OS X and the return of Java

Discussion in 'Apple Forum' started by dante01, Aug 15, 2012.

  1. dante01

    dante01
    Distinguished Member

    Joined:
    Mar 5, 2009
    Messages:
    45,636
    Products Owned:
    1
    Products Wanted:
    0
    Trophy Points:
    166
    Ratings:
    +10,871
    Oracle Officially Launches Java SE 7 for OS X.


    Oracle has announced the release of Java SE 7 Update 6 offering full support for OS X.

    Oracle Releases New Java Updates - Java SE 7 Update 6, JavaFX 2.2 and JavaFX Scene Builder 1.0

    Apple ceased its support for Java in October 2010. Steve Jobs stated that having Apple responsible for updates generally resulted in Java for OS X being one version behind Java for other platforms, something many users had criticised Apple for. Earlier this year, the widely publicised Flashback malware was able to infect 600,000 Macs by taking advantage of a Java vulnerability that had already been patched in most versions of Java but not yet addressed by Apple.
     
    Last edited: Aug 15, 2012
  2. dante01

  3. dante01

    Note that if you only install Java SE Runtime Environment 7, it will not appear in the list of installed Java Runtime versions you see via the Apple applet (Java Preferences) in your Utilities folder. In order to rectify this you need to install the Java SE Development Kit 7. You can download the Java SE Development Kit jdk-7u6-macosx-x64.dmg here:


    Oracle Java Development Kit 7 Downloads

    A new Java control panel applet has been created to manage the JRE starting with this release. Since the actual development environment for version 7 isn't installed, the Apple "Java Preferences" utility can't show the new version installed until you install the new Development Kit.

    [​IMG]

    In the "Java Preferences" window utility you should now see the Java SE 7 runtime enabled, but likely listed below any other Java runtimes. You can enable the runtime's use either by dragging it to the top of the list and keeping all runtimes enabled, or by unchecking all but the Java SE 7 runtime. If you need to use Web applets or Web Start applications, then reorganising the list is the best option as it will allow the plug-in process to access compatible runtimes.

    [​IMG]

    You can also use terminal to check the installed version. To check that the Java version is the latest build you just installed, open the Terminal application (in the /Applications/Utilities/ folder) and run the following command:
    Code:
    java -version
    To disable the runtime, all you need to do is return to the Java Preferences application and uncheck the runtime in the General section, or reorganise the list so that another preferred runtime is ahead of it. If you instead wish to completely remove the Java 7 runtime, then go to the Macintosh HD/Library/Java/JavaVirtualMachines/ directory and remove the file called "jdk1.7.0_06.jdk". You can navigate directly to this location by double clicking the Java SE 7 entry within the Java Preferences window.

    Also note that the minimum requirements for Java SE Runtime Environment 7 state this version is only compatible with OS X 10.7.3 or higher.
     
    Last edited: Aug 16, 2012
  4. dante01

    Java now has its own control panel within System Preferences:

    [​IMG]

    [​IMG]

    [​IMG]

    REMEMBER, Apple no longer provide updates to Java so you need to set Java's own preferences to check for available updates from Oracle!
     
    Last edited: Aug 16, 2012
  5. dante01

    IMPORTANT

    Java 1.7 zero-day exploit

    Research shop FireEye identified a Java zero-day exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (Dropper.MsPMs) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.

    Malware Intelligence Lab from FireEye - Research & Analysis of Zero-Day & Advanced Targeted Threats: Zero-Day Season is Not Over Yet

    http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/


    If you did install the Oracle build and you're concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall/deactivate the 1.7 build entirely. There is no evidence of a Mac payload for this exploit at this time; if you don't have a specific reason to run the new version, then it's probably safest to stick with JRE 1.6 instead. In response to past exploits including Flashback, Apple's Java web plugin is now set to auto-disable when it isn't used for some time, further reducing the attack surface for Mac users.
     
  6. MartinPickering

    MartinPickering
    Well-known Member

    Joined:
    Sep 23, 2009
    Messages:
    4,953
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    136
    Location:
    Greek Island
    Ratings:
    +507
    It's worth noting that nearly all "normal" Mac users have nothing whatsoever to fear from this exploit. It's only in Java 7; Apple's on-demand Java install is still Java 6 (which does *NOT* have the vulnerability). So the only way for you to possibly be affected by this is if you went to oracle.com and downloaded Java 7 and manually installed it yourself.

    More: TUAW - The Unofficial Apple Weblog

    Note: Java and JavaScript are two totally unrelated and separate things.

    If you don't specifically need to use it while browsing, go into your browsers'* prefs and turn Java off.

    *All of your browsers, if you have more than one installed.

    Notes:

    This is a potential vulnerability, not an exploit. There is currently no Mac exploit.
    It affects only Java 7. You will know if you have specifically downloaded and installed it.

    Martin
     
    Last edited: Aug 29, 2012
  7. dante01

    Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.

    Macs at risk from 'super dangerous' Java zero-day - Computerworld

    Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

    It should be noted though that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

    Also note that having version 7 on your system doesn't make you vulnerable; it is only the web browser implementation that opens you up to the exploit. You can easily disable Java within a browser's preferences:
    [​IMG]

    You need to do this with every browser you use though.
    [​IMG]
     
    Last edited: Aug 29, 2012
  8. MartinPickering

    So what is it and what does it do to a Mac? (Open question).
     
    Last edited: Aug 30, 2012
  9. dante01



    It does nothing to a Mac (yet). There is no known Mac payload taking advantage of the vulnerability in the wild. It is a vulnerability that can be exploited in order to deliver a payload via a browser using Java 1.7. The vulnerability itself is within Java 1.7 and will require a patch in order to prevent the vulnerability being utilised/exploited by those wanting to do harm to other people's computers and data.


    Errata Security: New Java 0day


    Tests have determined that Macs are not immune and they can be exploited! Waiting for the vulnerability to be exploited before doing anything about it is stupidity.

    The Java exploit has been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer.

    New Java 0-day added to Blackhole Exploit Kit - Security Labs

    Alternatively, Metasploit is the open-source penetration testing framework similar to Blackhole used by both legitimate researchers and criminals:

    Penetration Testing Software | Metasploit

    Reports of this being used as part of the new Java exploit may prove to be unfounded, but both the Metasploit and Blackhole tools have had the vulnerability added to them, making it not only easier for legit users to search out the vulnerability, but easier for the vulnerability to be exploited in order to deliver a payload such as malware onto the Mac OS X platform. These tools have been used by legit security researchers to exploit the vulnerability on a Mac with Java 1.7 installed and Java browser plugins enabled in both Safari and Firefox.


    Think of the vulnerability as a hole and it is better to plug it yourself before someone else sticks their fingers in it ;)
     
    Last edited: Aug 30, 2012
  10. dante01

    I also note that you misquoted me. I never said what you appear to be suggesting.

    The quote is in relation to the findings of David Maynor, CTO of Errata Security as posted on computerworld.com and then posted as a quote here by me:


    Was your question addressed at him? If so then you need to go here and converse with him:
    Errata Security - Know for Sure
     
    Last edited: Aug 30, 2012
  11. MartinPickering

    Seems to me that the only exploit is Windows-based so there's currently only a "potential vulnerability" and no Mac exploit.

    Wake me up when there is. Meanwhile, Java will (still) remain "off" in all my browsers, as it has for the last 5 years at least, unless I specifically need to turn it on for a (trusted) web site. I recommend this action to all Mac users. End of.
     
  12. dante01

    Strangely enough I don't think anyone has said anything different. It is just the way it has been expressed that differs. Maybe you having a lay down and a rest is a good idea?
     
  13. bpsmith

    bpsmith
    Well-known Member

    Joined:
    Jan 8, 2010
    Messages:
    7,572
    Products Owned:
    0
    Products Wanted:
    0
    Trophy Points:
    133
    Ratings:
    +709
    Oracle has now released a patch. :)
     
  14. dante01

    Oracle Releases Patch to Address Security Vulnerability in Java 7


    The Java SE 7 Update 7 addresses the specific vulnerability disclosed earlier in this thread as well as several others. Oracle has also released Java SE 6 Update 35 to address a separate issue with the earlier version.

    You can download the update here:
    Java SE Downloads


    Or if you've already installed a version that includes the Java pref panel, you can use its update abilities to update Java on your system.

    [​IMG]
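
Added example, not part of any post in this thread: a shell check that reads the `java -version` line described in post 3 and compares it with the patched levels announced in post 14 (Java SE 7 Update 7 and Java SE 6 Update 35). The function name `classify_java` and its status labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Update levels come from the thread:
# Java SE 7 Update 7 fixes the zero-day; Java SE 6 Update 35 is the Java 6
# release published alongside it. "ok" means "at or above those levels".

# classify_java LINE  (hypothetical helper)
#   LINE is the first line printed by `java -version`.
#   Echoes: ok | update-to-7u7 | update-to-6u35 | unknown
classify_java() {
    # Pull out the quoted version string, e.g. 1.7.0_06 or 1.7.0_06-b24.
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.[67].*) ;;                      # only the two families discussed
        *) echo unknown; return 0 ;;
    esac
    major=${ver#1.}; major=${major%%.*}   # 1.7.0_06 -> 7
    case "$ver" in
        *_*) update=${ver##*_} ;;         # 1.7.0_06-b24 -> 06-b24
        *)   update=0 ;;                  # 1.7.0 (initial release, no update)
    esac
    update=${update%%[!0-9]*}             # drop any suffix such as -b24
    # Strip leading zeros so 08 and 09 are not read as invalid octal.
    update=$(printf '%s' "$update" | sed 's/^0*//')
    update=${update:-0}
    if [ "$major" -eq 7 ] && [ "$update" -lt 7 ]; then
        echo update-to-7u7
    elif [ "$major" -eq 6 ] && [ "$update" -lt 35 ]; then
        echo update-to-6u35
    else
        echo ok
    fi
}

# `java -version` writes to stderr, so redirect it before reading the line.
if command -v java >/dev/null 2>&1; then
    line=$(java -version 2>&1 | head -n 1)
    echo "java on PATH: $line -> $(classify_java "$line")"
fi

# Oracle JDK bundles live in this directory on OS X (path from post 3).
for jdk in /Library/Java/JavaVirtualMachines/*.jdk; do
    if [ -d "$jdk" ]; then
        echo "installed bundle: $jdk"
    fi
done
```

The command-line version only tells you what is installed; the browser plug-in setting discussed above still has to be checked in each browser.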
     
  15. dante01

    Apple yesterday started scrubbing most Macs of older Java browser plug-ins. Apple also patched Java for OS X, the second time Apple synchronised its Java security update with Oracle's, releasing its patches for OS X the same day as the Java software maker.

    Along with the Java patches, Apple beefed up OS X security by uninstalling old browser plug-ins for the software.

    The update aimed at Lion and Mountain Lion zaps plug-ins provided by Apple via Java 6 and earlier. Apple's Java update for Snow Leopard did something different: "On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure Web browsers to not automatically run Java applets," Apple stated.

    After the Lion and Mountain Lion update is applied, users who browse to websites that require Java will see the message "Missing plug-in," and can then proceed to the Oracle site to download the newest version of Java 7 and its browser plug-in.

    Many see the plug-in elimination as both a security enhancement and an attempt by Apple to push customers towards Oracle as the distributor of Java.

    Apple is still responsible for patching Java 6 and earlier, but Oracle takes care of OS X users running Java 7.

    Java for OS X 2012-006
     
