java

Oracle begins bundling Ask adware with Java for Mac installations by default

Image via ZDNet

Windows users are likely already familiar with the adware that’s usually bundled with Oracle’s Java software, but for Mac users that annoyance has been mostly avoided. Unfortunately, ZDNet reports that today Oracle has updated its Java installer to include the Ask toolbar on OS X.

The installation process automatically changes users’ browser homepage to the nearly useless Ask.com, which is populated by ads and mostly irrelevant results. The software also installs an Ask browser toolbar. Since these changes are made by default during Java installation, those who don’t want these “useful” changes made to their computers will need to manually deselect the option during Java installation.

The changes seem to affect both Safari and Google’s Chrome browser. It may also impact some other third-party browsers. Even if you do install the adware, it should be fairly simple to remove the toolbar through your browser’s extension manager and change your home page back.

Apple releases new Java update, uninstalls Apple-provided Java applet plug-ins

Apple has released Java for OS X 2013-005, which “delivers improved security, reliability, and compatibility for Java SE 6”. The update is available in the Mac App Store.

Of note, the update “uninstalls the Apple-provided Java applet plug-in from all web browsers.” New Macs do not come with Java installed, and newer versions of Java are released and maintained by Oracle.

Apple’s decision to cut off internal support and development stems from the decreased need for the platform and the fact that Mac malware usually arrives through Java security holes. On Apple’s security page for the latest update, it is noted that several holes existed in the software:

Multiple vulnerabilities existed in Java 1.6.0_51, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_65. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

Apple updates Safari web plugin blocker to disable new Java vulnerability

Apple has informed AppleCare representatives and Apple Retail that it has updated the Safari web browser’s built-in plugin blocker to disable older versions of Oracle’s Java 6 and 7 software.

In recent days, a new Java vulnerability was discovered. The latest issue is described on the National Vulnerability Database:

Fool me twice: Apple releases Java update for the latest Zero Day

Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines. Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. These vulnerabilities have each received a CVSS Base Score of 10.0.

Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended users disable Java until Oracle addresses the issue. Today, Oracle said it knew about the flaw since Feb. 1 but didn’t get around to patching it in the last release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a small number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. Following the earlier attack, Apple released a Java update that brought users to version 1.6.0_41. These recent vulnerabilities come after several Java updates over the last year addressing exploits.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac:

Apple removes Java applet plugin from OS X, continuing push for plugin-free web

Further pushing toward the idea of a plugin-free internet, Apple has issued an update to Java for OS X that removes the Java applet plugin. Attempting to use a Java applet through any OS X web browser will now prompt users to download the latest version directly from Java maker Oracle.

This is not the first time Apple has stopped shipping a specific browser plugin with its computers. With OS X Lion, users discovered that their Macs no longer came with Adobe’s oft-derided Flash Player plugin due to its instability and security issues. Apple has long held browser plugins in contempt, especially following the success of iOS, which has not supported browser plugins at all in the past six years.

Just about every Mac Trojan/vulnerability over recent months and years has been related to outdated Java code. This move should close off those attack vectors.

Former Sun employees bring Java to iOS with cross-platform SDK

Codename One is an SDK launched by former Sun employees that allows developers to create a single native mobile app for multiple platforms (iOS/Android/Windows Phone, etc.) using Java and an optional GUI builder:

“Ex-Sun employees did what Sun/Oracle failed to do since the iPhone launched. They brought Java to iOS and other mobile devices. They are getting major coverage from Forbes, DDJ,hacker news and others. They are taking a unique approach of combining a Swing-like API with a open source and SaaS based solution.”

In other Apple Java news, a recent Apple job listing is looking for a Senior Java Engineer to join the Siri Server Platform team. Candidates should have experience in Java API design and will “lead and extend the core software infrastructure, algorithms, and APIs that let Siri move, understand, plan, learn, speak, and remember.” Like most large server-side applications, Siri’s backend appears to be Java-based.

Apple softens its language on virus susceptibility in wake of Flashback trojan

After Apple released a patch for a Java vulnerability that led to the infection of roughly 600,000 Macs with the Flashback Trojan earlier this year, security researchers claimed weeks later that hundreds of thousands of Macs were still infected. Kaspersky’s CEO claimed Apple is “now entering the same world as Microsoft has been in for more than 10 years.” Now, as noted by PCWorld, Apple appears to be publicly changing its longstanding stance that “it doesn’t get PC viruses.” The statement on Apple’s “Why you’ll love a Mac” website now reads: “It’s built to be safe” (as you can see in the comparison screenshots above).

Another statement on the website switched from “Safeguard your data. By doing nothing” to “It’s built to be safe.” Following the Flashback incident, Kaspersky’s CEO claimed in April that Apple is “ten years behind Microsoft in terms of security,” and that he “expects to see more and more” malware on Macs:

“Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac. It’s full of malware…. Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on,” he added. “We now expect to see more and more because cyber criminals learn from success and this was the first successful one…. They will understand very soon that they have the same problems Microsoft had ten or 12 years ago.”

Free app checks for the Flashback trojan infecting 600,000 Macs

Over the past few weeks, security experts have warned Mac users of a new virus making the rounds called the “Flashback” trojan. Flashback is allegedly on over 600,000 Macs, roughly 1 percent of the 45 million out there. Flashback exploits a pair of vulnerabilities in older versions of Java. Apple may have patched them, but the trojan is still out there and running on many machines.

How do you know if you are infected? F-Secure has a few Terminal commands to check your machine. For the many who are not adept at keeping their Java updates fresh, Terminal commands are going to be even more foreign. Luckily, ArsTechnica points us to a free Flashback checker available on GitHub. The app runs the same checks you would run in Terminal, but automates them for you.

We ran the test ourselves and were clean, but one of our readers found that he had the virus last week. It is definitely worth checking out. If your Mac does have Flashback, F-Secure offers a great guide on how to remove it.

In the wake of the Flashback Trojan, Apple quietly puts out an updated Java security patch

Earlier this week, Apple released a Java security update, 2012-001, to patch the Flashback vulnerability that a security company claims affected 600,000 Macs.

Late this evening, we are getting reports from readers that a new version of the Java update is becoming available via Software Update.

The latest update, Java for OS X 2012-002, supersedes the -001 update Apple released earlier this week, and indeed the KB article linked from the -002 update is still the -001 version (below).

Update: Apple sent a note out to its Java Community, below, with the ‘why’ (a small issue: the two updates are the same apart from a few symlinks and version numbers).

Thanks Jessie!

Flashback.G trojan seen exploiting ancient Java vulnerabilities to infect Macs

A new variant of the Flashback trojan horse called “Flashback.G” is reportedly out in the wild and able to exploit a pair of vulnerabilities found in an older version of the Java run-time, according to a blog post by antivirus maker Intego yesterday. People running Snow Leopard and an older Java run-time are at high risk, as the primary spreading method relies on maliciously crafted websites. When a user visits such a page, the malware exploits the browser’s security settings and installs itself without any intervention on the user’s part.

Even if you use the latest Java run-time installation, the malware can still falsely report a Java certificate as signed by Apple (though it is reported as untrusted), duping naïve users into clicking the Continue button in the certificate window and letting the trojan infect the host system.

Upon infection, the trojan will suck personal data into the cloud, including sensitive usernames and passwords for Google, PayPal, eBay, and other popular websites. One possible sign of infection includes unexpected crashes in Safari, Skype, and other apps with embedded browser content.

So, how does one protect oneself from this nasty piece of software?

Fluent is a Sparrow-like UI for Gmail making the ‘future of email’

[youtube=http://www.youtube.com/watch?v=Z07MnBf9QNY]

Fluent is a web-based workflow stream that works with existing Gmail accounts to bring a Sparrow-like user interface to email.

Users can stream email threads and replies, preview aggregated attachments in a tab, quickly reply or compose inline, archive messages, and even add a to-do list with the new design concept that claims to run on any web browser.

Sparrow is a great success as a Mac-only application, and now Fluent hopes to level the playing field and snag users who are in dire need of a new Gmail look and functionality. Fluent’s website specifically praises its workflow ability, multiple-account options, and “blazing” fast search-as-you-type filter.

The streaming email UI is the work of three former Googlers who quit the Mountain View, Calif.-based company. BusinessInsider said Cameron Adams, Dhanji Prasanna, and Jochen Bekmann left because designers were “less valuable” than engineers at Google, and they felt disconnected from Google’s culture while operating from across the world in Sydney, Australia…
