New Java vulnerability affects Macs, could lead to more malware

post #1 of 45
Thread Starter 
Researchers announced on Monday that hackers are taking advantage of a zero-day vulnerability in Oracle's Java 7, with the newly discovered flaw able to exploit any platform, including Apple's OS X.

According to Tod Beardsley, engineering manager for open-source testing framework Metasploit, hackers can use the bug to compromise any system through a web browser running the latest Java software, reports Computerworld.

While there have yet to be reports of the new exploit affecting Macs, Errata Security confirmed the Metasploit exploit is effective against the latest Java 1.7 runtime on Apple's latest OS X 10.8 Mountain Lion.

Mac users running older versions of OS X, like Snow Leopard or Leopard, could be more vulnerable as those operating systems came bundled with Java; however, the new exploit is actually in Oracle's latest software, dubbed "Update 6."

"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.

He went on to call the bug "super dangerous" and said a potential piece of malware can feasibly compromise the security of a Mac by simply having a user visit a website that is host to the attack code. This means both purpose-built malicious sites as well as those which have been hacked can compromise a system.

"What is more worrisome is the potential for this to be used by other malware developers in the near future," said antivirus vendor Intego. "Java applets have been part of the installation process for almost every malware attack on OS X this year."

[Image: Java Check. Screenshot from Java's website-based installation checker as viewed in Safari. Source: Java]


As Oracle has not yet released a patch for the exploit, Beardsley recommends users disable Java until one is pushed out.

Mac users can visit Java's site here to check if they have the 1.7 runtime installed. Alternately, the "Java Preferences" application can also be used to make sure the software is disabled.

The new flaw is the latest in a number of security holes found in Java code on OS X, including the infamous Flashback trojan that reportedly affected some 600,000 Macs worldwide. Apple released a removal tool specifically tailored for the malware, later disabling the Java runtime in subsequent versions of Safari. Java was removed from OS X when Lion was released last year, forcing users to authorize a browser request to download and install the software if an applet for the runtime appears.
post #2 of 45

I really do hate plugins.

Tim Cook using Galaxy Tabs as frisbees
post #3 of 45

As a heads up - if you remove Java 7, and try to run an app that requires Java, MacOS will prompt you if you want to install the needed runtime.

 

The one it installs (on 10.8.1 at least) is Java 6 Update 33.

post #4 of 45

Turn off Java in your preferred browser.

 

If you have to visit a site that requires Java - do it in an alternative browser.

post #5 of 45
Quote:
Originally Posted by Gustav View Post

Turn off Java in your preferred browser.

 

If you have to visit a site that requires Java - do it in an alternative browser.

The report did not indicate the problem was with Safari but Java 7. If that is the case, an alternative browser is not going to solve the problem.


Edited by waldobushman - 8/28/12 at 8:31am
post #6 of 45

Java is dead, when will people stop making Java apps? Shit, web apps are as powerful as java apps, without the security flaws or performance penalties.

post #7 of 45
Quote:
Originally Posted by Gustav View Post

Turn off Java in your preferred browser.

 

If you have to visit a site that requires Java - do it in an alternative browser.

Java and Javascript are COMPLETELY separate, and amazingly dissimilar; the only similarity is that Java has a browser plugin. There's nothing wrong with Javascript. Be sure to know the difference before you slander a perfectly fine product.

post #8 of 45

How do I determine whether I have any Java?

iSam

post #9 of 45
It is getting to the point where I am going to need to make single-purpose, read-only VMs to deal with this crap. At that point, about all that is left is host compromises and key loggers.

Had to install Java last week to run Cisco's ASDM...
post #10 of 45

Java... is this the next Flash?

/

/

/

Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash.  Today we have no Jobs, no Hope and no Cash.

Reply

Ten years ago, we had Steve Jobs, Bob Hope and Johnny Cash.  Today we have no Jobs, no Hope and no Cash.

Reply
post #11 of 45
Quote:
Originally Posted by iSam86 View Post

How do I determine whether I have any Java?

iSam

 

Maybe there's a better way, but one way is simply to go to a website that requires Java and if it tells you that Java is not installed or disabled, then that's one way to find out. In Safari preferences/security, you have to have Java enabled of course.

 

Off the top of my head, one site which I recently visited which I know requires Java is keepvid.com. It's one of the popular sites for downloading and saving YouTube videos, and it's also the very first Google search result when you search for that topic.

post #12 of 45
Software has critical flaw. World in shock.

When is accountability going to be enforced upon the computer industry? What other industry has so little accountability? Even the major pollution makers are watched and regulated.

http://angryartboy.blogspot.com/2012/08/still-no-accountability-in-computer.html
post #13 of 45
Quote:
Originally Posted by marcusj0015 View Post

Java is dead, when will people stop making Java apps? Shit, web apps are as powerful as java apps, without the security flaws or performance penalties.

 

Why do people always troll with uninformed assumptions? If you're not a programmer, stop telling people how much you think you know about coding.

Groupthink is bad, mkay. Think Different is the motto.
post #14 of 45
Quote:
Originally Posted by marcusj0015 View Post

Java and Javascript are COMPLETELY separate, and amazingly dissimilar; the only similarity is that Java has a browser plugin. There's nothing wrong with Javascript. Be sure to know the difference before you slander a perfectly fine product.

 

You are just filled with misinformation, aren't you? That person wasn't talking about JavaScript, and Java and JavaScript are NOT both plugins. Java is a plugin (as that person stated) that can be turned off. Java and JavaScript are NOTHING alike. 

Groupthink is bad, mkay. Think Different is the motto.
post #15 of 45
Quote:
Originally Posted by iSam86 View Post

How do I determine whether I have any Java?

iSam

 

No worries, dude. You'd only have this vulnerability if you went out of your way to install Java from Sun's site. The installer most people are presented with as an option after a Mountain Lion upgrade, or on any older version of OS X, is Java 6 (1.6), which is not the guilty party here. I'm thinking this is mostly a Windows issue because they run some Java installer / update checker that keeps them constantly upgrading Java, and OS X historically hasn't cared to.

Groupthink is bad, mkay. Think Different is the motto.
post #16 of 45
Quote:
Originally Posted by Rot'nApple View Post

Java... is this the next Flash?

/

/

/

 

^--- seriously ignorant stuff goes down in this forum

Groupthink is bad, mkay. Think Different is the motto.
post #17 of 45
I just disable Java. Very few sites that I visit require the Java module. If a site really requires it, like one ADSL broadband speed test I know, or when I update my Java runtime, I just temporarily enable it. Simples.
post #18 of 45

Why doesn't Oracle just abandon their web plugin? The real strength of the platform is on the server side, and the client side is just giving it a bad name.

post #19 of 45

I wish there was a working uninstaller for Java. To my knowledge there isn't. And it's rather obnoxious to provide a software but not offer an uninstaller as well.

post #20 of 45

Still think Macs don't need antivirus? Time to wake up and properly protect your Mac. Sure you can cut off Java, but there are other trojan horses that can infect your Mac WITHOUT Java. I too used to be a smug Apple fanboy who thought this day would never come... so much for that, I had to "change my ways". Running Eset Cybersecurity for Mac and proud of it.

Switching From Windows on Nov. 30th 2007
-------------------------------------
MacBook Pro 13" 2011
post #21 of 45
Quote:
Originally Posted by internetworld7 View Post

Still think Macs don't need antivirus? Time to wake up and properly protect your Mac. Sure you can cut off Java, but there are other trojan horses that can infect your Mac WITHOUT Java. I too used to be a smug Apple fanboy who thought this day would never come... so much for that, I had to "change my ways". Running Eset Cybersecurity for Mac and proud of it.

Haha.  Okay, whatever.

post #22 of 45
Quote:
Originally Posted by ascii View Post

Why doesn't Oracle just abandon their web plugin? The real strength of the platform is on the server side, and the client side is just giving it a bad name.

It would be a quick fix but Applets have some advanced functionality like multi-threading and it's clear to see the benefits when you can run Battlefield 3 right in your browser:

http://www.gaikai.com/

It also powers the most popular MMORPG, Runescape. This functionality can be provided as an app but we still don't have the same appification on the desktop that we do on mobile yet.

Some people still like the idea of apps being delivered completely by the browser and you'd have to question if Runescape wasn't delivered via the browser but by an app, would it be the most popular MMORPG?

On the other hand, the amount of cases where Applets are used to their potential are so few, nobody is adopting it for the vast majority of web deployment and the security risk is always going to be present. A better solution might be to have a whitelist for execution. So the applet functionality is disabled but when you visit a site that needs Java, you manually add its URL to the whitelist (no automated way of enabling via popup) and Java will only execute for the sites you decide. The same would be good for all plugins.

I think it's a good idea to draw a line between high-privileged secured code and low-privileged easily accessible code. The best place to draw the line will be debated by every company pushing their own solutions. It seems that the iOS platform has done it the best way except for the fact that Apple reserves the right to block apps beyond just security threats.
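The per-site whitelist proposed in the post above, worked through as an added example (not code from this thread, from any browser, or from Oracle): a plugin such as Java stays disabled unless the page's exact origin is on a list the user edits by hand, with no site-triggered prompt. The origins and host names used here are constructed.

```javascript
// Added example: user-maintained origin allowlist for plugin execution.
// Entries are exact origins (scheme + host + port). Constructed sample data.
const userAllowlist = new Set([
  "https://speedtest.example",   // constructed entry
  "http://runescape.example",    // constructed entry
]);

// Normalise a page URL to its origin. Anything that is not a real http(s)
// page (data:, about:, file:, malformed input) returns null and stays blocked.
function pageOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // url.origin lower-cases the host and drops a default port, so
  // "HTTPS://Speedtest.example:443/x" and "https://speedtest.example/" agree.
  return url.origin;
}

// Decide whether a plugin may run on a page. Only an exact origin match allows
// it: subdomains, look-alike hosts, a different scheme or a different port miss.
function pluginDecision(pluginName, pageUrl, allowlist) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) {
    return { allow: false, reason: "not an http(s) page" };
  }
  if (allowlist.has(origin)) {
    return { allow: true, reason: origin + " is on the user's allowlist" };
  }
  return { allow: false, reason: pluginName + " blocked for " + origin };
}

// The only way onto the list is an explicit user action on the page they are
// viewing; the entry stored is that page's exact origin, never a pattern.
function userAllowsOrigin(pageUrl, allowlist) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return false;
  allowlist.add(origin);
  return true;
}

// Stand-alone demonstration of the policy on a few constructed page URLs.
for (const u of ["https://speedtest.example/run",
                 "https://evil.speedtest.example/",
                 "http://speedtest.example/",
                 "data:text/html,<applet>"]) {
  const d = pluginDecision("Java", u, userAllowlist);
  console.log((d.allow ? "ALLOW " : "BLOCK ") + u + "  (" + d.reason + ")");
}
```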
post #23 of 45

I have version 6 update 33 I just checked it. Should I download the latest one or just keep what I have now? Thanks
 

post #24 of 45

@marvfox If you wanna be in the boat of the guys with a security hole install Java 7.

post #25 of 45
Quote:
Originally Posted by waldobushman View Post

The report did indicate the problem was with Safari but Java 7. If that is the case, an alternative browser is not going to solve the problem.

 

I believe the suggestion is to have Java permanently disabled in your favorite browser of choice for everyday use, and when you run across a site which requires Java for content that you want to access, instead of changing the setting, accessing the content, then changing the setting back (either or both of which might require a browser restart), you instead have an alternate browser installed with Java not disabled by default, such that you could simply switch to that browser to access the Java content and then switch back to your primary browser.

 

I use ClickToFlash - someone should write a ClickToJava plugin. 

post #26 of 45
This is a misleading article. It leaves out important facts like Java 1.7 being a manual download from Oracle.com, and that only in the last month has a non-beta version become available for Mac users. Most Mac users do not have Java 1.7 installed, and Apple continues to update the newest version of 1.6 on Lion and Mountain Lion.
post #27 of 45
Quote:
Originally Posted by iSam86 View Post

How do I determine whether I have any Java?

iSam

 

http://reviews.cnet.com/8301-13727_7-57408841-263/how-to-check-for-and-disable-java-in-os-x/

 

 

Quote:
Originally Posted by dysamoria View Post

Software has critical flaw. World in shock.
 
*SNIP URL and such*

 

No one wants to read your shitty blog.  Go pimp it somewhere else.

 

Quote:
Originally Posted by internetworld7 View Post

Still think Macs don't need antivirus? Time to wake up and properly protect your Mac. Sure you can cut off Java, but there are other trojan horses that can infect your Mac WITHOUT Java. I too used to be a smug Apple fanboy who thought this day would never come... so much for that, I had to "change my ways". Running Eset Cybersecurity for Mac and proud of it.

 

Shilling for virus programs.  Yay.  Definitely adds to the conversation /s

post #28 of 45
Quote:
Originally Posted by AppleInsider View Post

Alternately, the "Java Preferences" application can also be used to make sure the software is disabled.

 

Some remarks:

 

1) I disabled Java a long time ago and never missed it. If by chance I land on a Java-powered site, I just try to find another equivalent site. There must be one.

 

2) I never had to use a Java application. Do they exist?

 

3) Apple should put "Java Preference" Manager in the Preference Pane. Looking for it in the Applications/Utilities folder is awkward. 

post #29 of 45
Quote:
Originally Posted by iSam86 View Post

How do I determine whether I have any Java?

 

Go to the "Utilities" folder inside the "Applications" folder, look for the "Java Preferences" app and launch it. You'll know everything Java on your Mac.

post #30 of 45
Quote:
Originally Posted by Marvin View Post


It would be a quick fix but Applets have some advanced functionality like multi-threading and it's clear to see the benefits when you can run Battlefield 3 right in your browser:
http://www.gaikai.com/
It also powers the most popular MMORPG, Runescape. This functionality can be provided as an app but we still don't have the same appification on the desktop that we do on mobile yet.
Some people still like the idea of apps being delivered completely by the browser and you'd have to question if Runescape wasn't delivered via the browser but by an app, would it be the most popular MMORPG?
On the other hand, the amount of cases where Applets are used to their potential are so few, nobody is adopting it for the vast majority of web deployment and the security risk is always going to be present. A better solution might be to have a whitelist for execution. So the applet functionality is disabled but when you visit a site that needs Java, you manually add its URL to the whitelist (no automated way of enabling via popup) and Java will only execute for the sites you decide. The same would be good for all plugins.
I think it's a good idea to draw a line between high-privileged secured code and low-privileged easily accessible code. The best place to draw the line will be debated by every company pushing their own solutions. It seems that the iOS platform has done it the best way except for the fact that Apple reserves the right to block apps beyond just security threats.

 

Java is more than a server-side platform. I'll agree that web applications using a Java plug-in are less than ideal, but standard web applications without Java are quite crappy in my opinion. Oracle is now pushing Java user interface development using the JavaFX platform and the Netbeans platform for application development. The goal is to deliver rich UI applications to users' desktops running Java as one would any Mac or iOS or Windows application, without the need to use a web browser. In addition, the JVM is becoming an execution platform for programming languages other than Java itself, while still allowing access to significant Java/JVM libraries and developer support subsystems such as those developed by the Apache group. Then there are JVM-to-native compilers, which might give a best-of-all-worlds solution for application development and deployment.

 

Looking at the computing world through a developer's eyes, being able to "write once, deploy everywhere" is still the Holy Grail, and Java VM shouldn't be overlooked. However, neither Android nor iOS devices would be able to participate -- that's the rub. 

post #31 of 45
Quote:
Originally Posted by SSquirrel View Post

 

http://reviews.cnet.com/8301-13727_7-57408841-263/how-to-check-for-and-disable-java-in-os-x/

 

 

 

No one wants to read your shitty blog.  Go pimp it somewhere else.

 

 

Shilling for virus programs.  Yay.  Definitely adds to the conversation /s

Shilling for virus programs? Lol. I wonder how the over 600,000 Mac owners would feel about your smug Apple fanboy comment? For the record, I do not believe antivirus is mandatory for Macs as it is for PCs, but Mac threats are truly growing and antivirus for the Mac should be seriously considered.

Switching From Windows on Nov. 30th 2007
-------------------------------------
MacBook Pro 13" 2011
post #32 of 45
Quote:
Originally Posted by internetworld7 View Post

I wonder how the over 600,000 Mac owners would feel about your smug Apple fanboy comment?

 

That number was never the truth. But you'd know that if you'd been paying attention. It was sheer fabrication. We don't use "fanboy".


…antivirus for the mac should be seriously considered.

 

Abject nonsense.

post #33 of 45
Quote:
Originally Posted by internetworld7 View Post

Shilling for virus programs? Lol. I wonder how the over 600,000 mac owners would feel about your smug Apple fanboy comment? For the record I do not believe antivirus is mandatory for macs as it is for PC's but mac threats are truly growing and antivirus for the mac should be seriously considered.

 

I could care less how they feel.  Your post read like an advertisement for the AV program.  You are the only one who self-identified as a fanboy.  There are random people (and AV companies) who say that of course we need AV on the Mac, but no one EVER does a real article about it.  We never see articles that actually test the abilities of AV programs on the Mac.  I had a sub to MaximumPC for 14 years and I saw plenty of those articles over the years and they were very detailed.  ArsTechnica did an article about Mac AV about 2 months ago, but it wasn't actually testing the protective and removal capabilities.  It basically ended up being "This one looks pretty and is easy to use, this one is less so", which accomplishes jack shit.

post #34 of 45
Quote:
Originally Posted by Marvin View Post


It also powers the most popular MMORPG, Runescape. This functionality can be provided as an app but we still don't have the same appification on the desktop that we do on mobile yet.
Some people still like the idea of apps being delivered completely by the browser and you'd have to question if Runescape wasn't delivered via the browser but by an app, would it be the most popular MMORPG?
 

We're approaching the point where the browser itself can do it without a plugin, e.g.

http://arstechnica.com/information-technology/2012/08/firefox-15-arrives-supports-compressed-textures-for-impressive-3d-gaming/

 

Not there yet, but speaking personally, it's coming faster than I expected.

post #35 of 45
Quote:
Someone should write a ClickToJava plugin.
Try ClickToPlugin, from the same developer.
post #36 of 45
Quote:
Originally Posted by marcusj0015 View Post

Java is dead, when will people stop making Java apps? Shit, web apps are as powerful as java apps, without the security flaws or performance penalties.

Riiight.  That's why many browsers pulled support for WebSockets (a web app technology) a little while back due to security issues.

 

It took me less than a week to port a fairly complex Objective-C app I'd written for iOS to Java (in order to create a compatible, browser-based version of it) due to those programming languages being so similar.  I can't imagine how long it would take to port that same code to be a web app which works as well in the multitude of web browsers out there (if it'd even be possible).

 
post #37 of 45
Quote:
Originally Posted by ascii View Post

Why doesn't Oracle just abandon their web plugin? The real strength of the platform is on the server side, and the client side is just giving it a bad name.

Because the client-side plugin also allows for some very fast back and forth with the server side. Sadly, it's also, on occasion, the source of badware.

Groupthink is bad, mkay. Think Different is the motto.
post #38 of 45
Quote:
Originally Posted by Marvin View Post


It would be a quick fix but Applets have some advanced functionality like multi-threading and it's clear to see the benefits when you can run Battlefield 3 right in your browser:
http://www.gaikai.com/
It also powers the most popular MMORPG, Runescape. This functionality can be provided as an app but we still don't have the same appification on the desktop that we do on mobile yet.
Some people still like the idea of apps being delivered completely by the browser and you'd have to question if Runescape wasn't delivered via the browser but by an app, would it be the most popular MMORPG?
On the other hand, the amount of cases where Applets are used to their potential are so few, nobody is adopting it for the vast majority of web deployment and the security risk is always going to be present. A better solution might be to have a whitelist for execution. So the applet functionality is disabled but when you visit a site that needs Java, you manually add its URL to the whitelist (no automated way of enabling via popup) and Java will only execute for the sites you decide. The same would be good for all plugins.
I think it's a good idea to draw a line between high-privileged secured code and low-privileged easily accessible code. The best place to draw the line will be debated by every company pushing their own solutions. It seems that the iOS platform has done it the best way except for the fact that Apple reserves the right to block apps beyond just security threats.

 

http://examplesite.com wants to use Java.  [Allow] [Ignore]

 

Something like a location request? Totally agree. 

Groupthink is bad, mkay. Think Different is the motto.
post #39 of 45
Quote:
Originally Posted by internetworld7 View Post

Shilling for virus programs? Lol. I wonder how the over 600,000 mac owners would feel about your smug Apple fanboy comment? For the record I do not believe antivirus is mandatory for macs as it is for PC's but mac threats are truly growing and antivirus for the mac should be seriously considered.

You mean the ones that downloaded a Mac antivirus software app that ended up being malware? I would imagine they feel betrayed and annoyed.

Groupthink is bad, mkay. Think Different is the motto.
post #40 of 45
Quote:
Originally Posted by waldobushman 
standard web applications without Java are quite crappy in my opinion.

They don't have to dynamically start a VM though and I've never seen an attractive or particularly useful Java Applet online.
Quote:
Originally Posted by waldobushman 
Oracle is now pushing java user interface development using the JavaFX platform and the Netbeans platform for application development.

The goal is to deliver rich UI applications to users' desktops running java as one would any Mac or IOS or Windows application, without the need to use a web browser.

Java's use of non-native UI frameworks has long been a problem for Mac users and I don't see it changing. You end up with rendering glitches, ugly appearance and unexpected behaviour. With UIs for Retina displays, gestures and hardware rendering through Apple's core frameworks, non-standard frameworks just won't hold up. It would be a stop-gap at best and the developers would be hassled to death to develop a proper Cocoa UI and then the cross-platform aspect is largely unnecessary anyway.

This happened ages ago with some Linux apps when OS X came out, they tried to use cross-platform UI frameworks and it just didn't work. I can't remember if VLC was like this but similar apps.
Quote:
Originally Posted by waldobushman 
Looking at the computing world through a developer's eyes, being able to "write once, deploy everywhere" is still the Holy Grail, and Java VM shouldn't be overlooked. However, neither Android nor iOS devices would be able to participate -- that's the rub. 

Yeah, cross-platform binaries will be a holy grail to some people but they are much easier to reverse engineer too. Obviously they can be obfuscated but then become harder to debug. The more I see cross-platform deployment, I don't think cross-platform binaries are an issue any more. Expecting your userbase to have the right VM installed would be a bigger hurdle IMO - does Java even come pre-installed on any platform now? Having to ask someone to install a VM to run your cross-platform app isn't an elegant solution.
Quote:
Originally Posted by ascii 
We're approaching the point where the browser itself can do it without a plugin. Not there yet, but speaking personally, it's coming faster than I expected.

Yes, web standards have really had a shot in the arm over the last few years and clearly driven by mobile platforms. Without Flash and Java there, there's not really much other option. I don't see big things ahead for rich web apps though, I think people will draw a line in the sand with native apps on one side and cool websites on the other.

This goes beyond functionality and into human behaviour. If I put a newspaper online and charge $1 to visit the site, you likely won't pay for it because you expect the web to be free. If I wrap that newspaper in an app and charge $1, people will buy it because it becomes a product even if it's exactly the same code. I don't see the web ever being able to monetize commercial software the way that apps can. Through advertising sure but not everybody wants to use the ad-supported model.

One example I used myself that is an exception was Runescape but I don't see that distribution model being mainstream for apps other than games. Streaming services like Gaikai clearly have a future, which is why Sony bought them.
Quote:
Originally Posted by auxio 
Riiight. That's why many browsers pulled support for WebSockets (a web app technology) a little while back due to security issues.

Native technology certainly has its own security issues - WebGL had some too - but plugins take control away from the platform operator. A user can have multiple plugins installed and have to ensure they are all up to date. In the case of Java, there's a security risk in a plugin that most people won't have ever used.