Apple Kills Java On The Mac To Fight Malware Like Flashback

  1. #1
    Administrator
    Join Date
    Jul 2011
    Location
    Northern Michigan
    Posts
    7,740
    Member #
    1529
    Liked
    59 times

    Apple Kills Java On The Mac To Fight Malware Like Flashback

    Don’t trust the Java.



    Apple released a small Java update for OS X users this Wednesday. The update effectively removed the Java applet plug-in that typically comes pre-installed in all web browsers on the Mac. Why? Well, Apple has been trying to distance itself from Java for quite some time, mainly due to the fact that most malware spreads via Java vulnerabilities.

    Take the recent Flashback trojan, for example. Millions of Macs were compromised because hackers were able to exploit a security vulnerability in Java on the browser. You could visit a bad site with a corrupt Java applet and get infected. After this week’s update, Java is no longer included in browsers like Safari.

    If you absolutely need Java for a certain website, then Apple allows you to download it directly from Oracle. It’s a good tradeoff because Apple gets to distance itself from the dangerous platform while also leaving room for “power” users to install Java anyway.

    From Apple:

    "This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

    Please quit any web browsers and Java applications before installing this update."

    Check for updates in the Mac App Store to grab this one if you haven’t already. By cutting ties with Java, we hopefully won’t see something like Flashback again.


    10-19-12


    Source


  3. #2
    Administrator

    Apple Remotely Blocks Java OS X Web Plugin for the Second Time



    A major security breach in Oracle’s Java 7 browser plugin earlier this month caused Apple to remotely disable Java for all OS X Safari users. Oracle updated Java to address the security issues but after a short delay, Apple has again remotely blocked Java on OS X, as reported by French site MacGeneration.

    In early January, the U.S. Department of Homeland Security issued an urgent warning to computer users that a serious exploit had been found in the popular Java plugin. Java had already been the source of several past OS X vulnerabilities so the Cupertino company proactively disabled the plugin in Safari rather than risk another security crisis.

    Apple used OS X’s built-in “Xprotect” anti-malware system that was introduced in 2009 with OS X 10.6 Snow Leopard. The company configured the system so that a minimum version number of Java had to be installed in order for it to run automatically. As a precaution, Apple set the version number to one that did not yet exist.

    A few days after the news broke, Oracle released an update to address the vulnerabilities, and changed the version number so that Xprotect would no longer block it. Unfortunately, MacRumors points out that security researchers found that Oracle only addressed one of the two vulnerabilities, leaving the plug-in a still serious security threat.

    In response, Apple today again updated Xprotect to block the current version of Java, 1.7.0_11-b21, by setting a minimum version number of 1.7.0_11-b22.

    For those interested in learning more about the Java exploit, TMO’s John Martellaro has a detailed explanation of the risks and instructions on how users can check to see if they are vulnerable.

    Those using software that relies on the desktop version of Java, which is separate from the browser plugin, need not take further action at this time. Those applications, such as CrashPlan, are still functional and there are no known vulnerabilities for that configuration.


    1-31-13


    www.macobserver.com
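
The minimum-version gate described in post #2, as an added example (not code from the thread, the quoted articles, or Apple's Xprotect). The function names and the sample version list are assumptions constructed for illustration; only 1.7.0_11-b21 and 1.7.0_11-b22 come from the post.

```python
import re

# Java version strings in the form quoted in the post, e.g. "1.7.0_11-b21".
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (major, minor, micro, update, build) as ints, or None if malformed.
    A missing update or build field is treated as 0."""
    match = _JAVA_VERSION.match(text.strip())
    if match is None:
        return None
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def plugin_allowed(installed, minimum):
    """Minimum-version gate: allow the plug-in only if installed >= minimum.
    Fields are compared numerically, and the gate fails closed: an installed
    version that cannot be parsed is blocked."""
    floor = parse_java_version(minimum)
    if floor is None:
        raise ValueError(f"bad minimum version in policy: {minimum!r}")
    current = parse_java_version(installed)
    if current is None:
        return False
    return current >= floor


def evaluate(installed_versions, minimum):
    """Map each installed version string to its allow/block decision."""
    return {version: plugin_allowed(version, minimum) for version in installed_versions}


# Minimum taken from the post: one build past the shipping 1.7.0_11-b21,
# i.e. a version that did not exist yet, so every current install is blocked.
MINIMUM = "1.7.0_11-b22"

# Constructed sample inputs; only the first value appears in the post.
SAMPLES = ["1.7.0_11-b21", "1.7.0_11-b22", "1.7.0_9-b05", "1.7.0_13", "not-a-version"]

if __name__ == "__main__":
    for version, allowed in evaluate(SAMPLES, MINIMUM).items():
        print(f"{version:>14}  {'allowed' if allowed else 'BLOCKED'}")
    # A plain string comparison would wrongly pass the older Update 9,
    # because "9" sorts after "1" character by character.
    print("naive string compare passes 1.7.0_9-b05:", "1.7.0_9-b05" >= MINIMUM)
```
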


  4. #3
    Administrator

    Oracle issues Java 7 Update 13 early to fix vulnerabilities



    Oracle has released Java 7 Update 13. In an announcement, Oracle explains that the update was originally slated to go live February 19th, but that it was pushed out early because of "active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers." In all, the code fixes 50 security holes; 44 of these are said to have been browser-only.

    Apple recently blocked Java in OS X for a second time following concerns that Update 11 still had serious gaps. That may have caused problems for some Mac users however, since it broke any websites or apps based on the software. With the launch of Update 13, MacNN can confirm that Java has resumed working in OS X.


    2-1-13


    Source


  5. #4
    Administrator

    Java updated again, Snow Leopard users cannot run browser applets



    Another week, another Java exploit: Computerworld notes that Oracle has once again updated the Java VM for all platforms to fend off a prospective exploit. The update is technically the scheduled February critical updates release, but the delivery was pushed up.

    Unfortunately, while Mac users on OS X 10.7 Lion and 10.8 Mountain Lion can upgrade their JVMs using Oracle's installer for Java 7, Snow Leopard (10.6.8) machines are out of luck. Oracle's Java 7 installer won't run, and as of yesterday Apple's supplied Java 6 is blocked by Apple's own XProtect malware shield -- it won't do applets in Safari or Firefox until it's patched.

    There are some hacky workarounds for either disabling/modifying the XProtect manifest (not recommended) or getting Java 7 to install on 10.6.8 (also not recommended) -- but if you need to run Java in the browser on 10.6.8, there aren't many better options.


    2-1-13


    www.tuaw.com

