Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

[bbeagle]

Is Java like Flash™

From an end-user's standpoint - yes. Different ways of accomplishing the same animations, games and web page interactions through browser plug-ins.

From a developer's point of view - no. Flash is just a scripting language, that is quicker to write, and Java is a full-featured language, which is slower to write, but can in theory do more.

 

[koolmagicguy]

"manually updated to Java 7 in order for their systems to be vulnerable."

can "in order to" be used for something that one does not want?

I agree. That seemed a little weird.

 

[50548]

I'm glad to see you've installed what I believe you referred to as a "Train Wreck" of an OS.

Yes, I did. Exactly so that people like you wouldn't accuse me of commenting on an OS without installing it.

In fact, if you had cared to dig deeper you would have found a recent thread of mine where I retract my harsh comments and state that, in fact, my upgrade install of ML took place without major issues, after having waited for 10.8.1. After all, I don't think it's possible to stay behind for too long in the usual OS X upgrade cycle.

Does that make my past criticism invalid? Of course not. I still disagree with the overall iOSification of OS X, as well as the dumbing-down measures taken by Apple in apps such as Safari, Airport Utility and many others.

Apple's current strategy is still a train wreck in my view; but, at least for now, the OS itself (in my case) is not.

----------

Are you sure you quoted the correct post, or were you just blindly raging?

I perfectly well know the difference between server-side and client-side Java. And if you were wondering, I also know the difference between a Java runtime and a Java SDK. The comparison with Xcode was to point out that the reasoning in your post had more or less nothing at all to do with Java and could be applied to anything you don't understand or need.

Seriously, you are making the 99% number up. The fact that you could arbitrarily define your ordinary users to match does not make it right.

I am surely raging, but this doesn't render my previous point invalid. Client-side Java IS, indeed, useless, potentially harmful and a deadweight for ordinary users.

The 99% number is simply my way of stating that you absolutely do NOT need Java unless you rely on a few sluggish games and legacy websites.

And, to this date, NO ONE has proved me wrong in this forum about the assertions above.

 

[brack]

Helpful link if you have installed Java directly from java.com and want to remove it and restore the old one. http://www.java.com/en/download/help/mac_restore_java6.xml

 

[dashiel]

Just because you have Java installed on your machine for a certain piece of software doesn't necessarily make you vulnerable.

The vulnerabilities are coming from the web browser, where a web site will try to run bad java code that your browser allows. Simply disable Java in your web browser, or use an older version, and you're safe when you surf the web - despite some other software requiring Java to run.

(Note: JavaScript and Java are two different things)

Yes, but having Java installed does not make it possible for anybody to run it. Your browser can run it and a malicious website could make your browser run Java ... but only if you enable Java in the browser.

Otherwise, only applications can run Java, you thus would need to download an application and run it (which normally will give you a warning about it being the first time to run this particular application). Thus, the worst this Java exploit can do additionally is a privilege escalation if something tricks you into running a downloaded application.

Yes, I understand all of this, but Java is an attack vector that provides a potentially massive security hole. Remember when MacDefender escalated from specifically requiring admin access to one that installed without admin access? Java exploits are going to become increasingly more sophisticated, my point was Adobe requiring Java for a “feature” most people loathe is dangerous and annoying. I want Java off my work machines entirely, I have a local server to develop ColdFusion that’s not connected to the Internet at all, that’s the only thing I need Java for. I suspect the vast majority of CS users have even less need for Java than I do.

 

[yg17]

Golly. Now I understand! Your eloquence and command of argument and language has convinced me. From now on, I'm sure those of us with Java experience infesting these Java threads will be sure to leave it to you to lead the way.

+1

Now if you'll excuse me, I better Alt+Tab back over to Eclipse and that evil horrible outdated useless insecure legacy trainwreck called Java and get some work done.

 

[talmy]

As a regular user of Java, I've got Java 7 installed:

macbook-pro:~ tom$ java -version
java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)

However it's easy to switch back using Java Preferences app as shown in the screenshots. Just change the order, or uncheck the "on" box until Oracle fixes the problem.

macbook-pro:~ tom$ java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

This changes applications but I don't know what happens for applets embedded in web pages (I don't use them). I'd expect they would be the same.

 

[morespce54]

Cue "Java sucks, why does anyone even need Java" comments...

Ok...

So Java is the new Flash

Dargn. You beat me!

 

[C.G.B. Spender]

A security hole in a 3rd party software. Colour me amazed.

 

[itickings]

I am surely raging, but this doesn't render my previous point invalid. Client-side Java IS, indeed, useless, potentially harmful and a deadweight for ordinary users.

The 99% number is simply my way of stating that you absolutely do NOT need Java unless you rely on a few sluggish games and legacy websites.

And, to this date, NO ONE has proved me wrong in this forum about the assertions above.

Well, it kind of does since you are not addressing my objections. Every application is useless, potentially harmful and a deadweight for those that do not need it, so that argument does not do anything to support the "Java is crap" claim. Combine that with some unsubstantiated claims and making stuff up, and you are not off to a very convincing argument. You are just raging without any real content, so of course you won't feel proven wrong no matter what.

You are acting like Java is being forced down your (and everyone's) throat, when Java is not even installed per default anymore. We are gradually approaching a situation where only those that have had a need for it have it installed. You should be happy!

And for the record - I have a need for a Java runtime on some computers, even though they are not servers or for gaming, and Java is disabled in the browsers. Just running local software. There are more applications than "sluggish games and legacy websites" in the world.

 

[BMNB1tch]

Larry Ellison would have never let this happen... oh wait

 

[Jeffois]

As a non-programmer, regular-Joe kinda Mac user, I'm unclear regarding my exposure here...

I understand that on Java 6, I should be OK for now.

But in general, as a user of CrashPlan and Moneydance, both of which I understand to be Java-based, can I simply disable Java within my browsers, and happily ignore these types of threats when they inevitably pop up again in the future, for whatever version of Java might be the source of vulnerability?

Forgetting your opinion of either or both of those pieces of software, what's my general exposure? Should I be looking at the alternatives to these apps due to the fact that they're written in this language?

Thanks!

 

[talmy]

But in general, as a user of CrashPlan and Moneydance, both of which I understand to be Java-based, can I simply disable Java within my browsers, and happily ignore these types of threats when they inevitably pop up again in the future, for whatever version of Java might be the source of vulnerability?

Yes. The problem comes from being able to run Java programs from an unscrupulous website, not from running legitimate programs.

 

[itickings]

Forgetting your opinion of either of both of those pieces of software, what's my general exposure? Should I be looking at the alternatives to these apps due to the fact that they're written in this language?

If you have Java disabled in your browsers, and don't run random downloaded stuff, the general exposure from having Java installed is quite low.

Unchecking Open "safe" files after downloading in Safari won't hurt, though. Can't believe it was still enabled by default in ML...

 

[r.harris1]

I am surely raging, but this doesn't render my previous point invalid. Client-side Java IS, indeed, useless, potentially harmful and a deadweight for ordinary users.

The 99% number is simply my way of stating that you absolutely do NOT need Java unless you rely on a few sluggish games and legacy websites.

And, to this date, NO ONE has proved me wrong in this forum about the assertions above.

I could make the statement that Lawyers (say) are, "indeed, useless, potentially harmful and a deadweight for ordinary society." We could go back and forth all day, you telling me how useful a lawyer can be, me telling you how useless they are. While amusing and diverting, it isn't really worth discussing or "proving". Like my little lawyer joke, you're making a blanket statement. You've tightened up your wording over time, which is good to see, but really, going to the effort to "prove" against a broad statement isn't worth anyone's time, I would think.

Not everyone needs Java on their Macs (and I believe it is still true that it isn't downloaded unless an "ordinary" user wants/needs it), but there are in fact many thousands (or more) of us who use it on our Macs all the time. When you jump into a thread for a product you don't use and say "it's all crap, get rid of it", you're missing a lot of the finer points, the major one being that there are lots of people who use it every day to make a living and maybe, just maybe, we want to know about these vulnerabilities so we can make an informed decision.

 

[duervo]

Larry Ellison would have never let this happen... oh wait

Scott McNealy would've never let this happen!

 

[jkichline]

Actually...

So Java is the new Flash

Actually, Java is the ORIGINAL Flash. Applets were on their way to making epileptic seizure causing ads and consuming all known computing and battery resources well before Flash was unleashed to an unaware populous.

 

[Joe-Diver]

I don't have it on mine...


MacBook-Pro:~ root# java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

 

[50548]

Well, it kind of does since you are not addressing my objections. Every application is useless, potentially harmful and a deadweight for those that do not need it, so that argument does not do anything to support the "Java is crap" claim. Combine that with some unsubstantiated claims and making stuff up, and you are not off to a very convincing argument. You are just raging without any real content, so of course you won't feel proven wrong no matter what.

You are the only one making use of fallacious and uninformed arguments here. Java is not and has never been an "app" per se. It's, among other things, a runtime environment/Internet plug-in replete with security vulnerabilities and whose negative reputation on Macs is second only to Flash.

Therefore, I am not even beginning to talk about a specific "app" that you can delete at will and replace with a better alternative. I am talking about an addition to your computer that is supposed to improve cross-platform usability and development, as well as enable Internet functionality just like Flash has always advertised.

Thankfully, client-side Java is, TODAY, a useless piece of software whose potential troubles FAR outweigh its purported advantages. I have been using Apple computers since the late 80s, and I can assure you that Java has been deactivated on my Mac at least since 2006 without any impact on my daily computing/Internet routine.

You are acting like Java is being forced down your (and everyone's) throat, when Java is not even installed per default anymore. We are gradually approaching a situation where only those that have had a need for it have it installed. You should be happy!

My sole purpose here is to tell ordinary users out there that, barring some very specific uses, they do NOT need to install Java or worry about its multiple security holes. Once more: for the end user, Java is crap, a deadweight, a useless bloat.

And for the record - I have a need for a Java runtime on some computers, even though they are not servers or for gaming, and Java is disabled in the browsers. Just running local software. There are more applications than "sluggish games and legacy websites" in the world.

Too bad you do; in any case, I am glad you just run "local", offline software. No need to worry about the plethora of security holes over the Internet wild west.

 

[keysofanxiety]

Notch would never have allowed this!

 

[jamojamo]

Found this for those who want to disable it in Safari and who are not experts at Java (I just prefer an ounce of prevention despite the back and forth on the relative worth of Java which I have no opinion on.)

http://www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser

 

[Jeffois]

Thanks for the info guys. Helpful, now I know what to do.

One thought though: Steve Wozniak would never have let this happen.

 

[TwitchOSX]

And I'll know which version of Java I'm running right now HOW?

10.8

 

[f00f]

Java is still extremely relevant in Enterprise software, unfortunately.

Java (as in the JVM called by /usr/bin/java) can be disabled via Java Preferences.app (even for 1.7). When all JVMs are unchecked, an execution of /usr/bin/java will return "Unable to locate a Java Runtime to invoke.". Likewise an execution of /usr/libexec/java_home -v 1.6 (or -v 1.7) will return "Unable to find any JVMs matching version 1.6" (or 1.7). (see man page for java_home; it's useful in shell profiles)

However, $JAVA_HOME (and perhaps $JRE_HOME?) in the environment will override anything explicitly checked or unchecked in Java Preferences.app. So even if all JVMs are unchecked in the Preferences, if JAVA_HOME is set, an execution of /usr/bin/java will run that JVM.

So in summary, for the super-paranoid:

• Have no $JAVA_HOME or $JRE_HOME in your environment (~/.MacOSX/environment.plist, ~/.bash_profile, etc)
• Uncheck all JVMs in Java Preferences.app
• Disable Java in your browser

EDIT: IIRC, Java 1.6 (from Apple) needs to be installed in order to run Java Preferences.app (which is in Utilities). It'll ask you to install 1.6 if you attempt to run Java Preferences.app and 1.6 is not already installed. If it's not already installed, chances are pretty damn good you don't have 1.7 either and don't need to worry about this vulnerability.

 

[MrJPH]

Terminal

java -version

How can we tell what version of Java we have installed?

Or, while you're in your Utilities folder, instead of doing that in Terminal, simply open Java Preferences and see.

What is JavaScript? Is that different than just plain ol' Java? I have had Java disabled, should I also JavaScript?