java Stories March 5, 2015

Oracle begins bundling Ask adware with Java for Mac installations by default

Windows users are likely already familiar with the adware that’s usually bundled with Oracle’s Java software, but for Mac users that annoyance has been mostly avoided. Unfortunately, ZDNet reports that today Oracle has updated its Java installer to include the Ask toolbar on OS X.

The installation process automatically changes users’ browser homepage to the nearly useless Ask.com, which is populated by ads and mostly irrelevant results. The software also installs an Ask browser toolbar. Since these changes are made by default during Java installation, those who don’t want these “useful” changes made to their computers will need to manually deselect the option during Java installation.

The changes seem to affect both Safari and Google’s Chrome browser. It may also impact some other third-party browsers. Even if you do install the adware, it should be fairly simple to remove the toolbar through your browser’s extension manager and change your home page back.

java Stories October 15, 2013

Apple releases new Java update, uninstalls Apple-provided Java applet plug-ins

Apple has released Java for OS X 2013-005, which “delivers improved security, reliability, and compatibility for Java SE 6”. The update is available in the Mac App Store.

Of note, the updates “uninstalls the Apple-provided Java applet plug-in from all web browsers.” New Macs do not come with Java installed and newer versions of Java are released and maintained by Oracle.

Apple’s decision to cut off internal support and development stems from the decreased necessity for the platform and the fact that Mac malware usually comes from Java security holes. On Apple’s security page for the latest update, it is noted that some holes existed in the software:

Multiple vulnerabilities existed in Java 1.6.0_51, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_65. Further information is available via the Java website at http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

java Stories August 29, 2013

Apple has informed AppleCare representatives and Apple Retail that it has updated the Safari web browser’s built-in plugin blocker to disable older versions of Oracle’s Java 6 and 7 software.

In recent days, a new Java vulnerability was discovered. The latest issue is described on the National Vulnerability Database:

expand full story

java Stories March 4, 2013

Fool me twice: Apple releases Java update for the latest Zero Day

Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended users disable Java until Oracle addresses the issue. Today, Oracle said it knew about the flaw since Feb. 1 but didn’t get around to patching it in the last release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

java Stories March 1, 2013

url-3

Following an attack on a smaller number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are now vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. Following the earlier attack, Apple released an update to Java for users to version 1.6.0_41. These recent vulnerabilities come after several updates over the last year to Java addressing exploits.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac: expand full story

The best 4K & 5K displays for Mac

java Stories October 17, 2012

Further pushing toward the idea of a plugin-free internet, Apple has issued an update to Java for OS X that removes the Java applet plugin. Attempting to use a Java applet through any OS X web browser will now prompt users to download the latest version directly from Java maker Oracle.

This is not the first time Apple has stopped shipping a specific browser plugin with their computers. With OS X Lion, users discovered that their Macs no longer came with Adobe’s oft-derided Flash Player plugin due to its instability and security issues. Apple has long held browser plugins in contempt, especially following the success of iOS, which hasn’t supported browser plugins at all in the past six years.

Just about every Mac Trojan/vulnerability over recent months and years has been related to outdated Java code. This move should close off those attack vectors.

expand full story

Powered by WordPress.com VIP