Oracle Updates Java 7 to Address Security Vulnerability

Discussion in ' News Discussion' started by MacRumors, Jan 14, 2013.

  1. macrumors bot


    Apr 12, 2001

    On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

    Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

    In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.
    Article Link: Oracle Updates Java 7 to Address Security Vulnerability
  2. macrumors 6502

    Apr 10, 2011
  3. Shrink, Jan 14, 2013
    Last edited: Jan 14, 2013

    macrumors demi-god


    Feb 26, 2011
    New England, USA
    Sorry for the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

    Should I download the Java Update anyway?:confused:

  4. macrumors 68020

    Jul 8, 2006
  5. RMo, Jan 14, 2013
    Last edited: Jan 14, 2013

    macrumors 65816

    Aug 7, 2007
    Iowa, USA
    Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

    Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).
  6. macrumors 6502a


    Mar 31, 2010
    Since Java updates are no longer built into OS X, how do I update Java?
  7. macrumors 6502a


    Sep 14, 2008
  8. macrumors 65816


    Feb 10, 2003
    Buckeye Country, O-H
    Do you have the Java System Pref?

    All updates run through that on my computer.
  9. macrumors 65816

    Lone Deranger

    Apr 23, 2006
    Why is it so often Java that appears to get caught out in these security vulnerabilities? :confused:
  10. macrumors 68020

    Jul 8, 2006

    Like Windows, it's widely used. It's about making the most amount of damage to the most amount of users.
  11. macrumors member

    Apr 15, 2008
    Plus1 ?

    edit I got tree'd

  12. macrumors 6502a


    May 3, 2010
    could someone please clarify this for me.

    I dont have java in system preferences. I know I am running java as I am using Adobe CS6. I have disabled java in safari.

    Am I still at risk, how should I update?
  13. macrumors 6502

    May 26, 2004
    Dekalb IL

    Would anyone care to explain how this effects Chrome users? (Chrome is still 32 bit and this update is only for 64 bit browsers)
  14. macrumors 6502


    Aug 11, 2011
    Scottsdale, AZ
    A pretty fast fix and from what I have read, a rather thorough one. This leaves the question of why it took so long to discover and deal with the messy version they pushed out during the summer. Apple's use of the kill switch was a little worrying in a way but protected the whole Mac community. All things considered, a pretty good weekend.
  15. macrumors regular

    Sep 22, 2012
    The Digital Frontier
    I think with most system built in software like Java it should be delivered via App Store if you are updated with app store, but I am not seeing it.
  16. macrumors Core


    Jan 23, 2005
    It won't come through the App Store since it is coming direct from Oracle. You will need to check for the update in the System Preferences Java pane.
  17. macrumors 6502a


    Dec 24, 2009
    No, it can't access your system if you don't use it or even have it enabled.
  18. macrumors regular


    Jan 4, 2007
    Mpls Mn
    I have the same set up - apparently there are some of us on 10.6.8 where JAVA is not shown in System Pref -
    so the answers are going to be vague where it is.

    A quick scan found mine in Utilities - It is titled Java Preferences.

    The version on file shown is Java SE6 -ver 13.8.5. / and was last opened Oct 21,12.
    The system must have messed with it - because I never do.

    I scanned the 4 tabs - there is no specific labeled 'update tab' -
    so I don't know where some are seeing this for fact.

    We'll leave it at that.
  19. macrumors newbie

    Nov 8, 2011
    I'm confused

    I have done the update and Java in System Preferences tells me I am using the latest version 7.

    However when I type 'java -version' in terminal I get

    java version "1.6.0_37"
    Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
    Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

    Can anyone explain?

  20. macrumors Core


    Jan 23, 2005

    You are fine. The new version 7 you installed is just the web plugin. Go the above link and it should show 7.

    The 'java -version' command just shows what version Java virtual machine you have installed. That is used to run local apps that run on Java. Different that Java web applets.
  21. macrumors newbie

    Nov 8, 2011
    OK, thanks
  22. macrumors 68040

    Apr 6, 2007
    For those struggling

    Open system preferences. If you see a Java icon, the 'standalone' version of Oracle's Java is installed. Click that icon and it'll open up the java control panel. Check for updates and you'll get this:


    Click update now. It'll guide you through the update and hey presto you're done. If you want to make sure it worked, go back to that Java control panel and check the version. It should show as Java 7 update 10.

    If you dont have the java icon, you dont have Java installed. However some apps have it 'built in' - these will need to be updated by the app developer however likely wont be a problem.
  23. macrumors 65816

    Lone Deranger

    Apr 23, 2006
    Thanks. That makes sense.
  24. macrumors newbie

    Nov 13, 2012
    It comes down to two things:

    1. Oracle, as a corporation, has no incentive to fix security issues. It doesn't generate profit.
    2. Taking a PR beating eventually provided enough incentive - it finally lit enough of a bonfire under their nuts to fix the issue.
  25. macrumors newbie

    Jul 20, 2011
    Copenhagen, Denmark
    Back when Apple decided to leave the support for Java to Oracle, I tried to install Oracles Java Runtime (don't remember which version it was)
    But I found that for some reason suddenly Java required the use of the discrete graphics on my MBP.
    Not thinking about the security impact, I uninstalled Java and reinstalled Apples most recent Java Runtime, and happily forgot about it.

    Now with this vulnerability, I thought I better upgrade to the latest Java, but I can see that it is still forcing the discrete graphics to kick in.

    -Why is that? I cannot see a reason for it.
    -Is there a way to prevent it?


Share This Page