Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

[itickings]

You are the only one making use of fallacious and uninformed arguments here.

Fallacious? Uninformed? Hardly. Those words probably do not mean what you think they mean...

Not that it matters, it is pretty obvious after all. You keep twisting your definitions, spewing unsubstantiated claims and presenting opinions as facts. Ergo, I'm done feeding you. It was fun while it lasted.

 

[mac.fanatic]

Terminal

java -version

When I try to check my Java version through terminal, I get a pop up and it tells me "To open "Java", you need a Java SE 6 runtime. Would you like to install one now?"

I chose "Not Now" as I'm still trying to get used to OS X and I don't exactly know what that means. Is there another way to check the Java version I have? I already disabled Java in Safari.

 

[MrJPH]

Thank you for the info, bbeagle.

http://en.wikipedia.org/wiki/JavaScript

The names JavaScript and Java are unfortunate. Originally, Netscape created a scripting language for browsers and called it LiveScript. The name was later changed to JavaScript. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web programming language, Java.

Java and JavaScript are NOT THE SAME and are NOT RELATED.

If you just disable JavaScript, you are still vulnerable. If you keep JavaScript active, but disable Java only then you are good.

 

[itickings]

When I try to check my Java version through terminal, I get a pop up and it tells me "To open "Java", you need a Java SE 6 runtime. Would you like to install one now?"

I chose "Not Now" as I'm still trying to get used to OS X and I don't exactly know what that means. Is there another way to check the Java version I have? I already disabled Java in Safari.

That means you don't have it installed...

 

[Badagri]

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.

Have to agree there.

Ugh! I didn’t know that! Maybe I’ll stick with CS3.

All I know is when I launched CS4 it asked for Java. Wouldn't continue otherwise. As above. ^^

Yes, but having Java installed does not make it possible for anybody to run it. Your browser can run it and a malicious website could make your browser run Java ... but only if you enable Java in the browser.

Otherwise, only applications can run Java, you thus would need to download an application and run it (which normally will give you a warning about it being the first time to run this particular application). Thus, the worst this Java exploit can do additionally is a privilege escalation if something tricks you into running a downloaded application.

Also agreed. It's the route I had taken even with Leopard and newer. Though it goes back to Tiger as well. Java for app integration only.

Unchecking Open "safe" files after downloading in Safari won't hurt, though. Can't believe it was still enabled by default in ML...

That was strange considering how many years Apple has known about this. I'm also so surprised after how long they've known about it, why it's even optional. They should have taken it out like they took out RSS.

 

[D.T.]

What is JavaScript? Is that different than just plain ol' Java? I have had Java disabled, should I also JavaScript?

Two totally different things. See some posts above, but briefly: JavaScript is a browser scripting language for controlling browser HTML/style/content/interaction/etc.

Java is a language/framework for developing full standalone apps (client based), web based apps (server based, handles page generation, transactions, business logic) ... and the culprit is where Java provides a browser interface so some functions for creating "browser resident" applets and browsers can access the Java runtime.

When accessed through a browser, it's supposed to be limited or "sandboxed" (unless you grant specific rights).

The whole spin of Java as a language, is the same code can run on any platform where a Java VM is provided. So the same code I write on OSX can be deployed on Winders© or Linux without a recompile (and it provided some UI abstractions so a widget on OS A would be correctly represented on OS B).

Most of the use now is for the web applications/services space.

(OK, so not so brief ... )

 

[trunten]

Type inference. YAY!
Crippling vulnerability. Nay

 

[Lancer]

The sooner JAVA goes the better!

 

[mac.fanatic]

That means you don't have it installed...

Would this vulnerability still affect me? My school website has a Java requirement. When I disabled Java from Safari's System Preferences, the website stopped working properly. How do I not have in installed, yet be able to visit Java-enabled webpages?

 

[TwitchOSX]

So... once again... how does one check which version of Java they have on their computer?

----------

So... once again... how does one check which version of Java they have on their computer?

Nevermind. Command-Spacebar to bring the search bar down and type in Java brings up "Java Preferences" where when I click on that to open it shows Java SE 6 in installed

 

[faroZ06]

Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.

So it's a Java Virtual Machine hole? (corrected)

 

[TwitchOSX]

So it's a Java Virtual Machine virus?

Uh.. what is a Macbook Bro?

 

[faroZ06]

Uh.. what is a Macbook Bro?

The cheapest/ugliest MacBook I have ever seen. Despite that title, it's still very useful and fairly fast. I am the fourth owner of that machine, which I got for free (except the HDD broke soon after I got it, so I had to replace it).

 

[munkery]

So, you can't run Java unless it is fully patched (last month) and you can't run Java if it is fully patched (this month). LOL!

Luckily for most users, this vulnerability won't be an issue because malware that doesn't include privilege escalation isn't very successful when used in automated mass malware as opposed to targeted attacks.

Flashback demonstrated this due to only 10,000 of the reportedly infected machines having the ad-click hijacking payload actively working in Safari. Also, the ability for environment variables to be loaded without password authentication, which allowed for this payload to work, has since been patched in OS X despite not overly being a successful vector for automated mass malware.

Unless you work for a critical government agency or a major company with valuable intellectual property, the likelihood of being the victim of a targeted attack is very low.

 

[faroZ06]

Notch would never have allowed this!

Did Notch make Minecraft in Java thinking that it would just be a little webpage game? Minecraft is a total piece of trash (code-wise, not content-wise).

----------

Unless you work for a critical government agency or a major company with valuable intellectual property, the likelihood of being the victim of a targeted attack is very low.

If I did, I wouldn't have Java on my computer at all (way too insecure). I'd have a Mac with a 100-character password, FileVault, encrypted DMGs that are changed to .mov or something just to be undercover, and Little Snitch blocking almost everything.

And then I'd have an actually personal computer.

 

[alphaod]

Errr… I have Java 7, but am on update 8 beta.

I'm not sure if I'm affected.

 

[Mike1984]

Another reason I've had Java disabled on my Safari for years.

********.
I've also had Java on my Macs for 7 years and NEVER gotten infected.

This is an exploit through the web browser, turn off java in Safari and you're done.

 

[talmy]

Errr… I have Java 7, but am on update 8 beta.

I'm not sure if I'm affected.

Probably. They can't patch something they didn't know about.

 

[Mike1984]

Errr… I have Java 7, but am on update 8 beta.

I'm not sure if I'm affected.

Since the exploit is from updates 0-6, assume it's possible,
and just disable Java in Safari, and your other browsers.

----------

Would this vulnerability still affect me? My school website has a Java requirement. When I disabled Java from Safari's System Preferences, the website stopped working properly. How do I not have in installed, yet be able to visit Java-enabled webpages?

For now, turn it on, only for your school site, then turn it off when you leave.
Until Oracle patches.

 

[BrunoCM]

Guys, I ran

java -version

And I got:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

However, through the java.com I got this:

Verified Java Version

Congratulations!
You have the recommended Java installed (Version 7 Update 6).

Am I in trouble?

Cheers,

 

[munkery]

Guys, I ran

java -version

And I got:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

However, through the java.com I got this:

Verified Java Version

Congratulations!
You have the recommended Java installed (Version 7 Update 6).

Am I in trouble?

Cheers,

OS X allows for multiple versions of Java to be installed.

Go to: /Applications/Utilities/Java Preferences

This utility will show you the versions of Java that you have installed and the priority each version has within the OS.

But, I believe the utility may only show versions of Java SE JDK (not JRE) installed. Java SE JDK does include Java SE JRE.

 

[Mr. Retrofire]

It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java.

Even if, it is not a web browser, so no additional security risk.

 

[BrunoCM]

OS X allows for multiple versions of OS X to be installed.

Go to: /Applications/Utilities/Java Preferences

This utility will show you the versions of Java that you have installed and the priority each version has within the OS.

But, I believe the utility may only show versions of Java SE JDK (not JRE) installed. Java SE JDK does include Java SE JRE.

Didn't quite get that....

It does show the same that terminal option does....

Yet, the same doubt

 

[dshan]

1. It only affects Java 7 users. You have to upgraded to Java 7 directly from Oracle to get Java 7, Apple is still supplying Java 6 which is not affected by this bug.

2. Even with Java 6 from Apple after the last bunch of security problems Apple changed things so Java is disabled by default, and if re-enabled by the user it will disable itself again if not used within a given time (2 weeks?)

3. Apple doesn't install Java 6 by default on 10.7 or 10.8; unless a user encounters a Java app or applet and agrees to download Java 6 from Apple they don't have it. Even if you had Java 6 installed on OS X 10.6 and upgraded to 10.7/10.8 you won't have Java anymore and will have to download and install it again manually.

4. The exploit requires a Java applet to be downloaded and run from a webpage. If you disable the Java plugin in your browser(s) no Java applets can run in your browser and so you'll be safe from the problem while still being able to run any stand-alone Java apps from Adobe, etc. that you need to.

 

[KnightWRX]

So it's a Java Virtual Machine virus?

No, it's a security vulnerability for which there is a known version of an exploit. Someone could make a virus out of this, but that has not been announced.