Oracle's fix for zero-day Java flaw to be available 'shortly' [update: released]

Posted in macOS, edited January 2014
In response to the discovery of a Java 7 flaw that prompted Apple to disable the software in OS X, Oracle issued a statement saying it is currently working on a fix and will release the patch soon.



Oracle released the statement late Friday following a U.S. Department of Homeland Security recommendation that all Java 7 users disable or uninstall the software until a patch was issued, reports Reuters. Taking action on its own, Apple quietly disabled the plugin through its OS X anti-malware system shortly after hearing of the exploit.

A timeline as to when the fix will be pushed out is unknown as Oracle offered only a vague answer saying, "A fix will be available shortly."

The U.S. Department of Homeland Security said that Java's most-recent vulnerability is being "attacked in the wild, and is reported to be incorporated into exploit kits."

For its part, Oracle noted in its statement that the flaw only affects the most up-to-date version of Java 7 and Java software designed to run in Internet browsers.

Java and Apple have had a rocky relationship over the past few years, including a move to drop the Java runtime from OS X 10.7 Lion's default installation when the OS debuted in 2010. Another flaw in Oracle's internet plugin was responsible for the most widespread Mac malware ever when the "Flashback" trojan reportedly affected some 600,000 OS X machines in April 2012.

Apple continued efforts to deprecate Java from OS X over the past year, culminating in the company's final official in-house Java update issued in May 2012. From that point, all responsibility for future updates was handed over to Oracle.

Update: Oracle on Sunday released a fix to a Java 7 flaw discovered on Friday. Users can download the release here.

From the release notes:
The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

Comments

  • Reply 1 of 45
    It would be nice if Apple put out an update for older OS'es that would make it easy for novice users to completely remove Java from their Macs. (Not to be confused with the Apple update that disabled the Safari Java plugin.)

    While Lion and Mountain Lion don't contain Java, the OS Software Update automatically offers to install Java for the user when a Java app attempts to launch. There really needs to be a user setting to block that.
  • Reply 2 of 45
    Good News!

    Older versions of the Mac OS do not update V. 7 of Java. This problem is limited to the most up-to-date version of Java as stated by Oracle.

  • Reply 3 of 45
    Quote:

    Originally Posted by imagladry:

    Older versions of the Mac OS do not update V. 7 of Java. This problem is limited to the most up-to-date version of Java as stated by Oracle.

    THIS security problem is in Java 7.

    Last year there was a similar security issue with Java 6.

    And other security issues in versions past.......

  • Reply 4 of 45
    gctwnl

    Quote:

    Originally Posted by imagladry:

    Good News!

    Older versions of the Mac OS do not update V. 7 of Java. This problem is limited to the most up-to-date version of Java as stated by Oracle.

    Maybe not so, previous versions of Java are mentioned here too:

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

  • Reply 5 of 45
    I think the update is out. v7.10

  • Reply 6 of 45
    v7.10 is the old version. New one is a beta right now.
  • Reply 7 of 45
    Quote:

    While Lion and Mountain Lion don't contain Java, the OS Software Update automatically offers to install Java for the user when a Java app attempts to launch. There really needs to be a user setting to block that.

    There is... it's called the cancel button.

    On another note...

    There's nothing wrong with having Java on your machine... if you're running desktop apps from trusted sources (such as Eclipse), it's a perfectly valid application platform.

    The issue is browser based apps from untrusted sources that run automatically. An argument could (and should) be made that developers should be using alternatives when building browser based apps. HTML5 and straight up traditional web applications like those developed with frameworks like ExtJS are the way to go... even if the vast majority of application logic is already written in Java, it should be run on the server side, not the client. The security issues with browser based applets are not acceptable... unfortunate as there's a lot of efficiencies in the development process and some reduced functionality that we lose out on because of it.

    Once new technologies like JavaFX are fully baked, these questions become more difficult as you'll have a much more robust Java application platform, even for browser based apps. Unfortunately... the underlying security issues we repeatedly have to deal with in Java mean JavaFX is still only viable for full desktop applications from trusted sources.

  • Reply 8 of 45
    jragosta
    bobringer wrote: »
    There is... it's called the cancel button.

    On another note...

    There's nothing wrong with having Java on your machine... if you're running desktop apps from trusted sources (such as Eclipse), it's a perfectly valid application platform.

    The issue is browser based apps from untrusted sources that run automatically. An argument could (and should) be made that developers should be using alternatives when building browser based apps. HTML5 and straight up traditional web applications like those developed with frameworks like ExtJS are the way to go... even if the vast majority of application logic is already written in Java, it should be run on the server side, not the client. The security issues with browser based applets are not acceptable... unfortunate as there's a lot of efficiencies in the development process and some reduced functionality that we lose out on because of it.

    Once new technologies like JavaFX are fully baked, these questions become more difficult as you'll have a much more robust Java application platform, even for browser based apps. Unfortunately... the underlying security issues we repeatedly have to deal with in Java mean JavaFX is still only viable for full desktop applications from trusted sources.

    I agree completely with the bolded - particularly with the diversification of platforms out there.

    OS X is taking an increased share of desktop systems. iOS is growing. Android is growing. You now have Windows RT added to the Windows 8 platform. Add in Kindle (forked Android), RIM, etc, etc, etc and creating native apps for every platform (even using a tool like Java) becomes very complex and difficult to test. Writing a front end for each app with the app itself running on a server makes far more sense for web-based apps.
  • Reply 9 of 45
    gazoobee

    Quote:

    Originally Posted by OriginalMacRat:

    It would be nice if Apple put out an update for older OS'es that would make it easy for novice users to completely remove Java from their Macs. (Not to be confused with the Apple update that disabled the Safari Java plugin.)

    While Lion and Mountain Lion don't contain Java, the OS Software Update automatically offers to install Java for the user when a Java app attempts to launch. There really needs to be a user setting to block that.

    I wish those who ran websites would just stop using freaking java so that we don't need to have the java web plugin at all. This site for example.

    When is the tech press going to realise that unless you're a hard core geek, you don't actually want or need java at all, for anything. No end users "love java" or "enjoy java interfaces." They install it when they are asked to but no one actually goes out looking for it or wants it in any way. It's something forced upon us by uber-geeks who think it's cool or by businesses who have been coerced into using it by the same geeks.

    Flash, on the other hand, despite being just as crappy, and having even more problems than Java, is something that users actively want and seek out to install. The Flash plug-in is already disallowed, but suggestions that Java be removed from browsers are typically met with abject horror from the tech press. Java is a techie "darling" kind of thing that the industry and all the tech blog writers support, but that the public actually would rather went away entirely. Forever.

  • Reply 10 of 45
    jragosta
    gazoobee wrote: »
    I wish those who ran websites would just stop using freaking java so that we don't need to have the java web plugin at all. This site for example.

    When is the tech press going to realise that unless you're a hard core geek, you don't actually want or need java at all, for anything. No end users "love java" or "enjoy java interfaces." They install it when they are asked to but no one actually goes out looking for it or wants it in any way. It's something forced upon us by uber-geeks who think it's cool or by businesses who have been coerced into using it by the same geeks.

    Flash, on the other hand, despite being just as crappy, and having even more problems than Java, is something that users actively want and seek out to install. The Flash plug-in is already disallowed, but suggestions that Java be removed from browsers are typically met with abject horror from the tech press. Java is a techie "darling" kind of thing that the industry and all the tech blog writers support, but that the public actually would rather went away entirely. Forever.

    I disagree about Flash. The only reason users actively "want and seek out" Flash is because some sites require it - just like Java. I can't imagine why anyone would want Flash for its own sake. If all Flash sites were converted to html, I doubt if anyone would bother seeking out or wanting Flash. It's essentially the same situation as Java.
  • Reply 11 of 45
    Quote:

    Originally Posted by Gazoobee:

    I wish those who ran websites would just stop using freaking java so that we don't need to have the java web plugin at all. This site for example.

    What websites do you go to that actually use Java? I can't remember the last time I went to a site that required Java... at all.

    I'm also not sure what tech press fawns over browser based Java like you suggest. I sure haven't seen it... Those of us that "do" java know where it belongs. And we know it doesn't belong in the browser... as most web sites discovered in about 2002.

    Also... I don't know any users that seek out flash just for the sake of having flash on their machine. They use flash because the sites they go to require it. I do know a lot of users (like myself) who actively block flash unless we need to run a specific piece of embedded content. In my opinion... this is exactly the same as Java. Users don't want either just for the sake of having them... they use them because a site requires it. If half the video on the internet required a java based player, users would seek out java plugins just as they do flash plugins.

  • Reply 12 of 45
    My mom just texted me and asked if she should install java on her new PC (ugh, I know). I told her not to because of this. Does it affect PCs too?
  • Reply 13 of 45
    Quote:

    Originally Posted by Gazoobee:

    I wish those who ran websites would just stop using freaking java so that we don't need to have the java web plugin at all. This site for example.

    When is the tech press going to realise that unless you're a hard core geek, you don't actually want or need java at all, for anything. No end users "love java" or "enjoy java interfaces." They install it when they are asked to but no one actually goes out looking for it or wants it in any way. It's something forced upon us by uber-geeks who think it's cool or by businesses who have been coerced into using it by the same geeks.

    Flash, on the other hand, despite being just as crappy, and having even more problems than Java, is something that users actively want and seek out to install. The Flash plug-in is already disallowed, but suggestions that Java be removed from browsers are typically met with abject horror from the tech press. Java is a techie "darling" kind of thing that the industry and all the tech blog writers support, but that the public actually would rather went away entirely. Forever.

    The public doesn't care or get what you just wrote. The public wants free pirated Office and if the public cannot get it, it wants free OpenOffice, which means Java.

    Your anti-javaness just proves you don't understand what you are speaking about. Java is a great technology, it just needs better security updates.

    Also, Apple/Microsoft has a very clear business interest in "protecting" the user from Java, with its Apple/Microsoft AppStore. Apple currently requires you (unless you know enough to disable that setting, which is not a good idea...) to control-click to install "unsigned software", and Microsoft just prevents unsigned software from launching from Metro. Obviously, the goal is to get users accustomed to the idea that they cannot run software that doesn't come from the AppStore.

    It's the end of a world where your computer can run whatever you want, and the beginning of one where everything must be approved by big corporations. Removing Java (or Ruby/Python/LUA or any other interpreter/VM) is an obvious step towards that.

    Your anti-Java argument reminds me of Microsoft-fanboys' stance. It should be enough to prove it is a dangerous position to hold.

  • Reply 14 of 45
    gazoobee wrote: »
    I wish those who ran websites would just stop using freaking java so that we don't need to have the java web plugin at all.  This site for example.  

    When is the tech press going to realise that unless you're a hard core geek, you don't actually want or need java at all, for anything.  

    Same could probably be said about Flash. Especially with the growth of tablets which aren't powerful enough to run either well (which is why Apple left them out of iOS )
  • Reply 15 of 45

    The public doesn't care or get what you just wrote. The public wants free pirated Office

    Might shock you to find out that no, the public doesn't want pirated software. Cheap geeks yes, but the public at large actually buys legit copies

    And the fact that you can disable the setting makes your Big Brother comment basically moot in regards to Apple
  • Reply 16 of 45
    Quote:

    Originally Posted by bobringer:

    What websites do you go to that actually use Java? I can't remember the last time I went to a site that required Java... at all.

    I'm also not sure what tech press fawns over browser based Java like you suggest. I sure haven't seen it... Those of us that "do" java know where it belongs. And we know it doesn't belong in the browser... as most web sites discovered in about 2002.

    Also... I don't know any users that seek out flash just for the sake of having flash on their machine. They use flash because the sites they go to require it. I do know a lot of users (like myself) who actively block flash unless we need to run a specific piece of embedded content. In my opinion... this is exactly the same as Java. Users don't want either just for the sake of having them... they use them because a site requires it. If half the video on the internet required a java based player, users would seek out java plugins just as they do flash plugins.

    I agree entirely with these two latter points. As for the first one, I've had several websites demand Java recently, two of which required (and shipped by mail) a piece of hardware, and two others being government.

    All in all, I'm very curious to see how this is going to turn out. It is, after all, a matter of civil rights much more important than the right to carry guns, whether or not people can run whatever they want on their devices, which contain their information, which pretty much defines their life. Will we surrender those rights for "ease of use" and "corporation-approved security"?

    Also, what makes Oracle's security lesser than Apple's? Isn't Larry Ellison (he's Oracle like SJ was Apple...) the guy that SJ was official photographer to the wedding of? Sounds like someone I'd trust on matters of quality, not you? Seems to me that the only good reason to scrap Oracle's Java is to prevent non-Apple-controlled software from running on Apple hardware. Next step would be preventing GCC...

  • Reply 17 of 45
    Quote:

    All in all, I'm very curious to see how this is going to turn out. It is, after all, a matter of civil rights much more important than the right to carry guns, whether or not people can run whatever they want on their devices,

    Can't wait to see how that argument works out for you. Something tells me that it won't go as you think it should and we won't have companies like Apple being forced to 'jailbreak' their own OS etc any time soon. Particularly when the DMCA exemptions allow you to do it yourself without risk of legal action (just at the risk that the manufacturer won't warranty their hardware if you've done it and legally doesn't have to)
  • Reply 18 of 45
    Quote:

    Originally Posted by charlituna:

    Might shock you to find out that no, the public doesn't want pirated software. Cheap geeks yes, but the public at large actually buys legit copies

    Might shock you to find out that most geeks actually run Apple software on Apple hardware, or legal Visual Studio on Dells. I live in three countries and work with a lot of them geeks. Also, just look at any big geek conference, at the hardware they use. I run MBA/iMac/MBP, most of my friends have the same type of hardware. I don't have one single piece of illegal software, nor do they.

    Most un-geeks I know however run illegal software. Some don't even understand the bloody concept, they just had family install the software for them out of that well-known store, "Bittorrent"... Most of them perfectly know their software is pirated and don't give a shit. It annoys me a lot, because I make my living out of programming and I feel it's unfair to us geeks/developers that because our business is immaterial, people feel they can just steal our work. The public, however, seems very good at finding reasons why it's ok for them to pirate.

    The public at large doesn't "actually buys legit copies". The public at large pirates. Real geeks "actually buy legit copies".

    Cheap geeks, well, does that really exist? A geek is a passionate being. How could you be a passionate being and be cheap about your core interest? Would you be cheap about your parachute if you were into skydiving? Would you be cheap about your sailboat if you were into sailing? Would you be cheap about your destination if you were into travelling? Would you be cheap about your instrument if you were into music? I understand that some music geeks (say Brian May) even go so far as building their own instruments (say, a Red Special). Geeks are passionate, and geeks by definition cannot be "cheap", or they're just pretend-geeks (I'm such a geek, I even have Twitter! Yeah, sure...)

    I don't believe a mere second into your core argument. Geeks are passionate, geeks pay for their software. The general public that is more interested into what the software gives them access to, rather than in the software itself, doesn't give a shit and just pirates it. That's what I've seen in several countries, with multiple social classes, over 20 years.

  • Reply 19 of 45
    Originally Posted by lightknight:

    The public at large doesn't "actually buys legit copies". The public at large pirates. Real geeks "actually buy legit copies".

    This sounds entirely backwards.

  • Reply 20 of 45
    Quote:

    Originally Posted by charlituna:

    Can't wait to see how that argument works out for you. Something tells me that it won't go as you think it should and we won't have companies like Apple being forced to 'jailbreak' their own OS etc any time soon. Particularly when the DMCA exemptions allow you to do it yourself without risk of legal action (just at the risk that the manufacturer won't warranty their hardware if you've done it and legally doesn't have to)

    If you think that, with regards to the public at large, that's enough, you sorely misunderstand who normal people are. I'll even go further, good luck running your own software if A - you need to jailbreak your computer and B - it's as hard to jailbreak as iOS 6 is. Not to mention that Apple's possible plans of making their own chips would make that even harder.

    Can't wait to see how that argument works out for you, when you try to jailbreak your iMac. Oh, wait, I forgot. You're probably the type that lets others, such as those despicable "cheap geeks" do all the hard work and just reap the free results of that hard work. Good for you, that's how you get rich.
