Newly-Discovered Java 7 Security Vulnerability Poses Risks to Macs

Java Web 165Just two weeks after Oracle officially took over responsibility for Java on OS X with the launch of Java SE 7 Update 6, a new Java vulnerability has been discovered to pose a significant threat to systems running the software. Krebs on Security highlighted the issue yesterday, noting that it affects all versions of Java 7 on most browsers.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

The report notes that Oracle is moving to a quarterly update cycle for Java, meaning that the next regularly-scheduled update to Java SE 7 is not planned until October, but it is unclear how quickly the company will move to address the issue. In the interim, some security experts are developing an unofficial patch while users are advised to simply disable Java if they do not need it active on their systems.

Computerworld reports that the issue does indeed affect fully-updated Macs running Java 7 on top of OS X Mountain Lion.

David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post.

JRE 1.7 includes the most-current version of Java 7, dubbed "Update 6," that was released earlier this month.

Both Safari 6 and Firefox 14 have been found to be vulnerable to the issue on OS X systems.

Apple has of course had its own issues with Java vulnerabilities, most recently with the Flashback malware that was able to infect over 600,000 Macs by taking advantage of an exploit in Java 6 that had already been patched by Oracle for most platforms but not by Apple for OS X. It is due to smaller, previous incidents similar to Flashback that Apple had already been moving to shift responsibility for Java updates to Oracle, a move that is taking place with Java 7. But while Mac users will now receive Java updates simultaneously with users on other platforms, Java remains one of the highest-profile targets for attackers seeking to compromise systems on a broad basis.

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

Top Rated Comments

Prodo123 Avatar
108 months ago
Just to emphasize, this is NOT a Mac security issue but rather a JAVA security issue which affects its host system, which includes Macs.

Nor is this a Windows virus. Macs are still impervious to Windows viruses.
Score: 16 Votes (Like | Disagree)
dashiel Avatar
108 months ago
It’s infuriating that Adobe’s CS requires Java now otherwise I could ditch Java. Rubbing salt in the wounds I believe the Java requirement is for their software authentication/auto update mechanism and is not required for core functionality.
Score: 10 Votes (Like | Disagree)
neiltc13 Avatar
108 months ago
Cue "Java sucks, why does anyone even need Java" comments...
Score: 7 Votes (Like | Disagree)
Slix Avatar
108 months ago
Another reason I've had Java disabled on my Safari for years.
Score: 6 Votes (Like | Disagree)
BC2009 Avatar
108 months ago
Open Terminal..

Run: java -version

I get:

Java(TM) SE Runtime Environment (build 1.6.0_33-b03-424-11M3720)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03-424, mixed mode)

So it looks like I am good. "build 1.6" is "Java 6". I have Mountain Lion and just recently installed Java after upgrading to Mountain Lion, so I was a bit surprised that I had Java 6 and not Java 7.
Score: 5 Votes (Like | Disagree)
r.harris1 Avatar
108 months ago

Of course it is useful - if it's crap, you don't need it activated, unless you play a handful of Java games or are required by a few legacy websites to use it. Understand now?

There is nothing inflammatory in speaking the truth. Client-side Java is crap, virtually useless and a threat to your computer's security. If you don't like it, feel free to avoid such threads. I just can't stand LIES when people come here and say Java is "so important" and essential to an end user's experience.


Golly. Now I understand! Your eloquence and command of argument and language has convinced me. From now on, I'm sure those of us with Java experience infesting these Java threads will be sure to leave it to you to lead the way. :rolleyes:
Score: 4 Votes (Like | Disagree)

Top Stories

m1 chip macbook air pro

Kuo: Redesigned MacBooks With Apple Silicon to Launch in Second Half of 2021

Tuesday November 24, 2020 7:53 pm PST by
Apple plans to release additional MacBook models with Apple Silicon in the second half of 2021, according to analyst Ming-Chi Kuo, as part of the company's two-year transition away from Intel processors across its Mac lineup. In a research note today, obtained by MacRumors, Kuo said that these MacBook models will feature a new design. Kuo did not specify which models these will be, but he...
2020 apple shopping event

Apple Offering Up to $150 Gift Card With Select Products on Black Friday Through Cyber Monday

Monday November 23, 2020 2:53 am PST by
Apple has announced its annual four-day shopping event, offering customers up to a $150 Apple Store gift card with the purchase of select products between Black Friday and Cyber Monday in the United States. The gift card values in the United States are as follows: $150 for 16-inch MacBook Pro $150 for 21.5-inch iMac $50 for 13-inch MacBook Pro $50 for MacBook Air $50 for iPhone SE,...
app store christmas icon

Apple Shutting Down App Store Connect From December 23 to December 27

Monday November 23, 2020 10:14 am PST by
Apple shuts down App Store Connect for a week around the holidays each year in an effort to give App Store staff time off from work. This year, App Store Connect will be unavailable from December 23 to December 27. With App Store Connect unavailable, Apple will not accept new apps or app updates, so all pricing changes and new app submissions need to be locked in before those dates for...
Target November Deals 1

Black Friday Spotlight: Target Begins Week-Long Sale With Deals on iPhone 12, Powerbeats Pro, and More

Monday November 23, 2020 8:07 am PST by
We've been tracking early Black Friday deals in our dedicated Black Friday Roundup, and in an effort to prepare our readers for the big shopping event we're highlighting sales store-by-store in the lead-up to November 27. Note: MacRumors is an affiliate partner with Target. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running....
mac mini macbook pro macbook air

Apple M1 Hands-On Comparison: MacBook Air vs. MacBook Pro vs. Mac Mini

Monday November 23, 2020 3:40 pm PST by
Apple's M1 Macs are out in the wild now, but ahead of the holidays, you might still be trying to figure out which one to pick up, either for yourself or as a gift for someone else. We've got all three of the new Macs available, so we thought we'd give MacRumors readers a hands-on overview of each machine in our latest YouTube video. Subscribe to the MacRumors YouTube channel for more videos. ...
max tech xcode benchmark m1 macbook

Video Demos Performance Differences Between 8GB and 16GB Apple M1 MacBook Pro

Monday November 23, 2020 2:54 pm PST by
All of the M1 Mac models use the same M1 chip, so the upgrade options are limited to SSD storage space and RAM. We haven't seen many comparisons that demonstrate the difference between a machine with 8GB RAM and the upgraded 16GB RAM option, but Max Tech today shared a video highlighting the performance between an 8GB MacBook Pro and a 16GB MacBook Pro. The video includes a series of...
new mac mini logicpro screen

M1 Macs Able to Run Up to Six External Displays Using DisplayLink

Tuesday November 24, 2020 6:53 am PST by
It is possible to run up to six external displays from the M1 Mac mini, and five external displays from the M1 MacBook Air and MacBook Pro, with the aid of DisplayPort adapters, according to YouTuber Ruslan Tulupov. This far exceeds Apple's specified limits on external displays with the M1 Macs. Apple's host of new M1 Macs are not capable of supporting as many external displays as their...
iPads black friday 20 sale feature

Apple Black Friday 2020: Best iPad Deals

Tuesday November 24, 2020 8:51 am PST by
Although we're still a few days away from the official launch of Black Friday, we've known for a few weeks that many retailers would be kicking off discounts ahead of November 27. Because of this trend, today we're tracking discounts across Apple's lineup of iPads, including the 10.2-inch iPad and 2020 iPad Pro. More sales are likely to appear as the week progresses, and when they do we'll update ...
13 16 inch macbook pro air trio

Reliable Leaker Suggests Redesigned MacBooks in 2021 Will Include Both Apple Silicon and Intel Models

Wednesday November 25, 2020 9:15 am PST by
Reliable leaker known as "L0vetodream" has today suggested on Twitter that redesigned MacBooks coming in the second half of 2021 will include models with both Apple Silicon chips and Intel processors. The brief Tweet came in response to a MacRumors article from earlier today, which outlined a report from Ming-Chi Kuo claiming that Apple plans to release redesigned MacBook models with Apple ...
ipad pro 2020 display

Black Friday Week Kicks Off With Up to $150 Savings on 2020 iPad Pro

Sunday November 22, 2020 2:37 pm PST by
As we head into Black Friday week, we're seeing some of the best deals of the season so far, with Amazon and Best Buy today discounting the latest iPad Pro models by up to $150 at the lowest prices we've ever tracked on these models. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep ...