Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

Java Web 165Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.

David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.

Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

Top Rated Comments

Prodo123 Avatar
117 months ago
Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.
Score: 16 Votes (Like | Disagree)
dashiel Avatar
117 months ago
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Score: 10 Votes (Like | Disagree)
neiltc13 Avatar
117 months ago
Cue "Java sucks, why does anyone even need Java" comments...
Score: 7 Votes (Like | Disagree)
Slix Avatar
117 months ago
Another reason I've had Java disabled on my Safari for years.
Score: 6 Votes (Like | Disagree)
BC2009 Avatar
117 months ago
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
Score: 5 Votes (Like | Disagree)
r.harris1 Avatar
117 months ago
Of course it is useful - if it's crap, you don't need it activated, unless you play a handful of Java games or are required by a few legacy websites to use it. Understand now?

There is nothing inflammatory in speaking the truth. Client-side Java is crap, virtually useless and a threat to your computer's security. If you don't like it, feel free to avoid such threads. I just can't stand LIES when people come here and say Java is "so important" and essential to an end user's experience.

Golly. Now I understand! Your eloquence and command of argument and language has convinced me. From now on, I'm sure those of us with Java experience infesting these Java threads will be sure to leave it to you to lead the way. :rolleyes:
Score: 4 Votes (Like | Disagree)

Top Stories

REC ASA CODE2016 20160601 205816 2745

Elon Musk Reportedly Demanded to Become Apple CEO as Part of Potential Tesla Acquisition [Update: Musk Denies]

Friday July 30, 2021 9:04 am PDT by
Tesla CEO Elon Musk reportedly once demanded that he be made Apple CEO in a brief discussion of a potential acquisition with Apple's current CEO, Tim Cook. The claim comes in a new book titled "Power Play: Tesla, Elon Musk and the Bet of the Century," as reviewed by The Los Angeles Times. According to the book, during a 2016 phone call between Musk and Cook that touched on the possibility of ...
General Apps Messages

Android iMessage Competitor Puts Pressure on Apple

Friday July 30, 2021 3:15 am PDT by
Google and the three major U.S. carriers, including Verizon, AT&T, and T-Mobile, will all support a new communications protocol on Android smartphones starting in 2022, a move that puts pressure on Apple to adopt a new cross-platform messaging standard and may present a challenge to iMessage. Verizon recently announced that it is planning to adopt Messages by Google as its default messaging...
iPhone 13 Always On Feature

iPhone 13 to Bring Over a Major Feature From the Apple Watch

Wednesday July 28, 2021 2:21 am PDT by
Apple's upcoming iPhone 13 lineup will feature an always-on display akin to the Apple Watch Series 5 and Series 6, according to recent reports. In his weekly Power On newsletter, Bloomberg journalist Mark Gurman, who often reveals accurate insights into Apple's plans, said that the iPhone 13 may feature an Apple Watch-inspired always-on mode. The Apple Watch Series 5 and Apple Watch...
duracell battery bitter coating

Apple Says Don't Buy AirTag Replacement Batteries With Bitter Coating

Wednesday July 28, 2021 11:08 am PDT by
Since AirTags were just released earlier this year and are expected to have a year-long battery life, it may be some time yet before AirTag users need a replacement battery, but when the time comes for a refresh, Apple is warning customers not to buy batteries with a bitter coating. AirTags use coin-shaped CR2032 batteries, which happen to be a size that's easy to swallow. Some battery...
a15 chip

iPhone 13 and Redesigned MacBook Pro Chip Production Hit With Gas Contamination

Friday July 30, 2021 5:44 am PDT by
The most important TSMC factory that manufactures Apple's chips destined for next-generation iPhone and Mac models has been hit by a gas contamination, according to Nikkei Asia. The factory, known as "Fab 18," is TSMC's most advanced chipmaking facility. TSMC is Apple's sole chip supplier, making all of the processors used in every Apple device with a custom silicon chip. Industry...
apple rtp land

Apple Preparing to Occupy 200,000 Square Feet of Temporary Space Ahead of New $1 Billion North Carolina Campus

Thursday July 29, 2021 9:14 am PDT by
Back in April, Apple announced a $430 billion investment over the next five years to create more than 20,000 new jobs as the company continues to expand. One significant piece of that plan is a new engineering and research center in North Carolina where Apple will be investing over $1 billion and hiring at least 3,000 employees. Assemblage of seven properties in Research Triangle Park owned by ...
Apple Leak Feature

Apple Demands Leaker Reveals Sources Under Threat of Being Reported to Police

Wednesday July 28, 2021 6:53 am PDT by
Apple has sent a cease and desist letter to a leaker based in China as part of its continuing attempts to curtail leaks of unreleased products, according to Vice. A Chinese citizen who shared images of stolen Apple prototypes on social media was sent a warning letter from Fangda Partners, Apple's law firm in China, on June 18, 2021. An extract from the letter read:You have disclosed without ...
macos monterey tidbits feature copy

Apple Releases New macOS 12 Monterey Public Beta

Wednesday July 28, 2021 10:19 am PDT by
Apple today seeded the third public beta of the macOS 12 Monterey beta to public beta testers, allowing non-developers to test the new macOS Monterey software ahead of its public release. The third beta comes two weeks after Apple released the second macOS Monterey public beta. Public beta testers can download the macOS 12 Monterey update from the Software Update section of the System...
iOS 15 General Feature Purple

Apple Releases New Public Betas of iOS 15, iPadOS 15, watchOS 8, and tvOS 15

Wednesday July 28, 2021 10:16 am PDT by
Apple today seeded the third betas of iOS and iPadOS 15 to public beta testers, allowing non-developers to download and test the new updates ahead of their fall release. The third public betas come two weeks after Apple released the second public betas. Public beta testers who have signed up for Apple's beta testing program can download the iOS and iPadOS 15 updates over the air after...
nothing ear 1 buds 1

Nothing 'Ear (1)' True Wireless Earbuds Launch to Take on AirPods Pro With ANC and Unusual Design for $99

Tuesday July 27, 2021 7:57 am PDT by
Nothing, a new brand from OnePlus founder Carl Pei, has today officially launched the "Ear (1)" true wireless earbuds after months of anticipation around the company's AirPods Pro rival. The Ear (1) features an in-ear design, Active Noise Cancelation, Bluetooth 5.2, IPX4 water resistance, and a charging case with Qi-compatible wireless charging and a USB-C port. Fast pairing is supported on...