Oracle Releases Patch to Address Security Vulnerability in Java 7

Earlier this week, we reported on a newly-disclosed vulnerability in Java SE 7 that could pose a risk for users on a wide variety of platforms, including OS X. While the real-world threat to Mac users stemming from the vulnerability is very low given that a Mac-specific exploit for the vulnerability has not been seen and only a small fraction of Mac users have manually installed Java SE 7, the incident has served as another reminder that Mac users can be vulnerable to malicious attacks.

Although Oracle was reportedly warned of the issue months ago and apparently did not take significant action to protect users until it became public, the company has now moved quickly to address the problem with today's announcement regarding the release of Java SE 7 Update 7. The release addresses the specific vulnerability disclosed earlier this week as well as several others, and the company has also released Java SE 6 Update 35 to address a separate issue with the earlier version.
If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.
The updated versions of Java are available through Oracle's Java download page.

Top Rated Comments


27 months ago

So.... that means that we will get it in about a month and a half when Apple releases it?


You haven't been paying attention. Apple is not releasing any Java updates ever again. They all go through Oracle now.
Rating: 8 Votes
27 months ago

plugging up the sinking ship, sad really - java comes in quite handy, i'm guessing it will eventually be phased out from the apple environment.

sounds like someone who has no understanding of Java or how powerful it really is.
Rating: 8 Votes
27 months ago
plugging up the sinking ship, sad really - java comes in quite handy, i'm guessing it will eventually be phased out from the apple environment.
Rating: 4 Votes
27 months ago

plugging up the sinking ship, sad really - java comes in quite handy, i'm guessing it will eventually be phased out from the apple environment.


Which is ironic, because Java has built-in protection against buffer overflows whereas C, C++, and Objective-C (Cocoa) are all vulnerable. While clunky (though it's gotten better) and ugly, Java was always a pretty safe environment.
Rating: 3 Votes
27 months ago
The Mac version of the Oracle release will update itself if you launch the control panel (from System Preferences) - mine just asked me to update when I looked at it.
Rating: 2 Votes
27 months ago

plugging up the sinking ship, sad really - java comes in quite handy, i'm guessing it will eventually be phased out from the apple environment.


Sounds just like Flash...
Rating: 2 Votes
27 months ago

Well according to this page (http://www.oracle.com/technetwork/java/javase/downloads/index.html) on Oracle's site, there is no 6-35 update for Mac, just WinBlows, Linux & Solaris. Lucky us I guess. :confused:


WinBlows? Did you think that one up all by yourself?
Rating: 1 Votes
27 months ago

WinBlows? Did you think that one up all by yourself?

Huh? Wot? It's been in use as an endearing reference since 1995 (at least) to the best of my knowledge. You don't think for something to still be so commonly used nearly 20 years later that there's not some truth to it do you? Do a simple search here throughout the forums, you'll be surprised as to how frequently it's still used.
Rating: 1 Votes
27 months ago

Again, you've missed the point. Developers need to set up J2EE environments to write software for it on a Mac. They will have to install things. Installing these additional tools and frameworks can just install the required J2SE portions as well for development. It doesn't matter if a JRE for J2SE is not available anymore on Macs, you'll get them in your JBoss or Glassfish installation or whatever else you're using.

And in the end, you're deploying to an outside server anyhow. As long as your IDE can provide syntax highlighting and code completion for J2SE/J2EE, the code doesn't even need to run locally. Hitting build should deploy to an application server, it doesn't matter if that is running locally or on a Linux server somewhere on your LAN. As long as those have the proper classes installed, it'll work.

IE, J2SE availability on Mac is a non-issue for J2EE development work. It doesn't matter what happens to J2SE on Mac. J2EE developers that want to use a Mac will always be able to do it through their own setups.



That's just plainly wrong. You need J2SE installed to do J2EE development.

Show me a Java developer that uses a Mac that doesn't have a JDK installed on their Machine. How is their IDE going to work? Every Java IDE requires Java to run.

The simple matter is, if you don't have Java installed, you can't write Java code.

JBoss and GlassFish do not ship JDKs or JREs with them. In fact I believe it's against Oracle's TOS to ship a JDK, consumers have to download it themselves.
Rating: 1 Votes
27 months ago

New patch already has another vulnerability: http://www.pcadvisor.co.uk/news/security/3378919/researchers-find-critical-vulnerability-in-java-7-patch-hours-after-release/

Remove the browser plugin from /Library/Internet-Plugins


Yes. Even as a Java developer, I have always disabled the Java Plug-in. In fact, most Java developers I know consider Java Applets to be the biggest mistake of Java.

When people are bashing Java as being insecure, they're really bashing Java Applets that run through the Java plug-in, in the browser.

For instance, if you were to run Ruby or Python in the browser it would be FAR more insecure than running Java in a sandbox. But then again, we shouldn't be running Java in the browser to begin with.

As a general runtime, Java is basically one of the best out there. Apple's WebObjects runs on the JVM. The iTunes Music Store is server-side Java, etc.

I understand that people have a really hard time separating these things in their heads but the Java plug-in in your browser is not the same thing as JavaScript or even Java.

Java is a runtime. The browser plugin brings a sandboxed version of that runtime into the browser. As a long time Java developer I can tell you that Java applets are crapshoots, and you should probably delete the Java plug-in from your browser at this point. And that will protect you from all these future vulnerabilities.

You don't actually need to remove Java from your machine altogether to protect yourself. If the Java plug-in is removed from your browser, problem solved. But you're not exposing yourself by running Minecraft.
Rating: 1 Votes
