New zero-day Java exploit puts 1 billion PCs and Macs running OS X 10.6 or earlier at risk

“A new zero-day vulnerability has been discovered in all currently-supported versions of Oracle’s Java software, potentially allowing attackers to install malware on around 1 billion Macs and PCs,” Louis Goddard reports for The Verge.

“Announced on the Full Disclosure mailing list by security researcher Adam Gowdiak yesterday, the bug is present in Java 5, Java 6, and Java 7 — as Computerworld points out, it is particularly significant for users of versions of Mac OS X up to and including Snow Leopard 10.6, which come bundled with the software,” Goddard reports. “The 1 billion figure is taken from installation statistics provided by Oracle.”

Read more in the full article here.

Gregg Keizer reports for Computerworld, “Snow Leopard was the last edition where Apple bundled Java with the operating system”

“While Gowdiak said that he found the new Java bug last week — and took the weekend to create and test a proof-of-concept exploit — he only reported it to Oracle on Tuesday. In a follow-up email to Computerworld, Gowdiak said, ‘We just received confirmation of the issue from Oracle,'” Keizer reports. “The company also told him that the bug will be patched in a future Java security update, but that it did not name which. The next on Oracle’s quarterly schedule will ship Oct. 16.”

Read more in the full article here.


    1. Not necessarily. Lion and Mountain Lion didn’t come with Java bundled, but if you’ve installed it separately then you’re at risk. Apple even helps these people by automatically disabling Java for those who have it installed, but haven’t used it in the last 30 days.

      Do a Spotlight search for java. You’ll see hits for Java Preferences and numerous folders if you have it installed.

      If you want to feel completely secure, go into Java preferences and disable it, or, at minimum, go into Safari’s Preferences – Security tab and uncheck Java.

    1. MacFreek, you have heard of Google, I assume?
      In case you are unfamiliar with it, and Wikipedia, here’s what you could have found out for yourself:
      Java running on an iOS platform currently is outside the bounds of the iOS SDK Agreement. The guideline in question is rule 3.3.2, which reads and which was changed after Sept 2010:
      ‘3.3.2 — An Application may not itself install or launch other executable code by any means, including without limitation through the use of a plug-in architecture, calling other frameworks, other APIs or otherwise. No interpreted code may be downloaded or used in an Application except for code that is interpreted and run by Apple’s Documented APIs and built-in interpreter(s).’

      In 2008, Sun Microsystems announced plans to release a Java Virtual Machine (JVM) for iOS, based on the Java Platform, Micro Edition version of Java. This would enable Java applications to run on iPhone and iPod Touch.[32] Soon after the announcement, developers familiar with the SDK’s terms of agreement believed that by not allowing 3rd-party applications to run in the background (answer a phone call and still run the application, for example),[33] allowing an application to download code from another source, or allowing an application to interact with a 3rd-party application (Safari with JVM, for example), could hinder development of the JVM without Apple’s cooperation.[34]
      It is possible to install and use a J2ME stack on an iPhone, though it involves jailbreaking.[35][36]

  1. Oracle’s Java Client for OS X is a train wreck. Seriously, opening the prefpane launches an app to set up the client, which makes me wonder why did they put a prefpane in the first place. Ludicrous.

    1. All versions of Java 5, 6 and 7 (aka v1.5, 1.6 and 1.7) are affected. I don’t know if Java 4 or earlier were even tested for the sandbox security holes.

      J2SE 5.0 (v1.5) was released September 30, 2004. Mac OS X 10.4.0 was released May 4, 2004. Mac OS X 10.5.0 was released June 26, 2008. Therefore, I have to conclude that 10.4.11 IS affected. But it’s worth double-checking your system. Look here:


      If you see “1.5.0.jdk” or higher, you’re affected.

  2. From reading the original message posted to the Full Disclosure mailing list, this flaw affects the browser plugin, not the full version of Java or applications that use it.

    Quote: All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications…

  3. Sorry MDN, but your headline is incorrect.

    At this time there is NO safe version of Java 5, 6 or 7 (aka v1.5, 1.6 and 1.7). ALL of these versions of Java are affected on ALL versions of OS X. If ANY of these versions are installed on a Mac, that Mac is at risk.

    CONCLUSION: If you have Java installed, turn it OFF while browsing the Internet, unless a specific website requires it AND you trust them. You can turn it off using the Java Preferences app in your Utilities folder, and/or in your individual web browsers.

    I have a series of detailed articles with links to data and opinions here:

    1. As I noted above, it is not clear whether Java 4 or earlier were tested for sandbox vulnerabilities. My assumption is that Mac OS X 10.4.11 on up are all affected IF Java is installed. Look in your Utilities folder. If you have the ‘Java Preferences’ app installed there, you have Java installed. Turn it off using the Java Preferences app ‘General’ tab.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.