Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

Tuesday August 28, 2012 12:40 pm PDT by Eric Slivka
Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.
News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).
The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.
Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

[ 149 comments ]

Top Rated Comments

(View all)

Avatar
Prodo123
98 months ago
Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.
Rating: 16 Votes
Avatar
dashiel
98 months ago
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Rating: 10 Votes
Avatar
neiltc13
98 months ago
Cue "Java sucks, why does anyone even need Java" comments...
Rating: 7 Votes
Avatar
Slix
98 months ago
Another reason I've had Java disabled on my Safari for years.
Rating: 6 Votes
Avatar
BC2009
98 months ago
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
Rating: 5 Votes
Avatar
r.harris1
98 months ago

Of course it is useful - if it's crap, you don't need it activated, unless you play a handful of Java games or are required by a few legacy websites to use it. Understand now?

There is nothing inflammatory in speaking the truth. Client-side Java is crap, virtually useless and a threat to your computer's security. If you don't like it, feel free to avoid such threads. I just can't stand LIES when people come here and say Java is "so important" and essential to an end user's experience.


Golly. Now I understand! Your eloquence and command of argument and language has convinced me. From now on, I'm sure those of us with Java experience infesting these Java threads will be sure to leave it to you to lead the way. :rolleyes:
Rating: 4 Votes
Avatar
50548
98 months ago

Cue "Java sucks, why does anyone even need Java" comments...


And why not? Java DOES suck and is ABSOLUTELY USELESS to 99% of ordinary users out there. Only the usual "pundits" infesting this forum (or those making money out of it) can say anything positive about it.

If you do NOT play stupid Minecraft on your Mac or use one of the few/legacy websites relying on Java, just forget about it - deactivate that crap and get on with your lives. O
Rating: 4 Votes
Avatar
bbeagle
98 months ago

Is Java and JavaScript the same thing?

Is this true that if you Disable JavaScript in your Browser, all is well ??
EVEN if you have Java 7 Update 6 Installed?


http://en.wikipedia.org/wiki/JavaScript (http://en.wikipedia.org/wiki/JavaScript)

The names JavaScript and Java are unfortunate. Originally, Netscape created a scripting language for browsers and called it LiveScript. The name was later changed to JavaScript. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web programming language, Java.

Java and JavaScript are NOT THE SAME and are NOT RELATED.

If you just disable JavaScript, you are still vulnerable. If you keep JavaScript active, but disable Java only then you are good.
Rating: 3 Votes
Avatar
bbeagle
98 months ago

Open Terminal..

Run: java -version


Technically, you can have several versions of java on your machine. This shows the DEFAULT version of java, which is what your browser will generally use unless you change it.

Your default version could be 1.6 (Java 6), but another program might install and use 1.7 (Java 7) if it wants to.
Rating: 3 Votes
Avatar
techpr
98 months ago
So Java is the new Flash :rolleyes:
Rating: 3 Votes

[ Read All Comments ]