java Stories March 5, 2015

Oracle begins bundling Ask adware with Java for Mac installations by default

Windows users are likely already familiar with the adware that’s usually bundled with Oracle’s Java software, but for Mac users that annoyance has been mostly avoided. Unfortunately, ZDNet reports that today Oracle has updated its Java installer to include the Ask toolbar on OS X.

The installation process automatically changes users’ browser homepage to the nearly useless Ask.com, which is populated by ads and mostly irrelevant results. The software also installs an Ask browser toolbar. Since these changes are made by default during Java installation, those who don’t want these “useful” changes made to their computers will need to manually deselect the option during Java installation.

The changes seem to affect both Safari and Google’s Chrome browser. It may also impact some other third-party browsers. Even if you do install the adware, it should be fairly simple to remove the toolbar through your browser’s extension manager and change your home page back.

java Stories October 15, 2013

Apple releases new Java update, uninstalls Apple-provided Java applet plug-ins

Apple has released Java for OS X 2013-005, which “delivers improved security, reliability, and compatibility for Java SE 6”. The update is available in the Mac App Store.

Of note, the update “uninstalls the Apple-provided Java applet plug-in from all web browsers.” New Macs do not come with Java installed, and newer versions of Java are released and maintained by Oracle.

Apple’s decision to cut off internal support and development stems from the decreased necessity for the platform and the fact that Mac malware usually comes from Java security holes. On Apple’s security page for the latest update, it is noted that some holes existed in the software:

Multiple vulnerabilities existed in Java 1.6.0_51, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_65. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

java Stories August 29, 2013


Apple has informed AppleCare representatives and Apple Retail that it has updated the Safari web browser’s built-in plugin blocker to disable older versions of Oracle’s Java 6 and 7 software.

In recent days, a new Java vulnerability was discovered. The latest issue is described on the National Vulnerability Database:


java Stories March 4, 2013

Fool me twice: Apple releases Java update for the latest Zero Day

Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines. Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. These vulnerabilities have each received a CVSS Base Score of 10.0.

Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended that users disable Java until Oracle addresses the issue. Today, Oracle said it has known about the flaw since Feb. 1 but did not get a fix into the last release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

java Stories March 1, 2013


Following an attack on a small number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. Following that earlier attack, Apple released a Java update for users, bringing it to version 1.6.0_41. These recent vulnerabilities come after several Java updates over the last year that addressed exploits.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac:

java Stories October 17, 2012

Further pushing toward the idea of a plugin-free internet, Apple has issued an update to Java for OS X that removes the Java applet plugin. Attempting to use a Java applet through any OS X web browser will now prompt users to download the latest version directly from Java maker Oracle.

This is not the first time Apple has stopped shipping a specific browser plugin with their computers. With OS X Lion, users discovered that their Macs no longer came with Adobe’s oft-derided Flash Player plugin due to its instability and security issues. Apple has long held browser plugins in contempt, especially following the success of iOS, which hasn’t supported browser plugins at all in the past six years.

Just about every Mac Trojan/vulnerability over recent months and years has been related to outdated Java code. This move should close off those attack vectors.


java Stories July 26, 2012

Former Sun employees bring Java to iOS with cross-platform SDK

Codename One is an SDK launched by former Sun employees that allows developers to create a single native mobile app for multiple platforms (iOS/Android/Windows Phone, etc.) using Java and an optional GUI builder:

“Ex-Sun employees did what Sun/Oracle failed to do since the iPhone launched. They brought Java to iOS and other mobile devices. They are getting major coverage from Forbes, DDJ, Hacker News and others. They are taking a unique approach of combining a Swing-like API with an open source and SaaS based solution.”

In other Apple Java news, a recent Apple job listing is looking for a Senior Java Engineer to join the Siri Server Platform team. Candidates should have experience in Java API design and will “lead and extend the core software infrastructure, algorithms, and APIs that let Siri move, understand, plan, learn, speak, and remember.” Like most large server-side applications, Siri’s backend appears to be Java-based.

java Stories June 25, 2012

Apple softens its language on Virus susceptibility in wake of Flashback trojan

After Apple released a patch for a Java vulnerability that led to the infection of roughly 600,000 Macs with the Flashback Trojan earlier this year, security researchers claimed weeks later that hundreds of thousands of Macs were still infected. Kaspersky’s CEO claimed Apple is “now entering the same world as Microsoft has been in for more than 10 years.” Now, as noted by PCWorld, Apple appears to be publicly changing its longstanding stance that “it doesn’t get PC viruses.” The statement on Apple’s “Why you’ll love a Mac” website now reads: “It’s built to be safe” (as you can see in the comparison screenshots above).

Another statement on the website switched from “Safeguard your data. By doing nothing” to “It’s built to be safe.” Following the Flashback incident, Kaspersky claimed in April that Apple is “ten years behind Microsoft in terms of security,” and he “expects to see more and more” malware on Macs.

“Cyber criminals have now recognised that Mac is an interesting area. Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac. It’s full of malware… Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on,” he added. “We now expect to see more and more because cyber criminals learn from success and this was the first successful one… They will understand very soon that they have the same problems Microsoft had ten or 12 years ago.”

java Stories May 23, 2012

Jury verdict: Android did not infringe upon Oracle’s patents

It has been a good week for Google. A jury just found that Google did not violate Oracle’s patents. The full story is at 9to5Google.com

java Stories April 10, 2012

Over the past few weeks, security experts have warned Mac users of a new virus making the rounds called the “Flashback” trojan. Flashback is allegedly on over 600,000 Macs, which is roughly 1 percent of the 45 million out there. Flashback exploits a pair of vulnerabilities in older versions of Java. Apple may have patched it, but it is still out there and running on many machines.

How do you know if you are infected? F-Secure has a few Terminal commands to check your machine. For the many who are not adept at keeping their Java updates fresh, Terminal commands are going to be even more foreign. Luckily, Ars Technica points us to a free Flashback checker available on GitHub. The app runs the same checks you would run in Terminal, but automates them for you.

We ran the test ourselves and were clean, but one of our readers found that he had the virus last week. It is definitely worth checking out. If your Mac does have Flashback, F-Secure offers a great guide on how to remove it.


java Stories April 5, 2012

Earlier this week, Apple released a Java security update, 2012-001, to patch the Flashback vulnerability that a security company claims affected 600,000 Macs.

Late this evening, we are getting reports from readers that a new version of the Java update is becoming available via Software Update.


The latest update, Java for OS X 2012-002, supersedes the -001 update Apple released earlier this week, and indeed the KB article linked from the -002 update is still the -001 version (below).

Update: Apple sent a note to its Java community, below, explaining why (a small issue: the two updates are the same except for a few symlinks and version numbers).

Thanks Jessie!

java Stories February 24, 2012

A new variant of the Flashback trojan horse called “Flashback.G” is reportedly out in the wild and able to exploit a pair of vulnerabilities found in an older version of the Java runtime, according to a blog post by antivirus maker Intego yesterday. People running Snow Leopard and an older Java runtime are at high risk, as the primary spreading method relies on maliciously crafted websites. When visiting such pages, the malware exploits the browser’s security settings and installs itself without any intervention on the user’s part.

Even if you use the latest Java runtime, the malware can still falsely present a Java certificate as signed by Apple (though it is reported as untrusted), duping naïve users into clicking the Continue button in the certificate window and letting the trojan infect the host system.

Upon infection, the trojan will suck personal data into the cloud, including sensitive usernames and passwords for Google, PayPal, eBay, and other popular websites. One possible sign of infection includes unexpected crashes in Safari, Skype, and other apps with embedded browser content.

So, how does one protect oneself from this nasty piece of software?


java Stories February 21, 2012

Fluent is a web-based workflow stream that works with existing Gmail accounts to bring a Sparrow-like user interface to email.

Users can stream email threads and replies, preview aggregated attachments in a tab, quickly reply or compose inline, archive messages, and even add a to-do list with the new design concept that claims to run on any web browser.

Sparrow is a great success as a Mac-only application, and now Fluent hopes to level the playing field and snag users who are in dire need of a new Gmail look and functionality. Fluent’s website specifically praises its workflow ability, multiple-account options, and “blazing” fast search-as-you-type filter.

The streaming email UI is the work of three former Googlers who quit the Mountain View, Calif.-based company. BusinessInsider said Cameron Adams, Dhanji Prasanna, and Jochen Bekmann left because designers were “less valuable” than engineers at Google, and they felt disconnected from Google’s culture while operating from across the world in Sydney, Australia…

