Apple issues second OS X Java update this week

Posted in macOS, edited January 2014


Apple on Thursday rolled out its second Java update for OS X in less than a week via Software Update.



Java for OS X 2012-002 appeared on Software Update just two days after version 2012-001 was released on Tuesday. Apple also released Java for Mac OS X 10.6 Update 7 earlier in the week.



It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update. Java for OS X 2012-001 resolved multiple vulnerabilities in Java, the most serious of which could "allow an untrusted Java applet to execute arbitrary code outside the Java sandbox." In practice that means a Java applet embedded in a web page can run native code with the privileges of the user who loaded the page, with no prompt and no download step, which is exactly the class of bug drive-by installers rely on.



On Wednesday, a Russian antivirus company revealed that an estimated 600,000 Macs had been infected by a "Flashback" trojan that exploited the Java vulnerability to turn the computers into bots. The majority of the infected computers were located in the U.S.

The trojan was first discovered by a security firm last September. F-Secure has posted a tutorial on how to detect and remove the threat.










Comments

  • Reply 1 of 28
    Well something must've gone wrong, or there was an oversight. Hopefully it was of the unremarkable variety.
  • Reply 2 of 28
    Again, is it a "trojan" or a "virus"? Get your terms together.
  • Reply 3 of 28
    After I installed the earlier Java update, my MBP would no longer output a signal to my external monitor at home (mini DP to DVI), but it was outputting fine to my external monitor at work.



    I just installed this second update and my external monitor at home immediately started working again.
  • Reply 4 of 28
    tyrotex (member, 2 posts)
    Quote:
    Originally Posted by AppleInsider


    It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update.



    In fact, the "Download" button brings down 2012-001, not 2012-002. The SHA1 hash of the "new" download matches that of 2012-001. At least, that was the case an hour or so ago when I downloaded it.



    So it appears as if Apple merely changed the name of the entry on the Support Downloads page, but not the issue date or that to which it links (info or file).
  • Reply 5 of 28
    adamw (guest, 114 posts)
    As a person whose Mac was infected under Lion by this trojan, and removed it yesterday, I sure would like to know more about why Apple included another Java update 2 days after the first one.



    Edit: Since posting, I have found what was changed by Apple in this new Java update. This is from Apple's Java mailing list:



    Java developers,



    Today we re-shipped our Java 1.6.0_31 for OS X Lion to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.



    For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.



    We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.



    Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.



    Manual download links:

    Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>

    Java for Mac OS X 10.6 Update 7: <http://support.apple.com/kb/DL1516>
  • Reply 6 of 28
    ljocampo (member, 657 posts)
    I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?
  • Reply 7 of 28
    tyrotex (member, 2 posts)
    Quote:
    Originally Posted by adamw


    ...

    Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.



    Manual download links:

    Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>

    ...



    That link does not work for me. As I said, it downloads 2012-001. After installation, Software Update still wants to install 002.



    Eventually, I captured 002 by copying the directory produced by Software Update (before the install completes and deletes it) - /Library/Updates/041-5436. I was then able to copy this directory to my other machines and install 002 by executing the package 041-5436.English.dist.



    I understand that the Java packagers wanted to get a release out immediately and cut a lot of corners. However, I don't believe that they should have changed the name of the 001 update on the Support Downloads page.



    If the update is only available through Software Update, they should just have pulled the 001 package from the Support Downloads page.



    I'm sure that many people will be confused (as I was) by downloading what they believed to be the 002 update from the Support Downloads page, only to have it re-install the 001 package.
  • Reply 8 of 28
    adamw (guest, 114 posts)
    Since I found I was infected with this yesterday and removed it, I was told to download the "Little Snitch" app, which I googled and installed the 3 hour demo of. I thought my system was clean of this trojan, as I followed the F-Secure removal instructions, but it appears this trojan installs other stuff once it gets in (via the Java exploit).



    Little Snitch informed me that a file named .rserv (~/.rserv) in my Users directory on my Mac was trying to connect to cuojshtbohtnet.com or .net and several other strange sounding web sites. I denied them doing so and Googled .rserv and another program on my Mac that was doing similar attempts.



    Also watch out for a file named: com.adobe.reader.plist in user launch agents directory. It was attempting to contact these same strange websites as .rserv was. I Googled these names and found in the last few days many other Mac users are seeing this same behavior when catching these "buggers" via the "Little Snitch" app.



    Again, even though my system showed clean via the F-Secure instructions after I removed the infected files they mention, I believe I still had 2 other infected program files (same file date of March 29th also) related to this trojan that went undetected, and were only found by running this "Little Snitch" app which monitors programs trying to use your outgoing Internet connection.
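The detection step the article points readers to (F-Secure's tutorial) and the two files adamw describes in the comment above both boil down to looking for a handful of filesystem indicators, so here is an added example that does that in one pass. It is not code from the AppleInsider article, from F-Secure, from Apple, or from any commenter. It looks for the library-injection indicator F-Secure's Flashback instructions check for (a DYLD_INSERT_LIBRARIES entry, set through LSEnvironment in a browser's Info.plist or through ~/.MacOSX/environment.plist), for the ~/.rserv file and the com.adobe.reader.plist LaunchAgent named in the comment, and, as a generalisation of the comment's point that the published indicator list missed files, for any LaunchAgent whose plist references a dotfile under the home directory. The Safari and Firefox paths, the dotfile heuristic and the hit-count exit status are this example's own choices; grep is used in place of `defaults read` so the scan also runs against a mounted or copied volume on any Unix.

```shell
#!/bin/sh
# Added example (not from the article, F-Secure or the commenters): read-only
# scan for the Flashback indicators discussed on this page.
#
#   flashback_scan HOME_DIR [APPLICATIONS_DIR]
#
# Prints one "HIT:" line per indicator found and returns the number of hits
# (0 = nothing found; counts above 255 wrap, which does not matter here).
flashback_scan() {
    home="$1"
    apps="${2:-/Applications}"
    hits=0

    # 1. Library injection: DYLD_INSERT_LIBRARIES set via LSEnvironment in a
    #    browser bundle's Info.plist, or globally via environment.plist.
    #    (F-Secure's instructions check these with `defaults read`; grep -a
    #    lets this work on binary plists and on a mounted volume.)
    for plist in \
        "$apps/Safari.app/Contents/Info.plist" \
        "$apps/Firefox.app/Contents/Info.plist" \
        "$home/.MacOSX/environment.plist"
    do
        if [ -f "$plist" ] && grep -aq 'DYLD_INSERT_LIBRARIES' "$plist"; then
            echo "HIT: DYLD_INSERT_LIBRARIES set in $plist"
            hits=$((hits + 1))
        fi
    done

    # 2. The hidden dropper one commenter watched phoning home (name taken
    #    from the comment; assumed to be Flashback-specific).
    if [ -e "$home/.rserv" ]; then
        echo "HIT: hidden file $home/.rserv"
        hits=$((hits + 1))
    fi

    # 3. Per-user persistence. Flag the LaunchAgent name the commenter saw,
    #    and (heuristic, this example's own) any other agent whose plist
    #    references a dotfile in the home directory, which is where a
    #    dropper that hides as ~/.something would be started from.
    for agent in "$home/Library/LaunchAgents"/*.plist; do
        [ -f "$agent" ] || continue          # glob matched nothing
        case "$agent" in
            */com.adobe.reader.plist)
                echo "HIT: LaunchAgent name reported in Flashback infections: $agent"
                hits=$((hits + 1)) ;;
            *)
                # -F: treat "$home/." as a literal string, not a regex
                if grep -aqF "$home/." "$agent"; then
                    echo "HIT: LaunchAgent $agent runs a dotfile under $home"
                    hits=$((hits + 1))
                fi ;;
        esac
    done

    return "$hits"
}

# Run as:  sh flashback_scan.sh "$HOME" /Applications
# A non-zero exit status means at least one indicator was found.
if [ $# -ge 1 ]; then
    flashback_scan "$@"
fi
```

The scan only reports; removal is left to the operator, because the right response to a hit is to preserve the files for inspection rather than delete them. A zero result means none of these particular indicators were present, not that the machine is clean, which is the lesson of the comment above: the published F-Secure checks passed while two more components were still running, and it took an outbound-connection monitor to notice them.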
  • Reply 9 of 28
    jeffdm (member, 12,951 posts)
    I thought Apple got rid of Java, did I miss something?
  • Reply 10 of 28
    marvfox (member, 2,275 posts)
    Quote:
    Originally Posted by ljocampo


    I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?



    Go to the Apple logo on the top and hit it and you will see Apple updates right there. I downloaded 2 today. i have the LION OS also.
  • Reply 11 of 28
    nkhm (member, 928 posts)
    Quote:
    Originally Posted by JeffDM


    I thought Apple got rid of Java, did I miss something?



    Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third party software, such as the Flash plug-in. It's third party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.



    I think their judgement in leaving java behind has now been justified...
  • Reply 12 of 28
    I've had Java disabled in my Safari security prefs for years (something similar to this was going around, I suspect).



    What am I missing by not having Java enabled? As far as I can tell, the sites operate quite well without Java.
  • Reply 13 of 28
    Quote:
    Originally Posted by ljocampo


    I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?



    You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.
  • Reply 14 of 28
    dshan (member, 53 posts)
    The new Java update fixed my problem launching Stanza on Lion that started with the first update. I was about to give up on Stanza and accept it was just too old but now it's back to working fine again. Obviously the first Java update broke some existing apps and that has now been corrected.
  • Reply 15 of 28
    maltz (member, 453 posts)
    Quote:
    Originally Posted by linuxhead64


    You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.



    Actually, my recommendation would be to not install it at all unless you have a need for it. Especially given Apple's tendency to release updates for it weeks/months after Oracle does.
  • Reply 16 of 28
    jeffdm (member, 12,951 posts)
    Quote:
    Originally Posted by nkhm


    Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third party software, such as the Flash plug-in. It's third party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.



    I think their judgement in leaving java behind has now been justified...



    I raised my question because I thought that Apple wasn't supporting it or including anymore, but the updates are still coming through Apple, for the latest OS.
  • Reply 17 of 28
    welshdog (member, 1,897 posts)
    I know E*trade uses Java for their real time streaming quotes so I have to keep it activated in Safari. Java is not quite dead just yet. I bet there are a lot of sites using it legitimately.
  • Reply 18 of 28
    Quote:

    Today we re-shipped our Java 1.6.0_31 for OS X Lion today... This new "Java for OS X 2012-002" ... identical to "Java for OS X 2012-001" ... Java for Mac OS X 10.6 Update 7...



    WTF is with all these different naming conventions? No wonder users are confused about which is the most recent version for their system and whether they've been updated.
  • Reply 19 of 28
    ericblr (member, 172 posts)
    I wonder where "solipsism x" and "mister me" are right now? Surely they would like to weigh in on the mac virus debacle. Perhaps they are too busy eating crow right now.
  • Reply 20 of 28
    javacowboy (member, 864 posts)
    I'm generally on Apple's side whenever some media outlet cries wolf over some imagined Apple security blunder. In the past, it's all been massively exaggerated.



    However, in this case, Apple really screwed up. They screwed up because 10 years ago they insisted on distributing their own version of Java, and then backed away from that commitment and neglected Java to the point where major updates would be a year late and security updates were months late.



    This is the case of the latter. It's one thing to delay integrating features, which is an acceptable annoyance. But delaying these sorts of security updates, especially for trojans/viruses that can bypass a user's administrative password, is grossly irresponsible.



    Until Apple can completely hand over OS X Java distribution to Oracle (the Java 7 JRE will be distributed by Oracle in the fall), Apple needs to be far more vigilant in applying these sorts of security updates.



    Also, Apple needs to ensure that Java is disabled by default in Safari, which I don't believe it is now.



    And, for the record, I know the "600,000" Mac botnet figure is exaggerated. That doesn't excuse Apple's neglect.