Oracle Updates Java 7 to Address Security Vulnerability

Monday January 14, 2013 6:36 am PST by Eric Slivka
On Friday, we noted that Apple had taken the rare step of using its anti-malware tools in OS X to disable existing installations of the Java 7 browser plug-in due to a major security vulnerability that was being actively exploited in the wild. Apple's anti-malware system is capable of enforcing minimum version numbers for plug-ins such as Java and Flash, and Apple simply updated its blacklist information to require that machines be running a higher version of the Java 7 plug-in than was publicly available.

Oracle has now released Java 7 Update 11, and the release notes indicate that it does indeed address the vulnerability. The new release registers with a version string of 1.7.0_11-b21, satisfying Apple's requirement for a minimum version number of 1.7.0_10-b19.

In addition to the fix for the vulnerability, Java 7 Update 11 also sees a change in the default security level setting from "Medium" to "High". Under the new setting, users will be warned before the Java plug-in runs any unsigned application.
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.


[ 72 comments ]

Top Rated Comments

(View all)

Avatar
iMikeT
90 months ago

Why is it so often Java that appears to get caught out in these security vulnerabilities? :confused:



Like Windows, it's widely used. It's about making the most amount of damage to the most amount of users.
Rating: 6 Votes
Avatar
RMo
90 months ago

Sorry foe the dumb question...I have "Enable Java" UNCHECKED in Safari Preferences, and intend to leave it that way.

Should I download the Java Update anyway?:confused:

Thanks...


Yes. You should either do that or uninstall Java completely, but there's no sense in leaving outdated, vulnerable, exploited-in-the-wild software on your machine, even if you have no plans to use it right now. (What if you try another browser in the future and forget about this?)

No, it can't access your system if you don't use it or even have it enabled.


Unchecking a preference in Safari does not mean it is "disabled" on your entire system. Leave it unchecked if you want, but at least fix the problem (or get rid of it).
Rating: 6 Votes
Avatar
hamkor04
90 months ago
"Medium" to "High" isn't it awesome?
Rating: 5 Votes
Avatar
HiRez
90 months ago
When are they just going to kill this pig once and for all? Java on personal or mobile computers is simply not needed today, there are better alternatives. If they want to keep it running for enterprise, fine, but stop subjecting us to this bloated, archaic, insecure monstrosity.
Rating: 3 Votes
Avatar
SLFGNR8
90 months ago
Perplexed and need some help

Why am I experiencing the below:

[LIST=1]
* I have Mountain Lion 10.8.2.
* There is no Java in my System Preferences.
* There is no Java app in my Utilities.
* Only references to Java I can find are in my CS6 Suite app folders, allowing custom javascripts.
* Yet when I uncheck "enable java" and "enable java-script" in Safari, there are some websites, like cloud based email services that won't work until I turn them on. When java is enabled via the browsers those sites work fine.
* Even when enabled the http://javatester.org/version.html website says I have a missing plug-in when checking via Safari or with Firefox.
* My Terminal says: java version "1.6.0_37" Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909) Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)


It appears that the Oracle "fix" installs the full version of Java, which I currently don't have or need.

WHAT SHOULD MY COURSE OF ACTION BE?
Rating: 2 Votes
Avatar
clukas
90 months ago
could someone please clarify this for me.

I dont have java in system preferences. I know I am running java as I am using Adobe CS6. I have disabled java in safari.

Am I still at risk, how should I update?
Rating: 2 Votes
Avatar
mathcolo
90 months ago

Since Java updates are no longer built into OS X, how do I update Java?


If you already have Java 7 installed, head to System Preferences -> Java -> and then go to the Update tab in the control panel.

Note that if the updater is broken, see this thread: https://forums.macrumors.com/showthread.php?t=1525000

Edit: For those who still only have Java SE 6 installed, head to http://www.oracle.com/technetwork/java/javase/downloads/index.html to download v7.
Rating: 2 Votes
Avatar
munkery
89 months ago
Java still not safe. Even Java 7u11 has known vulnerabilities.

But, the default of requiring the end user to click "OK" to run unsigned and self signed applets causes exploiting these types of vulnerabilities to now involve some social engineering.

http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/
Rating: 1 Votes
Avatar
MacMan988
89 months ago

It is a plist settings file that contains a list of sites/apps that Apple has blocked due to malware.

Go to this screen under System Preferences/Security & Privacy/General/Advanced and make sure you have "Automatically update safe downloads list" checked.


Thanks. That is checked.
Rating: 1 Votes
Avatar
munkery
90 months ago

Ahh... I do not see any Java icon/panel in System Preferences. Stock OSX Mountain Lion 10.8.2 pre-installed in my iMac December 2012. I suppose this means I do not see the Java control panel because I never manually installed a full version from Oracle to begin with? :confused:


Yes, you have to manually install Java to see the preference pane.

P.S. -- and I'm sure that as far as the Safari Java plug-in, Apple will likely just update that in the next incremental OSX Update (Mountain Lion 10.8.3?)


No, Apple is no longer supplying Java in OS X updates.
Rating: 1 Votes

[ Read All Comments ]