Apple, Oracle move quickly to mitigate Java security flaw

Summary: A Java flaw warning announced by Homeland Security this weekend concerns mostly Windows users, as usual. However, some Macs may be vulnerable. Apple and Oracle moved to address the flaw.


The Computer Emergency Readiness Team (CERT) posted a warning about the latest flaw in Java 7 on Thursday and suggested that users disable or uninstall the Java runtime. As usual, the security hole could allow an attacker to steal the user's identity or enlist the machine in a botnet.

Apple addressed the issue in an interesting manner, according to a report on MacRumors. It was able to disable the Java 7 plug-in on Mountain Lion and Lion systems running Java 7. Earlier systems running Java 6 are safe.

Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.
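The minimum-version gate described above, as an added example (not Apple's code and not the actual format of the blacklist file): it parses Java 7-style version strings and compares them numerically against the required minimum. The function names are hypothetical, `1.7.0_11` is assumed to be the version string for Oracle's Update 11, and the other sample inputs are constructed.

```python
import re

# Java 7-era version strings look like 1.7.0_10-b18:
# major.minor.micro, then _<update>, then -b<build>. Update and build are optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")


def parse_java_version(text):
    """Return (major, minor, micro, update, build) as integers."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    # Missing update/build fields count as 0.
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def meets_minimum(installed, minimum):
    """True if the installed version is at or above the required minimum.

    A string that cannot be parsed fails the check (fail closed).
    """
    try:
        return parse_java_version(installed) >= parse_java_version(minimum)
    except ValueError:
        return False


# The minimum quoted in the article; the public build at the time was b18.
REQUIRED_MINIMUM = "1.7.0_10-b19"

if __name__ == "__main__":
    # Constructed sample inputs, except the two builds named in the article.
    samples = ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_9-b05", "1.7.0_11", "garbage")
    for candidate in samples:
        verdict = "allowed" if meets_minimum(candidate, REQUIRED_MINIMUM) else "blocked"
        print(f"{candidate:>14}  {verdict}")
```

Comparing parsed integers matters here: as plain strings, `1.7.0_9-b05` sorts above `1.7.0_10-b19` and an older update would pass the gate.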

On Sunday, Oracle offered a fix in Version 7, Update 11 for the Mac and other OSes. The download for the Mac is below the Windows download on the page and is for OS X Version 7.3 and above.

Older Macs running pre-Snow Leopard OSes can disable Java in their browsers (in Safari it’s a Security preference), or better, turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications.

As some may recall, Apple stopped shipping Java as a part of its standard installation with OS X Lion (10.7). Oracle released Java 7 for Lion and OS X Mountain Lion (10.8) in the summer. However, these systems also support Java 6.

The latest Java security issue, as with previous similar flaws, presents more of a concern for PC users. This is because there is a possibility that Windows users can become infected just by reading a vector e-mail message in Outlook. For a Mac system to become infected, the user must perform an action such as clicking on a link in a message that connects with a remote malicious site.

People can easily test the version of Java working on their machines using Michael Horowitz's Java Tester page. If the Java plug-in is working, it will report the version and the originator, such as Apple, Oracle or Sun. If the plug-in is turned off, the page reports it as missing.

The best answer for Java security is to turn it off. However, some useful programs and services use the runtime, such as CrashPlan Pro. That can make for a tough choice, although the risk is relatively low on the Mac. 

  • Apple, Oracle move quickly to mitigate Java security flaw

    Kudos to ZDNet for posting blogs on security. Educating the public is the best solution in mitigating these blights of modern technology.
  • Affects Mac and NOT especially Windows

    "concerns mostly Windows users, as usual"

    Statements like this are trendy, but in this case as usual it is untrue and unprofessional.
    Tim Acheson
  • Hmm...

    Security alert that supposedly only poses a real threat to Windows... Article is mostly about Mac.

    Seems legit.
    Skunk Shampoo
  • NO! Earlier systems running Java 6 are safe.

    Earlier versions are unaffected by this particular exploit, but they are still a long way from being safe!
  • Beware Oracle and moving quickly.....

    Oracle has released the second patch to fix the same zero day bug that they did in August. Maybe this will work....on new Macs ...standing on your hands while facing left?
    Oracle released the first patch within a couple of days, and less than a day after being out it was proven that it didn't fix the issue.

    I may not be a big Apple product fan but users should be careful and still only allow Java applets on sites they know and trust. Better safe than sorry.
  • I am proud

    I am proud to be a Windows user because security holes are rapidly found and corrected ...

    This is not the case for MacOS and other platforms...

    You just have to read security specialists on the web; they all see that MacOS is less secure than Windows. Simply.

    Nobody is interested in finding security holes in MacOS because nobody is interested in the platform... So this leaves the MacOS platform to be a real sieve.

    Windows is the most secure platform, Period.
    • I'm sooooo happy that Windows is sooooooo secure, Mac is a sieve, and...

      Obviously, since Linux is not mentioned, it must be absolutely insecure, and all those banks, stock exchanges, webservers, supercomputers, weapons systems, and me are totally pwned.
  • Still, despite all the OS BS..

    The underlying component vulnerable to attack is JAVA. Any debates?
  • Irony

    The irony is that even though U.S. Homeland Security has told everyone to uninstall or disable Java, you need Java to file documents electronically with the U.S. Courts. In fact, the government's EM/ECF system for filing documents is the only online service that I have been unable to use without Java. Unfortunate, since I'm a lawyer.