Apple, Oracle move quickly to mitigate Java security flaw

Summary: A Java flaw warning announced by Homeland Security this weekend concerns mostly Windows users, as usual. However, some Macs may be vulnerable. Apple and Oracle moved to address the flaw.

The Computer Emergency Readiness Team (CERT) posted a warning about the latest flaw in Java 7 on Thursday and suggested that users disable or uninstall the Java runtime. As with earlier Java holes, an attacker exploiting the flaw could steal the user's identity or enlist the machine in a botnet.

Apple addressed the issue in an interesting manner, according to a report on MacRumors: it disabled the Java 7 browser plug-in on Lion and Mountain Lion systems running Java 7. Earlier systems running Java 6 are not affected by this flaw.

Apple achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly available version of Java 7 being 1.7.0_10-b18, every system running Java 7 fails the version check performed by the anti-malware system built into OS X, so the plug-in is blocked.
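As an added example (not from the article or from Apple's own code), here is a Python sketch of the check described above: a blacklist plist states a minimum Java plug-in version, and the installed version is compared against it. The plist contents are constructed for this example, and the key name JavaWebComponentVersionMinimum is an assumption modelled on Apple's XProtect metadata format.

```python
import plistlib
import re

# Constructed sample blacklist. The key name is an assumption modelled on
# Apple's XProtect metadata; the minimum version is the one the article cites.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JavaWebComponentVersionMinimum</key>
    <string>1.7.0_10-b19</string>
</dict>
</plist>
"""

# Java 7 plug-in version strings look like 1.7.0_10-b18:
# major.minor.micro_update-bBUILD
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)-b(\d+)$")


def parse_java_version(version):
    """Turn '1.7.0_10-b18' into a comparable tuple (1, 7, 0, 10, 18)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def minimum_allowed_version(plist_bytes):
    """Read the minimum plug-in version the blacklist requires."""
    meta = plistlib.loads(plist_bytes)
    return meta["JavaWebComponentVersionMinimum"]


def plugin_allowed(installed, plist_bytes=SAMPLE_XPROTECT_PLIST):
    """True if the installed plug-in meets the minimum, i.e. is not blocked."""
    minimum = parse_java_version(minimum_allowed_version(plist_bytes))
    return parse_java_version(installed) >= minimum


if __name__ == "__main__":
    # 1.7.0_11-b01 is a constructed value standing in for a later release.
    for v in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_11-b01"):
        print(v, "allowed" if plugin_allowed(v) else "blocked by the blacklist")
```

Raising the minimum above any shipped build is what turns a version gate into a blanket block, which is the effect the article describes.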

On Sunday, Oracle offered a fix in Version 7, Update 11 for the Mac and other OSes. The download for the Mac is below the Windows download on the page and is for OS X Version 7.3 and above.

Older Macs running pre-Snow Leopard OSes can disable Java in their browsers (in Safari it’s a Security preference), or better, turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications.

As some may recall, Apple stopped shipping Java as a part of its standard installation with OS X Lion (10.7). Oracle released Java 7 for Lion and OS X Mountain Lion (10.8) in the summer. However, these systems also support Java 6.

The latest Java security issue, as with previous similar flaws, presents more of a concern for PC users. This is because Windows users can potentially become infected just by viewing a malicious e-mail message in Outlook. For a Mac system to become infected, the user must perform an action such as clicking on a link in a message that connects to a remote malicious site.

People can easily test the version of Java working on their machines using Michael Horowitz's Java Tester page. If the Java plug-in is working, it will report the version and the originator, such as Apple, Oracle or Sun. If the plug-in is turned off, the page reports it as missing.

The best answer for Java security is to turn it off. However, some useful programs and services depend on the runtime, such as CrashPlan Pro. That can make for a tough choice, although the risk is relatively low on the Mac.

About

David Morgenstern has covered the Mac market and other technology segments for 20 years. In the recent past, he founded Ziff-Davis' Storage Supersite, served as news editor for Ziff Davis Internet and held several executive editorial positions at eWEEK. In the 1990s, David was editor of Ziff Davis' award-winning MacWEEK news publication a...
