s not browser-based. I like to keep it simple, Adobe.
     
  21. macrumors 6502

    Joined:
    Feb 26, 2010
    Location:
    Hawaii
    #21
    Same here, installed with CS6 MC
     
  22. macrumors 68040

    xgman

    Joined:
    Aug 6, 2007
    #22
    well hopefully this will be patched soon.
     
  23. macrumors 68020

    bbeagle

    Joined:
    Oct 19, 2010
    Location:
    Buffalo, NY
    #23
    The current version of Java 7 allows java code itself to disable the security preferences of the Java sandbox. (It's supposed to ask you 'Can I write files to your c: directory?' but the hack lets the code NOT ask the user these questions, and just go 'yes - I'm allowed').

    Basically, the java code now can do anything java can do WITHOUT asking you permission, like create files, rename or delete files and execute anything on your box.
     
  24. macrumors 68030

    Joined:
    Jul 30, 2003
    #24
    Yes, but having Java installed does not make it possible for anybody to run it. Your browser can run it and a malicious website could make your browser run Java ... but only if you enable Java in the browser.

    Otherwise, only applications can run Java, you thus would need to download an application and run it (which normally will give you a warning about it being the first time to run this particular application). Thus, the worst this Java exploit can do additionally is a privilege escalation if something tricks you into running a downloaded application.
     
  25. macrumors member

    david803sc

    Joined:
    Jul 11, 2008
    Location:
    Lake Wylie, SC
    #25
    How do I remove?

    I had enabled Java on Mountain Lion and upgraded to the newest version, how do I disable java or remove it?
     

Share This Page