Java Update

This comment is really meant for others who stumble on this thread. I'm not familiar with CrashPlan and don't know if it needs Java internally or through the browser (or both.) But if the latter -- and I know you will already have thought of this, that's why I said this comment is really intended for others -- set NoScript (Firefox Add-on) to set a placeholder for Java content and only click the placeholder to allow Java on CrashPlan, or the other Java sites you trust. That should minimize the risk, whatever it may be.

After doing some research, I found a plugin for Google Chrome that will put current page you are on into an Internet Explorer wrapper with Java 6 installed in it. Its called Rndr and I have tested it on OSX 10.8 and 10.6.8 and it appears to launch any java plugin or .jnlp webstart app in the browser itself.

https://chrome.google.com/webstore/detail/rndr/aeanibohjlokjdpopecapcfaacnhdifi

WZZZ wrote:

This comment is really meant for others who stumble on this thread. I'm not familiar with CrashPlan and don't know if it needs Java internally or through the browser (or both.)

It is a Java application. No browser involved.

Have there been any active exploits for Java applications in OS X, not drive-bys through the browser, i.e. not web exploits? I've only heard of web exploits.

WZZZ wrote:

Have there been any active exploits for Java applications in OS X, not drive-bys through the browser, i.e. not web exploits? I've only heard of web exploits.

None that I've heard of and there is nothing like that listed on Thomas' MMG. They all seem to involve only the first phase of a drive-by. I believe all the recommendations to avoid Java completely are driven by the shear number of vulnerabilities that keep cropping up. The thinking is that sooner or later somebody will come up with an exploit to take advantage of them on a Mac.

Well, all I can say is I'm very glad I had Java disabled in Firefox (and NoScript), only enabling it per occasion, for several years even before the Flashback arrived. And that was because of the well publicized notoriety of Java browser attacks. Whether or not that notoriety was truly deserved seems to be another question -- one that you have raised -- but it saved my hide.

WZZZ wrote:

Well, all I can say is I'm very glad I had Java disabled in Firefox (and NoScript), only enabling it per occasion, for several years even before the Flashback arrived. And that was because of the well publicized notoriety of Java browser attacks. Whether or not that notoriety was truly deserved seems to be another question -- one that you have raised -- but it saved my hide.

I may not have been entirely clear with my answer, but I was referring to the advise to completely disable Java on a Mac or not install it at all.

I have been recommending that Java be disabled in browsers for a very long time and practice that myself. Luckily I don't currently need to visit any web site that requires it, so it's always off. In the case of Flashback, it was my PPC CPU that prevented me from being infected (I tried several times to find it on purpose).

Got it 🙂

New Java update, at least it seems for Snow and above.

http://support.apple.com/kb/DL1573

About Java for Mac OS X 10.6 Update 11

Java for Mac OS X 10.6 Update 11 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37.

On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

WZZZ wrote:

New Java update, at least it seems for Snow and above.

Well, sort of new. That's the one that created the issues we've been discussing here all along and it's only for Snow.

http://support.apple.com/kb/DL1572 is similar for Lion and ML.

Thought you'd be interested in this, if you haven't already heard about it.

http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java- updates

WZZZ wrote:

Thought you'd be interested in this, if you haven't already heard about it.

Thanks, I had not read it.

Here's one from ArsTechnica

http://arstechnica.com/information-technology/2012/10/ars-asks-is-using-java-on- a-desktop-worth-the-security-risks/

and a rant from Derek Currie, who drops by the forum occassionally

http://mac-security.blogspot.com/2012/10/oracle-java-for-mac-fails-installing.ht ml

Good rant! I wouldn't be a happy camper either.

This worked for me!

Summary

An update to Java 6 for Mac OS X was release on October 16, 2012. This update changes the Java version to 1.6.0_37. This version prevents teachers from launching PowerTeacher Gradebook on a Mac OS X client.

This article describes how to update the PowerTeacher Gradebook JNLP file on the PowerSchool server to allow PowerTeacher Gradebook to launch successfully for teachers using Mac OS X.

Client Environments

Windows Operating System

• JRE 6 (Java 1.6)
• JRE 7 (Java 1.7)

Macintosh Operating System

• OS X 10.5 - JRE 6 (Java 1.6 up to 1.6.0_37)
• OS X 10.6 - JRE 6 (Java 1.6 up to 1.6.0_37)
• OS X 10.7 - JRE 6 (Java 1.6 up to 1.6.0_35) & JRE 7 (Java 1.7)
• OS X 10.8 - JRE 6 (Java 1.6 up to 1.6.0_35) & JRE 7 (Java 1.7)

Workaround

The following workaround requires that the teacher's client machine meets the above requirements for OS and Java compatibility.

1. Locate the following file on your PowerSchool server:

   \Program Files\PowerSchool\application\components\powerschool-gradebook-<version>\WEB-IN F\classes\com\pearson\powerschool\gradebook\servlet\gradebook.jnlp

2. Make a backup copy of this file and save it in a different location. This will allow you to revert your changes if an issue is encountered with the following steps.
3. Open the JNLP file in a text editor.
4. Locate the following on line 16:

   <resources>

5. Change the value to:

   <resources arch="">

6. Save the file.

The above workaround should not require a server restart. If your server is in an array configuration, apply the above workaround on each node used for PowerTeacher Gradebook.

Can you give us the source of this please?