Oracle releases Java 7 update 11 for zero-day flaw but concerns linger

Summary: Oracle has released a security update for Java on OS X that is recommended for all users, but that does not mean Java is now secure.

TOPICS: Apple, Software
Apple releases Java 7 update 11 patch for zero-day flaw - Jason O'Grady

A zero-day vulnerability discovered in Java last week prompted separate warnings from the US government, Apple, and Mozilla advising users not to use the software. Apple took the rare step of disabling the Java 7 plug-in on Macs where it is installed by updating its "Xprotect.plist" blacklist, part of the anti-malware built into OS X.

Oracle released a patch for the vulnerability on Sunday, and today Apple released Java 7 Update 11, which addresses the vulnerability. But we may not be out of the woods just yet.

Although Java 7 Update 11 satisfies the OS X anti-malware requirement for a minimum Java version number of 1.7.0_10-b19, the U.S. Department of Homeland Security has reiterated its warning that the Java web browser plug-in still poses risks even after Oracle's Update 11 patch is installed.
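To show the kind of check the XProtect minimum-version blacklist implies, here is an added example (not Apple's or Oracle's code) that parses Java version strings in the 1.7.0_10-b19 form and flags hosts whose plug-in is still below the minimum. The host names, the inventory, the 7u11 build string and the assumption that the comparison is a plain numeric one over major.minor.micro_update-build are constructed for this example.

```python
import re

# Java runtime version strings in the form the article quotes, e.g. "1.7.0_10-b19":
# <major>.<minor>.<micro>[_<update>][-b<build>]
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)"
    r"(?:_(?P<update>\d+))?(?:-b(?P<build>\d+))?$"
)


def parse_java_version(text: str) -> tuple:
    """Turn '1.7.0_11-b21' into (1, 7, 0, 11, 21); a missing update or build counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return tuple(int(m.group(k) or 0) for k in ("major", "minor", "micro", "update", "build"))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True when the installed plug-in version is at or above the blacklist minimum."""
    return parse_java_version(installed) >= parse_java_version(minimum)


# Constructed sample data: the minimum quoted in the article plus a few plug-in
# versions an inventory script might report (the 7u11 build string is an assumption).
XPROTECT_MINIMUM = "1.7.0_10-b19"
SAMPLE_INVENTORY = {
    "mac-01": "1.7.0_11-b21",
    "mac-02": "1.7.0_10-b18",
    "mac-03": "1.7.0_10-b19",
    "mac-04": "1.6.0_37",
}


def hosts_still_blocked(inventory: dict, minimum: str = XPROTECT_MINIMUM) -> list:
    """Return the hosts whose Java plug-in a minimum-version rule would still block."""
    return sorted(h for h, v in inventory.items() if not meets_minimum(v, minimum))


if __name__ == "__main__":
    for host in hosts_still_blocked(SAMPLE_INVENTORY):
        print(f"{host}: Java {SAMPLE_INVENTORY[host]} is below {XPROTECT_MINIMUM}")
```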

"Unless it is absolutely necessary to run Java in Web browsers, disable it [...] even after updating to [Update 11]."

ZDNet's Zack Whittaker reports that fixing the zero-day exploit "could take two years," quoting Rapid7 chief security officer HD Moore (via Reuters) as saying "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

  • it's good advice, but don't stop there...

    every single framework and API that can be installed or is installed should be removed or disabled if you don't use it... not just Java... Use the least of what you need. Java is just an easy target to pick on at the moment.
    • @doh123

      Yes... Apple released. Oracle released on Sunday... Apple releases this through the Xprotect.plist. Please read each line. Thank you.
      • I did read it

        All it says is that Oracle's patch "satisfies the list" because it's higher than update 10. Apple didn't do anything, they didn't have to do anything.
        Michael Alan Goff
  • Apple Released???

    Although the headline and article say Apple released the update, it appears that the update was actually released by Java (Oracle). That is where the link you have entered for the "Apple released Java 7 update 11" link goes to.
  • Look at that

    Apple even gets credit for updates they don't actually make!
    Michael Alan Goff
    • And yesterday they were getting thrashed

      for not releasing an update they don't actually make.
      • + 1

      • Amazingly enough

        I thought that was stupid as well.
        Michael Alan Goff
  • I hope there is a realistic solution...

    ...because turning off Java is NOT realistic.

    I use Chrome on Win 7x64 and have set Java to ask me ~if I really wanna~ each time I visit a website with Java info/scripting/content on it. Sure, it sounds great on paper to just "use another browser" to access sites with Java...that'd be IE for me, but, um, it seems that ~every~ site I go to including Yahoo, Gmail, Youtube, almost every news site, Intellicast...almost all the sites that show up in a search engine search....dare I say "everything" (almost) requires Java for a complete experience? --like if you want to see embedded video..or just about anything...Am I missing something here? Really, what sites DON'T use any Java? I do not do banking on non-Java sites all day long, I spend FAR more time surfing and learning! What am I missing?

    It seems odd to me that there are only two pop-up Java options within Chrome: enable permanently, or not. How about just this time???

    I wish I understood this better. Here's a question: If I surf in a sandboxed browser like SandboxIE, can the malicious code when encountered, say, on my favorite porn site get out of the browser and into my OS and beyond, or not?

    If learning how to use a sandbox is the solution, then I'll teach my family (and friends) about it.

    Thanks to the brilliance and persistence of the evil-doing cretins, I have already resigned my careless freedom to the idea that security policy development and implementation is a never-ending personal responsibility. Still, I seek the simplest REALISTIC solution so that I can teach others.

    • PS - Password here

      BTW - having forgotten my password to THIS site, I found that it could not be recovered or reset without enabling Java! Is that ironic, or is there another term for that?
      • Java?

        Are you sure that you're not confusing Java with Javascript? They're 2 different things. I haven't had Java enabled in safari for years and don't run into problems.
        • OK, Javascript

          Sure, I am plenty confused (really!), but I'm learning.

          I just did some reading and see that Java is to Javascript like Ham is to Hamster, and like Car is to Carpet. That helps a lot (not).

          I thought I knew that one (Java - JRE) is for offline use; software resident on my local machine perhaps useful for a gamer or site developer or maybe an Adobe Creative Suite user? The other (Javascript) is a browser/internet/online thing.

          If this is correct, I wonder (and am further confused) why all these stories about the current building Java zero-day threat recommend disabling the browser plugin. Seems like they should have been talking about the Javascript plugin? In Chrome, it IS called the Java plugin. I suspect THEY know more about it than I do.

          I am looking for the simplest solution (and wonder, once I get the terminology straight, if a sandboxing program like SandboxIE is appropriate).

          I will probably uninstall Java from my Win7 machine and just wait to see if something (like Creative Suite) breaks and needs it.

          Thanks for asking and for your (and anyone's) help.

  • Weaning off Oracle

    I use Oracle products at work and I have been in discussions with my IT department about switching to other products. These Oracle products demand that I use JAVA. I can't simply turn it off. Forget the fact that JAVA never seems to update properly, or even work right with Oracle products right away when it is; this security issue has caused all kinds of stress at the office.

    I don't know if moving to another product is any better, but this recent snafu has influenced my decision in a negative way toward Oracle.
    BKLYN Vet