“Oracle has issued an emergency fix for its cross-platform Java software. Java 7 update 11 for Windows, Mac and Linux, and Java 7 Update 11 64-bit for 64-bit versions of Windows and Linux, aims to plug a number of alarming security holes that were being used for phishing attacks and other crimeware,” Nick Peers reports for BetaNews.
“While update 11 should be considered an essential update for all Java users, researchers have warned that the new build is little more than a sticking plaster for the problem, and recommend users actually disable Java from running inside web browsers,” Peers reports. “The update basically sets Java’s default security settings to ‘High’, which means all code from unknown sources will be flagged before running on the user’s say-so… Researchers warn that despite this new setting, the security can be bypassed by hackers able to mask their code through ‘social engineering.’”
Peers reports, “As a result, the Department of Homeland Security’s Computer Emergency Readiness Team has recommended users should actually disable Java from running in web browsers — even after applying the latest update. The warning is echoed by other experts, including Rapid 7 and Polish company Security Explorations. At the present time, Mac OS X disables Java browser plug-ins by default.”
MacDailyNews Take: Safari browser users should make sure Java is disabled:
Safari > Preferences > Security and uncheck “Enable Java.”
Related articles:
Oracle releases Java Version 7 Update 11 – January 14, 2013
Oracle Corp to fix Java security flaw ‘shortly’ – January 12, 2013
Apple blocks OS X Java 7 plug-in as U.S. Department of Homeland Security warns of zero day threat – January 11, 2013
Apple makes OS X even more secure for Mac users by removing Java – October 19, 2012
Apple uninstalls Java applet plug-in from all web browsers – October 17, 2012
New zero-day Java exploit puts 1 billion PCs and Macs running OS X 10.6 or earlier at risk – September 26, 2012
Warning: New Java trojan targets Apple’s OS X along with Windows, Linux – July 11, 2012
Apple releases Java Update to remove Flashback trojan – April 12, 2012
OS X trojan variant preys on Mac users with unpatched Java – February 27, 2012
Jobs: Having Oracle, not Apple, release timely Java updates better for Mac users – October 22, 2010
Apple deprecates its release of Java for Mac OS X – October 21, 2010
Why does it take so long to fix it ????!
Since when has anything to do with Java ever been fast?
I like how Apple puts the option to toggle Java under “security.”
Will disabling Java f*** up my browsing experience?
Depends on what porno sites you frequent. 😉
No, I think the delusions are doing that … Could be the Java though, if you are trying to book seats online at the Wiener Stadthalle, Vienna, Austria to see “Dead can Dance”
Yeah, you can’t block the ads on MDN.
YEP!!! I disabled it and got ads. I enabled it again
No ads for me when I turn off Java. I’m using AdBlocker, a Safari extension that is quite effective.
Me too, but I still get ads when JavaScript is turned off. Strange.
Don’t confuse Java with JavaScript. Two different things. This security issue affects Java only.
If you get to a “real” site that you need it on, just open that Preferences window and uncheck it, and leave it open while you do what you have to do. Then as soon as you’re done, uncheck the Java box again. (I leave it open as a reminder so I won’t forget to uncheck it again.) I’ve been doing that for a while now because we have to use one site here at work that won’t work without stupid Java running.
Wow. Surely the end of client-side Java
Should I disable Java, or Java and JavaScript both?
Just Java. Most websites won’t work 100% with JavaScript disabled.
Java is not JavaScript:
http://www.dannyg.com/ref/javavsjavascript.html
And wouldn’t you like to know the name of the idiot responsible for the naming confusion?
Requiring users to OK actions is no protection at all. Clueless users download garbage all the time and have no idea what they’ve done until someone more knowledgeable sees a suspicious download (sometimes several copies of the same one) in the user’s download folder and points it out.
I hear you on that one! I’ve seen the craziest things in a downloads folder. And as you said, multiple versions of the download to boot. Persistent aren’t they?
I use the Java plug-in for one thing: downloading YouTube videos. I make sure Java is disabled in Safari if I’m not doing that.
——RM