New Java vulnerability affects Macs, could lead to more malware

Posted:
in General Discussion edited January 2014
Researchers announced on Monday that hackers are taking advantage of a zero-day vulnerability in Oracle's Java 7, with the newly discovered flaw able to exploit any platform, including Apple's OS X.

According to Tod Beardsley, engineering manager for open-source testing framework Metasploit, hackers can use the bug to compromise any system through a web browser running the latest Java software, reports Computerworld.

While there have yet to be reports of the new exploit affecting Macs, Errata Security confirmed the Metasploit exploit is effective against the latest Java 1.7 runtime on Apple's latest OS X 10.8 Mountain Lion.

Mac users running older versions of OS X, like Snow Leopard or Leopard, could be more vulnerable as those operating systems came bundled with Java, however the new exploit is actually in Oracle's latest software, dubbed "Update 6."

"The vulnerability is not in Java 6, it's in new functionality in Java 7," said Beardsley.

He went on to call the bug "super dangerous" and said a potential piece of malware can feasibly compromise the security of a Mac by simply having a user visit a website that is host to the attack code. This means both purpose-built malicious sites as well as those which have been hacked can compromise a system.

"What is more worrisome is the potential for this to be used by other malware developers in the near future," said antivirus vendor Intego. "Java applets have been part of the installation process for almost every malware attack on OS X this year."

Java Check
Screenshot from Java's website-based installation checker as viewed in Safari.
Source: Java


As Oracle has not yet released a patch for the exploit, Beardsley recommends users disable Java until one is pushed out.

Mac users can visit Java's site here to check if they have the 1.7 runtime installed. Alternately, the "Java Preferences" application can also be used to make sure the software is disabled.

The new flaw is the latest in a number of security holes found in Java code on OS X, including the infamous Flashback trojan that reportedly affected some 600,000 Macs worldwide. Apple released a removal tool specifically tailored for the malware, later disabling the Java runtime in subsequent versions of Safari. Java was removed from OS X when Lion was released last year, forcing users to authorize a browser request to download and install the software if an applet for the runtime appears.
«13

Comments

  • Reply 1 of 47


    I really do hate plugins image

  • Reply 2 of 47


    As a heads up - if you remove Java 7, and try to run an app that requires Java, MacOS will prompt you if you want to install the needed runtime.


     


    The one it installs (on 10.8.1 at least) is Java 6 Update 33.

  • Reply 3 of 47
    gustavgustav Posts: 823member


    Turn off Java in your preferred browser.


     


    If you have to visit a site that requires Java - do it in an alternative browser.

  • Reply 4 of 47

    Quote:

    Originally Posted by Gustav View Post


    Turn off Java in your preferred browser.


     


    If you have to visit a site that requires Java - do it in an alternative browser.



    The report did not indicate the problem was with Safari but Java 7. If that is the case, an alternative browser is not going to solve the problem.

  • Reply 5 of 47


    Java is dead, when will people stop making Java apps? Shit, web apps are as powerful as java apps, without the security flaws or performance penalties.

  • Reply 6 of 47

    Quote:

    Originally Posted by Gustav View Post


    Turn off Java in your preferred browser.


     


    If you have to visit a site that requires Java - do it in an alternative browser.



    Java and Javascript are COMPLETELY seperate, and amazingly dissimilar, the only similarity is that Java has a browser plugin. There's nothing wrong with Javascript. be sure to know the difference before you slander a perfectly fine product.

  • Reply 7 of 47


    How do I determine whether I have any Java?


    iSam

  • Reply 8 of 47
    aaarrrggghaaarrrgggh Posts: 1,568member
    It is getting to the point where I am going to need to make single-purpose, read-only VMs to deal with this crap. At that point, about all that is left is host compromises and key loggers.

    Had to install Java last week to run Cisco's ASDM...
  • Reply 9 of 47
    rot'napplerot'napple Posts: 1,839member


    Java... is this the next Flash?


    /


    /


    /

  • Reply 10 of 47
    apple ][apple ][ Posts: 8,360member

    Quote:

    Originally Posted by iSam86 View Post


    How do I determine whether I have any Java?


    iSam



     


    Maybe there's a better way, but one way is simply to go to a website that requires Java and if it tells you that Java is not installed or disabled, then that's one way to find out. In Safari preferences/security, you have to have Java enabled of course.


     


    Off the top of my head, one site which I recently visited which I know requires Java is keepvid.com, it's one of the popular sites for downloading and saving youtube videos and it's also the very first Google search result when you search for that topic.

  • Reply 11 of 47
    dysamoriadysamoria Posts: 1,913member
    Software has critical flaw. World in shock.

    When is accountability going to be enforced upon the computer industry? What other industry has so little accountability? Even the major pollution makers are watched and regulated.

    http://angryartboy.blogspot.com/2012/08/still-no-accountability-in-computer.html
  • Reply 12 of 47

    Quote:

    Originally Posted by marcusj0015 View Post


    Java is dead, when will people stop making Java apps? Shit, web apps are as powerful as java apps, without the security flaws or performance penalties.



     


    Why do people always troll with uninformed assumptions? If you're not a programmer, stop telling people how much you think you know about coding.

  • Reply 13 of 47

    Quote:

    Originally Posted by marcusj0015 View Post


    Java and Javascript are COMPLETELY seperate, and amazingly dissimilar, the only similarity is that Java has a browser plugin. There's nothing wrong with Javascript. be sure to know the difference before you slander a perfectly fine product.



     


    You are just filled with misinformation, aren't you? That person wasn't talking about JavaScript, and Java and JavaScript are NOT both plugins. Java is a plugin (as that person stated) that can be turned off. Java and JavaScript are NOTHING alike. 

  • Reply 14 of 47

    Quote:

    Originally Posted by iSam86 View Post


    How do I determine whether I have any Java?


    iSam



     


    No worries, dude. You'd only have this vulnerability if you went out of your way to install Java on Sun's site. The installer most people are presented with as an option after a mountain lion upgrade or having any older version of OS X is Java 6 (1.6) which is not the guilty party here. I'm thinking this is mostly a windows issue because they run some Java installer / update checker that keeps them constantly upgrading Java, and OS X historically hasn't cared to.

  • Reply 15 of 47

    Quote:

    Originally Posted by Rot'nApple View Post


    Java... is this the next Flash?


    /


    /


    /



     


    ^--- seriously ignorant stuff goes down in this forum

  • Reply 16 of 47
    I just disable Java. Very few sites that I visited require Java module. If the sites really require it, like one ADSL broadband speed test I know or when I update my Java runtime, I just temporarily enable it. Simples.
  • Reply 17 of 47
    asciiascii Posts: 5,941member


    Why doesn't Oracle just abandon their web plugin? The real strength of the platform is on the server side, and the client side is just giving it a bad name.

  • Reply 18 of 47


    I wish there was a working uninstaller for Java. To my knowledge there isn't. And it's rather obnoxious to provide a software but not offer an uninstaller as well.

  • Reply 19 of 47


    Still think macs don't need antivirus? Time to wake up and properly protect your mac. Sure you can cut off Java but there are other trojan horse that can infect your mac WITHOUT Java. I too use to be a smug Apple fanboy who thought this day would never come... so much for that, I had to "change my ways". Running Eset Cybersecurity for Mac and proud of it. 

  • Reply 20 of 47
    shogunshogun Posts: 360member

    Quote:

    Originally Posted by internetworld7 View Post


    Still think macs don't need antivirus? Time to wake up and properly protect your mac. Sure you can cut off Java but there are other trojan horse that can infect your mac WITHOUT Java. I too use to be a smug Apple fanboy who thought this day would never come... so much for that, I had to "change my ways". Running Eset Cybersecurity for Mac and proud of it. 



    Haha.  Okay, whatever.

Sign In or Register to comment.