Re: JAVA Update.

Some information.

Java

gordonfromsaskatoon wrote:

Are there 2 different updates for JAVA?

Yes, if you installed or migrated from a system that contained Java SE 6 from Apple and later installed Java SE 7 from Oracle, then both are presently installed on your hard drive.

Are both of these necessary?

Probably not unless you are in a situation where there are compatibility issues that require the use of both.

In Safari Preferenced, I have unchecked "enable Jave" but have left "Enable Javascript" checked. If I have a problem without JAVA, then I will enable it again. Is this a safe prcedure to follow?

Yes.

Any advise on what is proper and how to ensure that Java is properly installed and secure on my computer will be very much appreciated.

Just keep everything up-to-date and you will be fine.

Not sure what prompted you to install Java 7 in the first place, but I take it you must have needed it for something.

It's possible to remove Java 7 if you don't need it, but I do not recommend attempting to remove Java 6 as there is no Apple approved way to do that and it's rather tightly integrated with your OS.

When you installed Java 7, it took over responsibility for the Java plug-in for your browsers. Should you ever find the need to revert to Java 6 for browser use, there are Apple instructions for that.

The reference Eric Root pointed you to is a little old, but still valid. A more recent article from a collaborating author is Java Updates!

Apple completely disabled Java plugin a while back due to a threat that was brought to their attention by Homland Security. Apple intended to pass updating of the Mac verision of Java onto the Java organization, now owned by Oracle, as a way to speed updates.

I had a critical web page for work designed by another company that required a Java plugin for it to function. (I have requested that they revise their site to avoid Java.) I could not file electronic documents with my updated Mac systems. I had to find an old Mac stil running Snow Leapard with an older Java plugin so I could gain access.

Two days after the warning, the Java organization provided an update - Java 7, vxx. Since then, I have been regulalry getting updates from the Java organization (Java 7, vzz) to hopefully improve security in the plugin.

What I don't need now is for Apple to send me another update for the Java Plugin that once again disables it.

Apple has not explained what happens to those of us whom are already at Java 7, vzz and getting updates from the Java organization. Is this a harmless update?

PJ\'sPal wrote:

Apple completely disabled Java plugin a while back due to a threat that was brought to their attention by Homland Security. Apple intended to pass updating of the Mac verision of Java onto the Java organization, now owned by Oracle, as a way to speed updates.

I don't exactly agree with the reason you state as Apple has publicly said they no longer believe Java to be a safe environment and seem to have eliminated it's use within OS X. Similar for the reason they no longer distribute Adobe Flash Player as part of the OS.

I had a critical web page for work designed by another company that required a Java plugin for it to function. (I have requested that they revise their site to avoid Java.)

Good move on your part. I also think that developers have been way too slow in converting from Java 6 to Java 7, as there is only one more day of public support from Oracle on 6.

Two days after the warning, the Java organization provided an update - Java 7, vxx. Since then, I have been regulalry getting updates from the Java organization (Java 7, vzz) to hopefully improve security in the plugin.

Unfortunately hope and reality are currently different. There are two new critical vulnerabilities being exploited in Java 7 that they say are not Java 6 issues.

What I don't need now is for Apple to send me another update for the Java Plugin that once again disables it.

Apple has not explained what happens to those of us whom are already at Java 7, vzz and getting updates from the Java organization. Is this a harmless update?

Your previous plug-in was disabled by the XProtect system, not a Java update. I thought it was a mistake then to not provide Lion / Mountain Lion users with the available Java 6 update and apparently many users who relied on it for a living let them know about it, as well. I believe that is the primary reason this update is being offered along with the fact that it was an update they already had in developer testing when the emergency patch came out.

As far as I know, this update will not interfer with your current setup and will allow you to switch between Java 6 and Java 7 should that ever be necessary. Instructions for doing so have been updated http://support.apple.com/kb/ht5559. All users I've dealt with, save one, either had no problem at all after installing the update or were able to get where they wanted to be using those instructions. One user managed to disable both plug-ins and the site they were trying to reach was having problems as well, which complicated their life.

I am still recommending that everybody who has Java SE 6 installed run the update in order to have the safest possible Java environment available today so that if they ever needed to revert to it in the future (hopefully for a limited period of time) it would be there and work for them. If it were easy to remove and re-install, if necessary, without damage to the OS, my advise would be different.

OK. I ran the update on my Mac Pro.

Pleased to say that Java Plugin Version 7, Update 15, the current update to Java Plugin from Java.com as of 02/27/2013, seems to still be working. The version code for this is 1.7.0.15.

Hopefully it just uninstalled the old Java Plugin version 6 that Apple previously was providing.

MacMacs0:

Thanks for your comments.

I read about the recent Java 7 plugin issues in softpedia at:

http://news.softpedia.com/news/Zero-Day-Vulnerability-Affecting-Java-7-Update-15 -and-Earlier-Versions-Identified-332157.shtml

I am still stuck using a Java Plugin for work.

I took and updated my Intego Virus barrier software today as well to their latest products introduced this year.

This included a Malware Update on 02/26.

Hopefully that will help detect something if things go really wrong.

PJ\'sPal wrote:

OK. I ran the update on my Mac Pro.

Pleased to say that Java Plugin Version 7, Update 15, the current update to Java Plugin from Java.com as of 02/27/2013, seems to still be working. The version code for this is 1.7.0.15.

Great, thanks for the feedback.

Hopefully it just uninstalled the old Java Plugin version 6 that Apple previously was providing.

No, it's still tucked away in case it's needed.

If you look in /Library/Internet Plug-Ins/ what you see looks like an alias named "JavaAppletPlugin.plugin". It's technically called a symlink and points to the Java SE 7 plug-in. Should you ever need to revert to the Java SE 6 plug-in, all that needs to be done is replace the current symlink with one pointing to that Java 6 version following the instructions I mentioned above.

PJ\'sPal wrote:

I am still stuck using a Java Plugin for work.

Understand, and you are not alone. Just be sure to uncheck the Enable Java box when you leave the work site and you should be fine.

I read about the recent Java 7 plugin issues in softpedia

The only thing I can add to that article is that I read yesterday that there may be exploits of this vulnerability in the wild.

Here's a SANS article on the subject.

--New Java Vulnerabilities

(February 25, 2013)

A pair of newly detected flaws in Oracle's Java could be exploited to allow attackers to bypass the browser plug-in's sandbox security feature. The vulnerabilities affect the most recent Java update, Java 7 Update 15, which was released on February 19. Java 6 is not affected. Experts are advising users to disable or even uninstall Java. There are also reports that an exploit for Java 7 Update 11 has been detected in the wild. Java 7 Update 13 was released on February 1.

http://arstechnica.com/security/2013/02/javas-latest-security-problems-new-flaw- identified-old-one-attacked/

http://www.computerworld.com/s/article/9237124/Researcher_unearths_two_new_Java_ zero_day_bugs?taxonomyId=17

I took and updated my Intego Virus barrier software today as well to their latest products introduced this year.

This included a Malware Update on 02/26.

Hopefully that will help detect something if things go really wrong.

It should be noted that as far as I know, none of the Mac A-V products have recognized any of the Zero-Day Java malware when it first showed up. That's why most cybersecurity experts, including Homeland Security's CERT organization recommend disabling it in your browser except when visiting trusted sites.

Of course nbc.com is trusted by most people and it was distributing Trojan malware for 24 hours late last week, before they knew about it. I don't believe it involved Java or OS X, however.

--NBC Acknowledges Site Was Serving Up Malware (February 21 & 22, 2013)

NBC has acknowledged that its NBC<dot>com website, along with websites for several of the network's programs, was serving malware for several hours on Thursday, February 21. The malware is used to steal online banking information. NBC said that user data were not compromised. The malware that infected the computers is known as Citadel.

Internet Storm Center: https://isc.sans.edu/diary/NBC+site+redirecting+to+Exploit+kit/15223

also see: https://isc.sans.edu/diary/When+web+sites+go+bad%3A+bible+.+org+compromise/15250

http://www.h-online.com/security/news/item/NBC-com-hacked-and-served-up-malware- 1808273.html

http://www.computerworld.com/s/article/9237044/NBC.com_hacked_to_serve_up_bankin g_malware?taxonomyId=17

http://www.theregister.co.uk/2013/02/22/nbc_hack/

http://money.cnn.com/2013/02/22/technology/security/nbc-com-hacked-malware/index .html

Message was edited by: MadMacs0