Warnings | Patch from Oracle | Mac OS X | Disabling Java in browsers

There was a rash of posts on Friday, Jan. 11, 2013 about a Java Runtime Environment (JRE) vulnerability, following the CERT (Computer Emergency Readiness Team) announcement.
Oracle's Security Alert addresses CVE-2013-0422 (US-CERT Alert TA13-010A, Oracle Java 7 Security Manager Bypass Vulnerability) and a second vulnerability affecting Java running in web browsers.

These vulnerabilities only affect the Java plug-in running in web browsers.
They do not affect Java running on servers, standalone Java desktop applications or embedded Java applications. JavaScript, which also runs in browsers, is an unrelated language and is not affected.

All versions of Oracle's Java 7 up to and including Java 7 Update 10 (7u10) are affected. The flaw is being exploited in the wild on Windows, Linux and UNIX.
A new Trojan horse for Windows, detected by Sophos as Mal/JavaJar-B, exploits this security hole.

Anti-virus and anti-malware programs, which everyone should have on their computer, usually handle most risks, so forwarding warning emails is normally unnecessary.
This flaw is different: the exploit was in use by malware before a fix existed, so your internet security program will only stop it if it specifically blocks this exploit. Many products did not when the flaw became public (exploit blocking of this kind is often missing from free anti-virus programs), so you cannot rely on anti-virus alone here.

Sophos describes this as a zero-day attack: the exploit was found in active use by malware before Oracle had a chance to investigate and patch the hole.

The malware has so far been seen attacking Windows, Linux and Unix systems. It has not yet targeted Mac OS X, but it could: OS X is a Unix-based system and the vulnerability is in Java itself, which is cross-platform, so the same exploit applet can run on any system with the vulnerable plug-in. Only the payload it drops is specific to the operating system.

Jan. 11, 2013
Attackers have found a weakness in Java 7 that lets them install malware on a victim's machine. That malware can lead to identity theft, or enroll the machine without the owner's knowledge in a botnet used to attack networks.
See Homeland Security warns to disable Java amid zero-day flaw | ZDNet
Also reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/


Jan. 11, 2013
The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) has issued an alert that an unspecified vulnerability in Java can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

The vulnerability affects Java 7 Update 10 and earlier versions. US-CERT reports it is currently unaware of a practical solution to this problem. It recommends working around the flaw by disabling Java in web browsers.

The Oracle Java Runtime Environment (JRE) 1.7 enables users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

See major-vulnerability-found-in-java | www.securityinfowatch.com

Disable the Java browser plug-in
Note: the Java runtime is different from JavaScript. JavaScript is not affected and can stay enabled.
See Java vs. JavaScript

Jan. 13, 2013 - Oracle Security Alert for CVE-2013-0422
These vulnerabilities affect Java running in web browsers; they are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.

The fixes in this Alert include a change to the default Java Security Level setting from "Medium" to "High". With the "High" setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.
Java Version 7 Update 11 fixes the problem. www.java.com/en/download/index.jsp
www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
blogs.oracle.com/security/entry/security_alert_for_cve_2013
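The two facts that matter for this alert are the version cut-off (7u10 and earlier affected, 7u11 and later fixed) and whether Java content in the browser is switched off or only prompted for. As an added example, not code from this page, from US-CERT or from Oracle, the POSIX shell script below turns both into a check: it classifies the first line of `java -version` output, and it reads a Java 7 deployment.properties file (the file the Java Control Panel writes) to report whether browser Java is disabled or which security level is set. The version strings and property files in the script are constructed samples; the keys deployment.webjava.enabled and deployment.security.level are the ones Java 7's Control Panel uses for the "Enable Java content in the browser" box and the Security Level slider.

```shell
#!/bin/sh
# Added example, not code from the page or from Oracle. Two checks for the
# CVE-2013-0422 situation: is the installed JRE 7u10 or earlier, and has Java
# in the browser been switched off via deployment.properties?

# classify_java_version LINE
#   LINE is the first line of `java -version` output (it goes to stderr, so
#   capture it with: java -version 2>&1 | head -n 1). Prints one of
#   vulnerable / patched / not-java7 / unknown. Only Java 7 is rated: 7u10 and
#   earlier are affected, 7u11 and later carry the fix from Oracle's alert.
classify_java_version() {
    line=$1
    # Extract the quoted version string, e.g. 1.7.0_10 from: java version "1.7.0_10"
    # (the leading word may be "java" or "openjdk").
    ver=$(printf '%s\n' "$line" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    case "$ver" in
        '')
            echo "unknown"; return 1 ;;
        1.7.0)
            # 7u0 prints no update number; it is still older than 7u11
            echo "vulnerable" ;;
        1.7.0_*)
            upd=${ver#1.7.0_}        # "10" from 1.7.0_10
            upd=${upd%%-*}           # drop a build suffix such as -b19 if present
            case "$upd" in
                ''|*[!0-9]*) echo "unknown"; return 1 ;;
            esac
            if [ "$upd" -le 10 ]; then echo "vulnerable"; else echo "patched"; fi ;;
        *)
            echo "not-java7" ;;
    esac
}

# browser_java_policy < deployment.properties
#   Prints "disabled" when deployment.webjava.enabled=false (the setting behind
#   the Java Control Panel's "Enable Java content in the browser" box, 7u10+);
#   otherwise prints the deployment.security.level value, or "unset" if the file
#   has none. Before 7u11 the default level was MEDIUM, which ran unsigned
#   applets without a prompt; 7u11 changed the default to HIGH.
browser_java_policy() {
    props=$(cat)
    if printf '%s\n' "$props" | grep -qx 'deployment.webjava.enabled=false'; then
        echo "disabled"
        return 0
    fi
    level=$(printf '%s\n' "$props" | sed -n 's/^deployment\.security\.level=//p' | tail -n 1)
    echo "${level:-unset}"
}

# Constructed sample inputs (not captured from a real machine).
WEAK_PROPS='deployment.webjava.enabled=true
deployment.security.level=MEDIUM'
HARDENED_PROPS='deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH'

for sample in 'java version "1.7.0_10"' 'java version "1.7.0_11"' 'java version "1.6.0_37"'; do
    printf '%-26s -> %s\n' "$sample" "$(classify_java_version "$sample")"
done
printf 'weak deployment.properties     -> %s\n' "$(printf '%s\n' "$WEAK_PROPS" | browser_java_policy)"
printf 'hardened deployment.properties -> %s\n' "$(printf '%s\n' "$HARDENED_PROPS" | browser_java_policy)"
```

To run it against a real machine, feed it `java -version 2>&1 | head -n 1` and the per-user deployment.properties file; "patched" here only means the fix from this alert is present, it says nothing about later Java bulletins.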

Instructions for Mac OS X
From Khürt Williams <khurt@islandinthenet.com>, CISSP (Certified Information Systems Security Professional):
The vulnerability only affects the Java plugin for web browsers.
See below for disabling in browsers.
If you disabled Java in Safari then you were fine. See below for instructions.
Apple did this for you already. Apple used its built-in XProtect system to disable ALL versions of Java 7.
NOTE: Java does not ship with Mountain Lion so unless you installed it, there is nothing to do.


The suspect code is at "/System/Library/Java/JavaVirtualMachines/1.7.0.jdk".
All I had on OS X 10.8.2 (Mountain Lion) was 1.6.0.jdk.
Get Info said it was version 14.5.0, which "Displays Java applet content, or a placeholder if Java is not installed."
Apple has acted proactively to block the Java browser plug-in on Mac machines with OS X 10.6 Snow Leopard or higher. Is your Mac at risk? Maybe. It is possible that your Mac does not even have Java installed. Apple stopped including Java by default with Lion. However, if you have run into any websites or software that needs Java, it may have prompted you to install it.

If you disable Java in whichever browser(s) you use regularly, you can continue to use your web browser without worrying about this exploit. If you find a website that uses Java, you can turn it on, do what you need to do, and then turn it off again.

See a-reasonable-response-to-java-security-problems/ | www.tuaw.com

You can remove it or disable it.

Disable Java in Mac OS X browsers:
First find out whether Oracle's Java 7 is installed at all. From the Terminal app, list the installed Java virtual machines:
/usr/libexec/java_home -V
This command only reports what is installed (a 1.7.0 entry means Java 7 is present); it does not disable anything and does not need sudo. Apple's Java Preferences utility applies to Apple's Java 6. Oracle's Java 7 plug-in is switched off for every browser at once in the Java Control Panel: System Preferences > Java > Security, un-check "Enable Java content in the browser" (this box exists from 7u10 on). Or disable it per browser as below.

Disable Java in Safari
Safari > Preferences > Security
Un-check "Enable Java"

Disable Java in Google Chrome
Chrome > Preferences > Settings > Show advanced settings... (at the bottom)
Click "Content settings" under Privacy
Under Plug-ins click "Disable individual plug-ins..." and click Disable next to Java

Disable Java in Firefox 17
Tools > Add-ons > Plugins
Click Disable next to "Java Applet Plug-in"
All I had there was Java 14.5.0 which says it "Displays Java applet content, or a placeholder if Java is not installed."
This is not the suspect code.
There was another Java vulnerability, in Java 7 Update 6 (7u6), in August 2012.
Aug. 27, 2012
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.

Although the exploits now circulating in the wild have been aimed only at Windows users, it's possible that Macs could also be targeted.
See Macs_at_risk_from_super_dangerous_Java_zero_day | www.computerworld.com

Return to Virus, Spyware and Security

last updated 15 Jan 2013