Apple and Oracle issue patches for yet another Java zero-day exploit

Posted:
in macOS edited January 2014
Apple on Monday released an updated version of Java 6 to plug a hole that can lead to malicious software being installed on an affected user's Mac.

Oracle also released update 17 of Java 7 today after researchers discovered multiple new vulnerabilities in the software, one of which is being actively exploited in the wild.

From Oracle's release notes:
This Security Alert addresses security issues CVE-2013-1493 (US-CERT VU#688246) and another vulnerability affecting Java running in web browsers. Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Java has seen an alarmingly high number of exploits since the start of the year, with Apple and Oracle both being forced to issue multiple patches to deal with ongoing issues. In mid-January, Oracle pushed out an emergency fix for a vulnerability so severe that the U.S. Department of Homeland Security recommended all Java 7 users disable or uninstall the program until a solution was found. Later that month, another exploit prompted Apple to use the XProtect anti-malware feature baked into OS X to block Java 7 from running on Macs.

Most recently, Apple pushed out an update on Feb. 19 to cope with a similar vulnerability.

The latest Java update for OS X Lion and Mountain Lion weighs in at 63.84MB, while the Snow Leopard version comes in at 69.32MB. Both can be downloaded from Apple's Support Webpage or via Software Update.

Comments

  • Reply 1 of 19
    tylerk36 Posts: 1,037 member


    Pest Control one java at a time.

  • Reply 2 of 19


    I'm going to have to quit my job so I can keep up with the updates!

  • Reply 3 of 19
    sflocal Posts: 6,093 member


    Patches are a fact of life in the software industry.  That being said, come on Oracle!  Get with the program!

  • Reply 4 of 19
    macxpress Posts: 5,808 member
    Both Adobe and Oracle really need to get their shit together. This is absolutely ridiculous!
  • Reply 5 of 19
    gatorguy Posts: 24,213 member

    Strange fact: Even tho Android is frequently claimed as having Java at its root, it's immune to these Java exploits. Android users are unaffected.

  • Reply 6 of 19
    isaidso Posts: 750 member
    I just find this so confusing.
    I thought Apple was leaving all Java "stuff" directly to Oracle from now on. Why is Apple still taking responsibility for this; and why Java 6, when Oracle is producing Java 7?
    I mean... wtf
  • Reply 7 of 19
    gatorguy wrote: »
    Strange fact: Even tho Android is frequently claimed as having Java at its root, it's immune to these Java exploits. Android users are unaffected.

    Android doesn't run a JVM. It uses java syntax back end but compiles to a custom VM for efficiency reasons, among others. So, yes, issues affecting java are distinct to systems running a JVM, but Dalvik (custom VM) has its own concerns. Any ubiquitous software will be targeted by malicious people. :\
  • Reply 8 of 19
    Why does my comment have a spoiler alert? I'd blame it on java, but this is from an iPhone. ;)
  • Reply 9 of 19
    tallest skil Posts: 43,388 member

    Originally Posted by DeanSolecki View Post

    Why does my comment have a spoiler alert? I'd blame it on java, but this is from an iPhone. ;)

    You hit the spoiler button, is all. It dropped in blank formatting that you then fill with something you don't want to show up automatically.

    It's ugly and huge, isn't it? Way larger than it needs to be.

  • Reply 10 of 19
    You hit the spoiler button, is all. It dropped in blank formatting that you then fill with something you don't want to show up automatically.
    Spoiler:

    Aww. I already had my heart set on blaming it on Java. Although now I get to blame it on cryptic ribbons. ;)

    Thanks for the explanation.
  • Reply 11 of 19
    tosaman Posts: 2 member
    There is a simple fix, first dump Java from your mac. Don't use Safari, use Google Chrome as they have Java built in (sandboxed). If concerned about your bookmarks then use "Xmarks"
    I've been doing it this way for months, works perfect, oh and get rid of Flash, another wasted resource. Have a nice Java free day!
  • Reply 12 of 19
    tallest skil Posts: 43,388 member

    Originally Posted by TosaMan View Post

    …first dump Java from your mac. Don't use Safari, use Google Chrome as they have Java built in…

    I'm confused. So use Java?

    …oh and get rid of Flash, another wasted resource.

    You're using Chrome. You're using Flash.

  • Reply 13 of 19
    hittrj01 Posts: 753 member

    Quote:

    Originally Posted by TosaMan View Post

    There is a simple fix, first dump Java from your mac. Don't use Safari, use Google Chrome as they have Java built in (sandboxed). If concerned about your bookmarks then use "Xmarks"

    I've been doing it this way for months, works perfect, oh and get rid of Flash, another wasted resource. Have a nice Java free day!

    You are mistaking Java with Flash. Chrome has Flash built in, not Java. In fact, the new Java 7 doesn't even work with Chrome (on Mac), so you actually would be dumping Java. But if you're using Chrome, you're using Flash, too. Nice try, though.

  • Reply 14 of 19
    tosaman Posts: 2 member

    Chrome has Java built in, don't bother asking me how or why all I know is that Java is part of Google Chrome.  When Chrome is updated so are the components that allow Java to function within Chrome ONLY.  Also Chrome has its own version of Flash, read this: http://tidbits.com/article/13545

    My current version of Google Chrome is: 25.0.1364.99

    Bottom line is all I know it works!  (Mac OSX 10.8.2)

  • Reply 15 of 19
    ash471 Posts: 705 member

    Quote:

    Originally Posted by TosaMan View Post

    There is a simple fix, first dump Java from your mac. Don't use Safari, use Google Chrome as they have Java built in (sandboxed). If concerned about your bookmarks then use "Xmarks"

    I've been doing it this way for months, works perfect, oh and get rid of Flash, another wasted resource. Have a nice Java free day!

    Unfortunately the USPTO website uses java for its private login.  Therefore, all patent attorneys have to have access to Java.

  • Reply 16 of 19
    jll Posts: 2,713 member

    Quote:

    Originally Posted by TosaMan View Post

    Chrome has Java built in, don't bother asking me how or why all I know is that Java is part of Google Chrome.

    Chrome does not have Java built in. You're probably using the Apple supplied Java 6 on your computer.

  • Reply 17 of 19
    dysamoria Posts: 3,430 member
    macxpress wrote: »
    Both Adobe and Oracle really need to get their shit together. This is absolutely ridiculous!

    Don't hold your breath. The industry loves to claim exemption from accountability by claiming complexity and bugs as "normal."
  • Reply 18 of 19
    dysamoria Posts: 3,430 member
    ash471 wrote: »
    Unfortunately the USPTO website uses java for its private login.  Therefore, all patent attorneys have to have access to Java.

    Government websites are the worst of all. Just about 20 minutes ago I sent a notice to a local government website to tell them that the page I was on had a link to a Japanese page instead of my borough's website. On top of that, the text box for the subject of the message considered a comma to be a "special character", AND the length was limited to a ridiculously short character limit. And on top of that, the message text box behaved really badly on my iPhone.

    I've never found government websites to be even slightly reasonable; forget sensible. Whatever the java requirement is for the USPTO site, I bet you it's about "secure log in," yet the java product itself is fundamentally insecure and a major failure point. Plus, I've yet to use a single java applet or program that didn't feel slow, look ugly, and fail to operate with any sense of normality in context to the OS it was run on and the purpose it supposedly provided.
  • Reply 19 of 19
    http://m.tuaw.com/2012/10/22/java-7-and-chrome-dont-play-well-together/

    This covers most of the relevant information. Basically, you only need java if you NEED java, and if you do, your browser will tell you, or a specific application will (otherwise, don't install the plugin.)