OS and Software > All Things Macintosh > [Security] Mac Security: New Java Driveby Appears, Protect Yours

[Security] Mac Security: New Java Driveby Appears, Protect Yours

Re: [Security] Mac Security: New Java Driveby Appears, Protect Y

If it's a true exploit it can elevate itself.

Just look at how hard IE gets raped on "limited" accounts if you follow any security forums.

reply to daveinpoway
Don't you actually have to go to Oracle to get Java 1.7?

If you go to a page that needs Java and OS X prompts for the DL and everything, it's 2012-004 which is 1.6.0.33 isn't it, not the 1.7.0.6 that you get from Oracle.

So very few OS X users would have 1.7 installed (and this exploit only works with 1.7).

reply to Mike

I'm not a programmer.

Was mac defender a pure drive-by? Did that hit Standard accounts too?

Mac Defender was user installed malware. Users were tricked into thinking it was valid security software, would download it and install it. It required user intervention and user credentials to install.

reply to daveinpoway
»www.theregister.co.uk/2012/08/27···exploit/

quote:

---

In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

---

reply to Mike

reply to howardfine

reply to daveinpoway
Been patched

»www.oracle.com/technetwork/java/···363.html

reply to daveinpoway
On behalf of the lurkers and other folk that may not understand all the implications, may I ask a few questions...

If I disable or remove Java, will [ all, most, many, some or only few ] ... web sites not work properly?
Without disabling Java, how do I know if a web site needs Java?
Is it easy to disable/enable or do I need to uninstall? If so, how?
Is this something that I can turn it off for most sites, but turn back on for the few sites that require it?
What type of sites typically require Java? (video? banking? games? adult? etc.)
Can I disable it for one user account and enable it for another?
Will this correcting update show up with Software Update... (pre-ML) or App Store/Updates (post ML), or will I need to go to Java/Oracle's site to get the update?
I'm very confused with the various products at Java's site...what is the product that the average user would need (assuming they need it for sites that they must visit).

Thanks!

I'm not a programmer but it seems the difference to note is understanding the difference between java and javascript. Logic says that javascript is just a subset of Java but it isn't. While sharing the same name they're about as similar as toy and Toyota. They're completely different animals.

Java is the biggie, a runtime that allows a java program to run like any other program on the system. You can sort of think of the Java runtime as a mini-operating system able to run Java programs. This can make Java very powerful but also is significant security risk. If Java is enabled in the browser, I think it can allow a stand alone execution of a java program that can get "out of the browser" via the runtime....I think. Basically a vulnerability in the runtime is the hole a hostile java program uses to get control of the system.

This is different than javascript which can only run within the browser which these days is typically sandboxed so anything running IN the browser can't get OUT of the browser. There is no access to the system, no bridge between the browser and system like the one created by Java runtime.

Javascript is a powerful scripting language and used for a lot of small features within websites like menus or popup features. Disabling javascript can and for me greatly degrades website functionality. Meanwhile, Java, can usually be disabled with no reduced functionality of web browsing. Some "applets" won't function like the DSLR speed test that is written using Java but those are getting rarer these days. Recently those Java type applets are now written in Adobe Flash (like the speedtest.net speed tests or the newer DSLR Flash speed test).

So for me, I disabled Java in the browser but do run javascript with no impact on my browsing.

In general, browsers these days are VERY secure. It seems it is always these 3rd party add ons that are the vectors for attack, Oracle Java (not Netscape javascript), Adobe PDF, Adobe Flash, Apple Quicktime, etc.

reply to haroldo
If I disable or remove Java, will [ all, most, many, some or only few ] ... web sites not work properly?

I don't even have Java on my Mac, never had a problem. On my other Macs I have it disabled. The only site to give me a problem was this site trying to do a tweak test.

Something like Photoshop now requires Java. So some people are SOL.

It does? While I have Java runtime 1.6 installed it's disabled in the java panel (term reports no java to invoke) and PS CS6 runs fine. But I don't have any 3rd part PS add ons just the add ons included with CS6.

OS X 10.7 and 10.8 will prompt you to install Java JRE when you launch PS 5.5 or PS 6.

I did it two times yesterday on two different machines.

No part of CS6 has JRE dependency including the installers. It's a "bug" in Lion and the workaround from Adobe at this time is to let it install. JRE can be disabled after install and CS6 apps will launch fine. An active JRE is not required for CS6 on the Mac.