Java security threats: What you need to know

By Rich Mogull, Macworld | Security, Java, Mac

At this time, Oracle (which inherited Java when it acquired Sun Microsystems) has not commented on the exploits, although we now know that the company has known about the vulnerabilities since April and was planning to release a patch in its October update. Only time will tell whether the company will break its quarterly patch cycle and release an emergency update sooner. (My money is on an early release.)

In summary, we have at least two exploitable vulnerabilities affecting anything running the latest version of Java; both are being used in active attacks, and one is bundled with one of the most popular bad-guy toolkits on the market (BlackHole) and with a very popular (and free) security testing tool. You can't patch either one.

It's the very definition of "bad".

Why most Mac users aren't at risk

All that said, there are two reasons why Macs are less at risk than machines on other platforms, even though they are easy to exploit if the right conditions are in place.

The first, and most important, reason is that relatively few Macs are running the vulnerable version of Java. Any operating system running JRE 1.7 is affected, but the attack doesn't work against JRE 1.6. That last one is the version that Mac users have installed (assuming they use Java at all).

The only way to update from Java 6 (1.6), the last version supported by Apple, to Java 7 is to manually download and install it from Oracle. And apparently few Mac users have done so: for example, according to a representative of Crashplan, the online backup service that uses Java for its client app, none of that company's users (who must have Java installed) are using the vulnerable version.

The second reason you don't have to worry, even if you do have Java 7 installed, is that Apple by default disabled Java applet support in Web browsers in its most recent Java security update. Starting with OS X 10.7 Lion, Java isn't installed by default anyway. And even if you do turn on Java, OS X will turn it off again if you don't use it for a while.

Many users do install Java for websites or applications (like Crashplan) that require it. But, again, even if you did install Java, the odds are very, very good that you aren't running a vulnerable version.

What you should do

There are two simple ways to check whether you're vulnerable to this latest threat.
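One way to find out which Java version a machine is running, from a Terminal, as an added example that is not part of the original article: the function below parses the banner that `java -version` prints and applies the article's rule (JRE 1.7 is affected, JRE 1.6 is not). The two sample banners are constructed for the dry run rather than captured from a real machine, and the function names and the `affected`/`not-affected` labels are this example's own, not anything from Apple or Oracle.

```shell
#!/bin/sh
# Added example (not from the Macworld article). Classifies a `java -version`
# banner according to the article's statement that JRE 1.7 is affected by the
# exploits and JRE 1.6 is not. Sample banners below are constructed, not real.

# classify_java_banner BANNER
#   Prints "affected" for a 1.7.x runtime, "not-affected" for 1.6.x,
#   and "unknown" for anything it cannot parse.
classify_java_banner() {
    # The first banner line looks like:  java version "1.7.0_06"
    # (OpenJDK prints "openjdk version ..."; the same pattern covers it.)
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.7|1.7.*) echo affected ;;
        1.6|1.6.*) echo not-affected ;;
        *)         echo unknown ;;
    esac
}

# check_installed_java
#   Classifies the `java` found on PATH, or prints "none" if there is no
#   Java on this machine at all (which, per the article, is the common
#   case on a fresh Lion or later install).
check_installed_java() {
    if command -v java >/dev/null 2>&1; then
        classify_java_banner "$(java -version 2>&1)"
    else
        echo none
    fi
}

# Constructed sample banners for a dry run (hypothetical build strings).
SAMPLE_JAVA7='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_JAVA6='java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10)'

printf 'sample Java 7 banner: %s\n' "$(classify_java_banner "$SAMPLE_JAVA7")"
printf 'sample Java 6 banner: %s\n' "$(classify_java_banner "$SAMPLE_JAVA6")"
printf 'java on this machine: %s\n' "$(check_installed_java)"
```

Run it as `sh check-java.sh`; the last line is the one that matters on your own Mac. Note that this only inspects the `java` binary on the command-line PATH, so it tells you which runtime is installed, not whether the browser applet plug-in is enabled; that second setting is the one Apple's update turns off and the Java Preferences panel controls.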

(Figure: This is what you want your Java Preferences to look like.)


Originally published on Macworld.