Apple issues second OS X Java update this week
Apple on Thursday rolled out its second Java update for OS X in less than a week via Software Update.
Java for OS X 2012-002 appeared on Software Update just two days after version 2012-001 was released on Tuesday. Apple also released Java for Mac OS X 10.6 Update 7 earlier in the week.
It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update. Java for OS X 2012-001 resolved multiple vulnerabilities in Java, the most serious of which could "allow an untrusted Java applet to execute arbitrary code outside the Java sandbox."
On Wednesday, a Russian antivirus company revealed that an estimated 600,000 Macs had been infected by a "Flashback" trojan that exploited the Java vulnerability to turn the computers into bots. The majority of the infected computers were located in the U.S.

The virus was first discovered by a security firm last September. F-Secure has posted a tutorial on how to detect and remove the threat.
Comments
I just installed this second update and my external monitor at home immediately started working again.
It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update.
In fact, the "Download" button brings down 2012-001, not 2012-002. The SHA1 hash of the "new" download matches that of 2012-001. At least, that was the case an hour or so ago when I downloaded it.
So it appears as if Apple merely changed the name of the entry on the Support Downloads page, but not the issue date or that to which it links (info or file).
Edit: Since posting, I have found what was changed by Apple in this new Java update. This is from Apple's Java mailing list:
Java developers,
Today we re-shipped our Java 1.6.0_31 for OS X Lion to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.
We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.
Manual download links:
Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>
Java for Mac OS X 10.6 Update 7: <http://support.apple.com/kb/DL1516>
...
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.
Manual download links:
Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>
...
That link does not work for me. As I said, it downloads 2012-001. After installation, Software Update still wants to install 002.
Eventually, I captured 002 by copying the directory produced by Software Update (before the install completes and deletes it) - /Library/Updates/041-5436. I was then able to copy this directory to my other machines and install 002 by executing the package 041-5436.English.dist.
I understand that the Java packagers wanted to get a release out immediately and cut a lot of corners. However, I don't believe that they should have changed the name of the 001 update on the Support Downloads page.
If the update is only available through Software Update, they should just have pulled the 001 package from the Support Downloads page.
I'm sure that many people will be confused (as I was) by downloading what they believed to be the 002 update from the Support Downloads page, only to have it re-install the 001 package.
Little Snitch informed me that a file named .rserv (~/.rserv) in my Users directory on my Mac was trying to connect to cuojshtbohtnet.com or .net and several other strange sounding web sites. I denied them doing so and Googled .rserv and another program on my Mac that was doing similar attempts.
Also watch out for a file named com.adobe.reader.plist in the user launch agents directory. It was attempting to contact these same strange websites as .rserv was. I Googled these names and found that in the last few days many other Mac users are seeing this same behavior when catching these "buggers" via the "Little Snitch" app.
Again, even though my system showed clean via the F-Secure instructions after I removed the infected files they mention, I believe I still had 2 other infected program files (same file date of March 29th also) related to this trojan that went undetected, and were only found by running this "Little Snitch" app which monitors programs trying to use your outgoing Internet connection.
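A defender-side check for the two artifacts named in the comment above, written as an added example (not from the article or any commenter). It looks for ~/.rserv and ~/Library/LaunchAgents/com.adobe.reader.plist in a given home directory; the third step, sweeping other per-user launch agents for references to hidden files in the home directory, is an added heuristic and an assumption, not something the thread states.

```shell
#!/bin/sh
# Usage: flashback_check <home_dir>
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
flashback_check() {
    home="$1"
    found=0
    agents="$home/Library/LaunchAgents"

    # 1. The hidden file the commenter saw Little Snitch flag: ~/.rserv
    if [ -e "$home/.rserv" ]; then
        echo "FOUND: $home/.rserv (hidden file reported as a Flashback component)"
        found=1
    fi

    # 2. The launch agent masquerading as an Adobe Reader plist
    if [ -e "$agents/com.adobe.reader.plist" ]; then
        echo "FOUND: $agents/com.adobe.reader.plist (launch agent reported as a Flashback component)"
        found=1
    fi

    # 3. Heuristic (assumption, not from the thread): any other launch agent
    #    whose contents point at a dotfile directly under the home directory,
    #    either as an absolute path or as "~/.something".
    if [ -d "$agents" ]; then
        for plist in "$agents"/*.plist; do
            [ -f "$plist" ] || continue
            [ "$plist" = "$agents/com.adobe.reader.plist" ] && continue
            if grep -qF -e "$home/." -e "~/." "$plist" 2>/dev/null; then
                echo "SUSPECT: $plist references a hidden file under the home directory"
                found=1
            fi
        done
    fi

    return $found
}
```

Run it as `flashback_check "$HOME"`; a non-zero exit status means something was reported and should be inspected by hand, since a matching filename alone does not prove infection.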
I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?
Go to the Apple logo on the top and hit it and you will see Apple updates right there. I downloaded 2 today. I have the LION OS also.
I thought Apple got rid of Java, did I miss something?
Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third-party software, such as the Flash plug-in. It's third-party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.
I think their judgement in leaving java behind has now been justified...
What am I missing by not having Java enabled? As far as I can tell, the sites operate quite well without Java.
I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?
You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.
You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.
Actually, my recommendation would be to not install it at all unless you have a need for it. Especially given Apple's tendency to release updates for it weeks/months after Oracle does.
Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third-party software, such as the Flash plug-in. It's third-party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.
I think their judgement in leaving java behind has now been justified...
I raised my question because I thought that Apple wasn't supporting it or including anymore, but the updates are still coming through Apple, for the latest OS.
Today we re-shipped our Java 1.6.0_31 for OS X Lion today...This new "Java for OS X 2012-002" ... identical to "Java for OS X 2012-001..Java for Mac OS X 10.6 Update 7...
WTF is with all these different naming conventions? No wonder users are confused about which is the most recent version for their system and whether they've been updated.
However, in this case, Apple really screwed up. They screwed up because 10 years ago they insisted on distributing their own version of Java, and then backed away from that commitment and neglected Java to the point where major updates would be a year late and security updates were months late.
This is the case of the latter. It's one thing to delay integrating features, which is an acceptable annoyance. But delaying these sorts of security updates, especially for trojans/viruses that can bypass a user's administrative password, is grossly irresponsible.
Until Apple can completely hand over OS X Java distribution to Oracle (the Java 7 JRE will be distributed by Oracle in the fall), Apple needs to be far more vigilant in applying these sorts of security updates.
Also, Apple needs to ensure that Java is disabled by default in Safari, which I don't believe it is now.
And, for the record, I know the "600,000" Mac botnet figure is exaggerated. That doesn't excuse Apple's neglect.