Java 7 Security Vulnerability Discovered, Here’s How To Protect Yourself
A new potentially dangerous Java security vulnerability has been discovered that could allow malicious code to run on a Java-enabled computer, be it a Mac or Windows PC. Most Mac users will be safe from the vulnerability because OS X Mountain Lion does not include Java by default, and OS X Lion includes an older version of Java that is not vulnerable to the exploit. That said, if you have recently updated Java or installed it manually in OS X Mountain Lion, you’ll want to double-check which version you have. Yes, Oracle will release an update to resolve the issue, but for the time being take a few basic steps to protect yourself by disabling Java either system-wide or in your web browser of choice.
- Java SE 7 (1.7) is vulnerable
- Java SE 6 (1.6) or lower is safe
Here is exactly how to check if you are vulnerable, plus how to disable Java and protect yourself.
Check Which Version of Java is Installed (If Any)
There are two easy ways to determine which version of Java is installed in OS X: one uses the GUI and the other uses the command line.
Check Version of Java Installed Using Java Preferences
- Open the Applications folder and then open Utilities
- Double-click on “Java Preferences”
- Find the Java version under Name and Version, e.g. Java SE 6
If you don’t have Java Preferences installed, that means you don’t have Java installed either, which indicates you are safe. If you see “Java SE 6” you are also safe; if you see “Java SE 7” you need to act.
Check Version of Java Installed Using Terminal
- Launch Terminal, found in /Applications/Utilities/
- Type the following command exactly
- If you see java version “1.7” you need to act; if you see java version “1.6” or lower, you are safe
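The Terminal check above, as an added example script (not from the original article): it reads the `java -version` banner, which Java prints on stderr, and applies the article's 1.6/1.7 rule. The function names are illustrative, and treating 1.7 update 7 or later as fixed is an assumption based on the fix release mentioned in the update and reader comments on this page.

```shell
#!/bin/sh
# Added example, not from the article. Rule applied: 1.6 or lower = safe,
# 1.7 = act. Assumption: 1.7 update 7 or later carries Oracle's fix.

# classify_java BANNER -> safe | vulnerable | patched | unknown
classify_java() {
    # Extract the quoted version: java version "1.7.0_06" -> 1.7.0_06
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Only the 1.x numbering scheme is covered by the article's rule
    case "$major.$minor" in
        1.[0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # Update number follows the underscore; none means update 0
    case "$ver" in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
    esac
    # Drop suffixes such as "-b24" and leading zeros ("06" -> 6)
    update=$(printf '%s' "$update" | sed 's/[^0-9].*//; s/^0*//')
    update=${update:-0}
    if [ "$minor" -le 6 ]; then
        echo "safe"
    elif [ "$minor" -eq 7 ] && [ "$update" -lt 7 ]; then
        echo "vulnerable"
    elif [ "$minor" -eq 7 ]; then
        echo "patched"
    else
        echo "unknown"
    fi
}

# check_installed_java -> not-installed, or the classification above
check_installed_java() {
    command -v java >/dev/null 2>&1 || { echo "not-installed"; return 0; }
    # The banner goes to stderr, so merge it into stdout before capturing
    classify_java "$(java -version 2>&1)"
}

# Constructed sample banners, then the machine this runs on
for b in 'java version "1.6.0_33"' 'java version "1.7.0_06"' 'java version "1.7.0_07"'; do
    printf '%s -> %s\n' "$b" "$(classify_java "$b")"
done
printf 'installed -> %s\n' "$(check_installed_java)"
```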
Protecting Yourself: Disable Java System-Wide in Mac OS X
You may recall that disabling Java was the number one tip we suggested when protecting a Mac against viruses and trojans. That’s because the majority of security problems that have affected Macs lately come from Java. If you haven’t done that yet, here’s how to do it now:
- Open “Java Preferences” from /Applications/Utilities/
- Uncheck “Enable applet plug-in and Web Start applications”
- Uncheck “ON” next to Java SE
Disable Java Per Web Browser in OS X
If you don’t want to disable Java everywhere because you need it for something like Eclipse or Minecraft, disable it on the web browser you use instead.
Disable Java in Safari
- Pull down the Safari menu and select “Preferences”
- Click the “Security” tab and uncheck the box next to “Enable Java”
Disable Java in Chrome
- Type “chrome://plugins/” into the URL bar, locate Java and click disable
Disable Java in Firefox
- Open Firefox Preferences and under the “General” tab click “Manage Add-ons…”
- Select “Plugins” and find Java (and/or Java Applet), click the Disable button
These are the recommended steps to take to protect yourself, and though they’re geared towards Mac OS X, you should find that disabling Java in web browsers works the same way in Windows too.
We’ll post an update when an updated version of Java is released that addresses the security issue.
Thanks to @dannygoesrah for the reminder, don’t forget to follow us on Twitter too!
Update: Oracle has released a fix for the Java SE 7 vulnerability; you can get it directly from Oracle here.
Note that if you installed the Java Runtime Environment via the terminal (by typing “java -version”) you get version 1.6.0_33 from Apple. None of the 1.6.0_xx versions are vulnerable to CVE-2012-4681.
You would have had to go download the Oracle JDK version 1.7 and install it manually (versions 0 through 6 are affected; http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html).
1.7u7 is already out (http://www.oracle.com/technetwork/java/javase/downloads/jdk7u7-downloads-1836413.html).
In Safari, you can click Preferences, and then the Security tab (uncheck “Enable Java”).
But yeah if you don’t need it, don’t bother installing Java. Same with Flash. They are historically broken.
> “that’s because the majority of security problems that have effected Macs lately come from Java.”
The word you’re looking for is “affected.”
Other than that, great article.
Oh, no! I’m scared! :'(
On a serious note this may spell the end of Java and Flash on the desktop. People just had enough of this.
All browsers are affected including Chrome. I believe this exploit escapes sandbox.
Since installing M.L. I haven’t had a need for Java. What is it used for these days?
Brazilian banks still require Java Applets for, guess what, security. I want to bash my head against the wall every time I see this.
Adobe CS also requires you to have Java.
Is it safer to use Google Chrome than another web browser?
Thinking about that GC puts itself in a sandbox environment.