“As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties,” Eric Slivka reports for MacRumors. “In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.”
“Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed,” Slivka reports. “Apple has achieved this by updating its ‘Xprotect.plist’ blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.”
MacDailyNews Take: Java is the new Flash.
Related articles:
Apple makes OS X even more secure for Mac users by removing Java – October 19, 2012
Apple uninstalls Java applet plug-in from all web browsers – October 17, 2012
New zero-day Java exploit puts 1 billion PCs and Macs running OS X 10.6 or earlier at risk – September 26, 2012
Warning: New Java trojan targets Apple’s OS X along with Windows, Linux – July 11, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Jobs: Having Oracle, not Apple, release timely Java updates better for Mac users – October 22, 2010
Apple deprecates its release of Java for Mac OS X – October 21, 2010
“Apple has achieved this by updating its ‘Xprotect.plist’ blacklist”
So OS X is in FACT more secure than Windows and not just because of the “Security through obscurity” sense.
Unfortunately, as I have verified, on 10.7.5 there have been problems at Apple’s end allowing the XProtectUpdater CLI app to download the new XProtect.plist file. I consistently ran into certificate/signature errors from Apple’s website no matter how I invoked XProtectUpdater. That’s not good.
I’ll be doing more testing Saturday, including on my 10.8 systems.
http://Mac-Security.blogspot.com
I usually disable the Java web plugin whenever I hear about something like this. Now Apple has disabled it for me, before I even heard about this problem. That’s awesome.
I wonder, hypothetically, what I would have to do to override this if I really did need to use the Java web plugin today.
I had an issue with this last night. I had to use Firefox for the live auction bidding site.
STO was always a bogus myth perpetrated by WinTards as their life support declines.
Total agreement. I’ve proven Security Through Security to be total BS on many occasions. Do some simple proportional math and you’ll find there are over 1000x more malware for Windows than Mac on a 1:1 user basis. That’s VERY bad. That’s Microsoft’s fault, not market share’s fault.
Do you think that 1 mac user is worth more because they spend more, or less because they are smarter / more computer literate to hackers?
I’ve been up and I’ve been down. My worth didn’t change one way or the other.
But we geeks know full well that technology ignorance attracts people to all sorts of worthless crap. My mom is a prime example. If not for me, she’d own a netbook as well as an Android. I think of teaching people about superior technology as a public service, an act of altruism. 🙂
Android apps are ALL developed in Java
I wish Apple had bothered to TELL its users that it was disabling all versions of Java. I spent more than an hour yesterday troubleshooting my computer’s Java issues when I couldn’t use a vendor’s Java-based proofing system to okay materials waiting to go on press. I called the vendor, they called THEIR software people, I reinstalled the Java plug-in on three different browsers.
Sigh.
I know Apple was doing the right thing. But they could have at least warned their user base!!! AAARGGGHHH!
That is a very fair point. There should be a notification.
Damn. I posted three Mac-Security articles today to keep up with the onslaught of Java horror news.
NOTE: There are assertions this afternoon that ALL versions of Java, versions 4 through 7, are affected by today’s zero-day security hole.
Therefore: There is NO safety in older versions of Java, including Java 6.
My mantra:
Just Turn Java OFF
http://Mac-Security.blogspot.com
“Java is the new Flash.”
If you think about it, Java is the OLD Flash. When the iPhone came out, no one cared that the browser didn’t support Java, because Java was already long-obsolete by then (thanks in large part to Flash).
If Apple disables my Java via the blacklist, how can I turn it back on if I need to use it?
Copy and paste this string below into “Go to Folder” under “Go” in the Finder Menu, for fast access to the XProtect.plist, then right-click “Get info” on XProtect.plist to see dates for “Created” and “Modified”:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist