Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.

David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.

Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

Top Rated Comments

(View all)
Avatar
99 months ago
Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.
Score: 16 Votes (Like | Disagree)
Avatar
99 months ago
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Score: 10 Votes (Like | Disagree)
Avatar
99 months ago
Cue "Java sucks, why does anyone even need Java" comments...
Score: 7 Votes (Like | Disagree)
Avatar
99 months ago
Another reason I've had Java disabled on my Safari for years.
Score: 6 Votes (Like | Disagree)
Avatar
99 months ago
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
Score: 5 Votes (Like | Disagree)
Avatar
99 months ago

Of course it is useful - if it's crap, you don't need it activated, unless you play a handful of Java games or are required by a few legacy websites to use it. Understand now?

There is nothing inflammatory in speaking the truth. Client-side Java is crap, virtually useless and a threat to your computer's security. If you don't like it, feel free to avoid such threads. I just can't stand LIES when people come here and say Java is "so important" and essential to an end user's experience.


Golly. Now I understand! Your eloquence and command of argument and language has convinced me. From now on, I'm sure those of us with Java experience infesting these Java threads will be sure to leave it to you to lead the way. :rolleyes:
Score: 4 Votes (Like | Disagree)

Top Stories

Seemingly Unreleased Version of Logic Pro X With Live Loops Appears on Apple's Education Site [Updated]

Sunday March 29, 2020 7:23 am PDT by Hartley Charlton
Update: Apple has replaced the Logic Pro X image with an older version. Original story follows. A seemingly unreleased version of Logic Pro X has appeared on Apple's education site, as spotted by a Reddit user. The image from Apple's education products page shows a 16-inch MacBook Pro running Logic Pro X, but with a familiar interface that looks extremely similar to GarageBand's Live Loops ...

Zoom Updates iOS App to Stop Sending Data to Facebook

Friday March 27, 2020 5:35 pm PDT by Juli Clover
Zoom, a video conferencing app that many people are using at the current time to keep in touch with coworkers while working from home, was sending data to Facebook without disclosing the data sharing to customers. As of today, Zoom has updated its iOS app to remove the SDK that was providing data to Facebook through the Login with Facebook feature, according to Motherboard, the site that...

Apple Suppliers Worried About iPhone Demand, Production Ramp-Up for New iPhones Reportedly Postponed

Friday March 27, 2020 5:56 pm PDT by Juli Clover
Most of the factories in China that supply devices and components to Apple are back to churning out products, but Apple suppliers are said to be worried about how much demand there will be for the current iPhone models and the new iPhones expected in the fall. According to Reuters, a senior official at one of Apple's major supply companies said that orders for quarter ending in March are...

2020 iPad Pro Teardown Provides Closer Look at LiDAR Scanner and Confirms Incremental Update

Saturday March 28, 2020 9:56 am PDT by Hartley Charlton
iFixit today shared a video teardown of the new iPad Pro, which Apple unveiled earlier this month. iFixit found that most of the internals of the 2020 iPad Pro are the same as the 2018 model, confirming that the device is a relatively incremental update. The most notable new feature seen inside the new iPad Pro was the LiDAR scanner, which measures the distance to surrounding objects up...

Apple Watch Series 6 Could Feature Touch ID Fingerprint Sensor, Pulse Oximetry and Sleep Tracking Support

Friday March 27, 2020 11:28 am PDT by Juli Clover
The upcoming Apple Watch Series 6 set to be released this fall could include a Touch ID fingerprint sensor built into the crown of the device, according to Israeli site The Verifier, which cites "senior sources" who have worked with its staff for a "number of years" as the source of the rumor. It's not clear how the alleged Touch ID fingerprint sensor would be implemented, as the Digital...

Bloomberg: Apple's 5G iPhone Still on Schedule for Fall Launch, But Future Products Could Be Delayed

Monday March 30, 2020 2:40 am PDT by Tim Hardwick
Apple's 5G iPhone is still on track to launch within the company's typical annual fall release schedule, according to a new Bloomberg report on filed on Monday. Signs are that Apple's Chinese-centric manufacturing -- of which Hon Hai is the linchpin -- is slowly getting back on track. The next iPhones with 5G wireless capabilities remain on schedule to launch in the fall, partly because mass...

Kuo: Apple to Launch Several Macs With Arm-Based Processors in 2021, USB4 Support Coming to Macs in 2022

Thursday March 26, 2020 8:19 pm PDT by Joe Rossignol
Apple plans to launch several Mac notebooks and desktop computers with its own custom designed Arm-based processors in 2021, analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. Kuo believes that Arm-based processors will significantly enhance the competitive advantage of the Mac lineup, allow Apple to refresh its Mac models without relying on Intel's processor roadmap,...

Top Stories: Hands-On With 2020 iPad Pro and MacBook Air, iOS and iPadOS 13.4 Released, iPhone 12 Delay?

Saturday March 28, 2020 6:00 am PDT by MacRumors Staff
After last week's flurry of product launches, Apple's new iPad Pro and MacBook Air have started to make their way into consumers' hands, and we've gone hands-on with both of them this week. Apple this week also released iOS and iPadOS 13.4 (as well as macOS, watchOS, and tvOS updates) with a number of new features and improvements. Subscribe to the MacRumors YouTube channel for more videos. ...

Deals: Huge Refurbished iPhone Sale Discounts iPhone 7, 8, X, XR, and XS (From $120)

Friday March 27, 2020 5:47 am PDT by Mitchel Broussard
Woot is back today with a big sale on refurbished iPhones, including markdowns on the iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, iPhone X, iPhone XR, iPhone XS, and iPhone XS Max. Note: MacRumors is an affiliate partner with Woot. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. As with every Woot purchase, those...

Apple Releases ProRes RAW Beta for Windows

Monday March 30, 2020 9:33 am PDT by Juli Clover
Apple today released ProRes RAW for Windows in a beta capacity (via Mark Gurman), with the software designed to allow ProRes RAW and ProRes RAW HQ video files to be watched in compatible applications on Windows machines. According to Apple, the software will let the files be played within several Adobe apps: Adobe After Effects (Beta) Adobe Media Encocder (Beta) Adobe Premiere...