Apple, Oracle move quickly to mitigate Java security flaw

A Java flaw warning announced by Homeland Security this weekend concerns mostly Windows users, as usual. However, some Macs may be vulnerable. Apple and Oracle moved to address the flaw.
Written by David Morgenstern, Contributor

The Computer Emergency Readiness Team (CERT) posted a warning about the latest flaw in Java 7 on Thursday and suggested that users disable or uninstall the Java runtime. As usual, the security hole could enable theft of the user's identity or enlist the machine in a botnet.

Apple addressed the issue in an interesting manner, according to a report on MacRumors: it disabled the Java 7 plug-in on Mountain Lion and Lion systems running Java 7. Earlier systems running Java 6 are safe.

Apple achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly available version of Java 7 being 1.7.0_10-b18, every system running Java 7 fails the check performed by the anti-malware system built into OS X.
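The mechanism described above, as an added example that is not code from the article or from Apple: it parses Java 7 version strings of the form "1.7.0_10-b18" into comparable tuples and applies a minimum-version check to a constructed plist snippet. The PlugInBlacklist key layout and the bundle identifier in the sample are assumptions made for this example, not copied from Apple's file.

```python
import plistlib
import re

# Java 7 version strings look like "1.7.0_10-b18": major.minor.patch, an
# optional "_update" and an optional "-b<build>" suffix.
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

def parse_java_version(version: str) -> tuple:
    """Turn a Java version string into a tuple that sorts numerically."""
    m = _JAVA_VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    # Missing update/build parts count as 0, so "1.7.0" sorts below "1.7.0_10-b18".
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_blocked_by_minimum(installed: str, minimum: str) -> bool:
    """True if a blacklist requiring `minimum` would refuse to run `installed`."""
    return parse_java_version(installed) < parse_java_version(minimum)

# Constructed sample modelled on a plug-in blacklist; the key names below are
# assumptions for this example, not Apple's actual file contents.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.0_10-b19</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def java_plugin_blocked(plist_bytes: bytes, installed: str) -> bool:
    """Read the Java plug-in's minimum version from the blacklist and compare."""
    data = plistlib.loads(plist_bytes)
    entry = data["PlugInBlacklist"]["10"]["com.oracle.java.JavaAppletPlugin"]
    return is_blocked_by_minimum(installed, entry["MinimumPlugInBundleVersion"])

if __name__ == "__main__":
    for v in ("1.7.0_10-b18", "1.7.0_10-b19", "1.7.0_11-b21"):
        state = "blocked" if java_plugin_blocked(SAMPLE_XPROTECT_PLIST, v) else "allowed"
        print(f"Java {v}: {state}")
```

Raising the minimum to a build that does not yet exist is what blocks every installed Java 7 plug-in; once a newer build ships and is installed, the same check lets it through.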

On Sunday, Oracle offered a fix in Version 7, Update 11 for the Mac and other OSes. The download for the Mac is below the Windows download on the page and is for OS X Version 7.3 and above.

Older Macs running pre-Snow Leopard OSes can disable Java in their browsers (in Safari it’s a Security preference), or better, turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications.

As some may recall, Apple stopped shipping Java as a part of its standard installation with OS X Lion (10.7). Oracle released Java 7 for Lion and OS X Mountain Lion (10.8) in the summer. However, these systems also support Java 6.

The latest Java security issue, as with previous similar flaws, presents more of a concern for PC users. This is because Windows users can potentially become infected just by reading a malicious e-mail message in Outlook. For a Mac system to become infected, the user must perform an action such as clicking on a link in a message that connects to a remote malicious site.

People can easily test the version of Java working on their machines using Michael Horowitz's Java Tester page. If the Java plug-in is working, it will report the version and the originator, such as Apple, Oracle or Sun. If the plug-in is turned off, the page reports it as missing.


The best answer for Java security is to turn it off. However, some useful programs and services use the runtime, such as CrashPlan Pro. That can make for a tough choice, although the risk is relatively low on the Mac.
