Discussion:
Homeland Security: Disable Java
Alan Browne
2013-01-12 17:46:47 UTC
http://www.chicagotribune.com/business/technology/chi-homeland-security-urges-computer-users-to-disable-java-20130111,0,5686660.story

Latest Java "flaw": http://www.kb.cert.org/vuls/id/625617
--
"There were, unfortunately, no great principles on which parties
were divided – politics became a mere struggle for office."
-Sir John A. Macdonald
Patty Winter
2013-01-12 18:16:08 UTC
I did disable Java on my Macs some time ago, but out of curiosity,
have there been any exploits that have taken control of Macs? Is
the danger just from executables (which I imagine are always .exe
files), or is even just access to a browser dangerous?


Patty
Lewis
2013-01-13 04:58:44 UTC
Post by Patty Winter
I did disable Java on my Macs some time ago, but out of curiosity,
have there been any exploits that have taken control of Macs? Is
the danger just from executables (which I imagine are always .exe
files), or is even just access to a browser dangerous?
Browser access to Java is dangerous, period. There is no protection.

*NO* *ONE* should be running Java in the browser as it is impossible to
secure. People should only be running trusted java code on their
computer, and even there, think twice.

I run Serviio 1.0.1 on one machine. I would drop it for Plex, but Plex's
DLNA server is utter crap.
--
They were the observers of the operation of the universe, its clerks,
its auditors. They saw to it that things spun and rocks fell. And they
believed that for a thing to exist it had to have a position in time and
space. Humanity had arrived as a nasty shock. Humanity practically was
things that didn't have a position in time and space, such as
imagination, pity, hope, history and belief. Take those away and all you
had was an ape that fell out of trees a lot. --The Thief of Time
JF Mezei
2013-01-13 06:35:34 UTC
Post by Lewis
I run Serviio 1.0.1 on one machine. I would drop it for Plex, but Plex's
DLNA server is utter crap.
I use isadora for DLNA server.


As far as Java, it is quite rare that I have to enable it on the
browser, but those times are on legit sites (NASA or some speedtest etc).
Lewis
2013-01-13 14:14:30 UTC
Post by JF Mezei
Post by Lewis
I run Serviio 1.0.1 on one machine. I would drop it for Plex, but Plex's
DLNA server is utter crap.
I use isadora for DLNA server.
Is it worth $25? Serviio works very well, and is free.
--
What if there were no hypothetical questions?
Wes Groleau
2013-01-13 09:06:17 UTC
*NO* *ONE* should be running Java in the browser as it is impossible to
secure. People should only be running trusted java code on their
computer, and even there, think twice.
First sentence: It wasn't always. I can remember when I had a list of
things I could allow or deny Java rights to, independently of each
other. (And nobody with any sense would have ever allowed any of them.)

Second: True but a little misleading. Running Java code outside of the
browser is no more dangerous than running C or Smalltalk or Ada outside
of a browser. (OK, so there is a slight difference between Ada and the
most error-prone language ever, but whether you trust the source is the
main thing)
--
Wes Groleau

"What progress we are making! In the Middle Ages, they would have
burnt me; nowadays they are content with burning my books."
— Sigmund Freud, 1933
"He was never to know that even that was only an illusory progress,
that ten years later they would have burned his body as well."
— Ernest Jones, 1953
Michelle Steiner
2013-01-12 18:32:49 UTC
Post by Alan Browne
http://www.chicagotribune.com/business/technology/chi-homeland-security-urges-computer-users-to-disable-java-20130111,0,5686660.story
Latest Java "flaw": http://www.kb.cert.org/vuls/id/625617
<http://appleinsider.com/articles/13/01/11/zero-day-flaw-prompts-apple-to-block-java-7-from-os-x>

Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware
system, in order to protect users from a potentially serious security issue.

Apple's updated security measures block Java 7 in OS X. Screenshot via
MacRumors.

The newly discovered zero-day flaw in Java 7 is so serious that the U.S.
Department of Homeland Security has warned users to disable or uninstall it.

"We are currently unaware of a practical solution to this problem," the
department's Computer Emergency Readiness Team said. "This vulnerability is
being attacked in the wild, and is reported to be incorporated into exploit
kits. Exploit code for this vulnerability is also available."

But Apple has already taken measures to protect OS X users by quietly
disabling the Java 7 plug-in, according to MacRumors. This was accomplished
by updating the OS X "Xprotect.plist" file to require users to have
installed an unreleased version of Java, "1.7.0_10-b19."

Last year, Apple stopped building its own in-house Java updates, handing
responsibility over to Oracle. The company also dropped Java from the
default installation of OS X 10.7 Lion in 2010.

Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
--
The 2012 elections are over; let the 2016 campaigning begin!
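
The minimum-version block that the article quoted above describes, sketched as an added example (not part of the original post and not Apple's code). The plist layout, key name and plug-in identifier are assumptions made for illustration, and the installed version strings are constructed samples; only the "1.7.0_10-b19" floor comes from the article.

```python
import plistlib
import re

# Assumed identifier for the Java 7 browser plug-in (illustrative).
JAVA_PLUGIN = "com.oracle.java.JavaAppletPlugin"

# Constructed stand-in for a minimum-version policy file. The key name
# "PluginMinimumVersions" and this layout are assumptions for illustration,
# not the real schema of Apple's Xprotect.plist.
POLICY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PluginMinimumVersions</key>
  <dict>
    <key>com.oracle.java.JavaAppletPlugin</key>
    <string>1.7.0_10-b19</string>
  </dict>
</dict>
</plist>
"""

# Java version strings look like 1.7.0, 1.7.0_10 or 1.7.0_10-b19.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"   # family, e.g. 1.7.0
    r"(?:_(\d+))?"            # optional update number, e.g. _10
    r"(?:-b(\d+))?$"          # optional build number, e.g. -b19
)


def parse_java_version(text):
    """Return (major, minor, micro, update, build) as integers.

    Missing update/build parts count as 0, so "1.7.0" sorts below
    "1.7.0_10-b19".
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("unrecognised Java version: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def load_policy(plist_bytes):
    """Map each plug-in identifier to its parsed minimum version."""
    data = plistlib.loads(plist_bytes)
    return {
        bundle_id: parse_java_version(minimum)
        for bundle_id, minimum in data["PluginMinimumVersions"].items()
    }


def is_blocked(policy, bundle_id, installed_version):
    """True if the installed plug-in is below the required minimum."""
    minimum = policy.get(bundle_id)
    if minimum is None:
        return False  # no rule for this plug-in
    try:
        installed = parse_java_version(installed_version)
    except ValueError:
        return True   # fail closed on a version that cannot be parsed
    return installed < minimum


def naive_is_blocked(minimum_text, installed_text):
    """Plain string comparison, shown only to expose its failure mode."""
    return installed_text < minimum_text


if __name__ == "__main__":
    policy = load_policy(POLICY_PLIST)
    # Constructed sample versions; the last one stands for a later fix.
    for version in ("1.7.0_9-b05", "1.7.0_10-b18", "1.7.0_11-b21"):
        print(version, "blocked" if is_blocked(policy, JAVA_PLUGIN, version)
              else "allowed")
```

Because the floor is a build that had not shipped, every installed Java 7 plug-in falls below it and is blocked until a newer build appears. A plain string comparison would rank "1.7.0_9" above "1.7.0_10" and let it through, which is why the check compares parsed integers.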
gtr
2013-01-12 19:03:24 UTC
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
Jolly Roger
2013-01-13 00:06:30 UTC
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
Browser-based software that uses Java.
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
gtr
2013-01-13 06:56:15 UTC
Post by Jolly Roger
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
Browser-based software that uses Java.
I meant expose the presence of Flashback to me.
David Empson
2013-01-13 08:51:24 UTC
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000
Macs worldwide last year, before Oracle and Apple released Java
patches to remove the malware.
What software could one run to expose this infection?
Browser-based software that uses Java.
I meant expose the presence of Flashback to me.
Do you mean how you can detect if you have already been infected by
Flashback?

If you have an Intel Mac running Mac OS X 10.5 or later, updated to the
latest minor version (i.e. 10.5.8, 10.6.8, 10.7.5 or 10.8.2) and have
all security updates installed, the system detects known variants of
Flashback and would have told you if you were infected, and removed the
infection.

Intel Macs running 10.5 or later but not updated to the latest minor
version and security updates are vulnerable without any warning unless
you are running up-to-date antivirus software.

Intel Macs running 10.5 might also be vulnerable to new variants of
Flashback which Apple's detector doesn't recognise. Disabling the Java
plugin in your web browser is strongly recommended.

PowerPC Macs running 10.5.x are theoretically vulnerable to Flashback
but were not affected because the payload was implemented as Intel-only
code which didn't run on PowerPC systems. In principle, the malware
developers could also affect PowerPC Macs by writing the payload as
universal code (or detecting the platform and delivering a
PowerPC-specific payload instead of an Intel-specific payload). The only
protection against this potential vulnerability is to disable Java in
your web browser and/or run up-to-date antivirus software. Apple's
Flashback protection security updates for 10.5 were only released for
Intel Macs.

Intel and PowerPC Macs running 10.4.x (or PowerPC Macs running 10.3.x or
earlier) are not vulnerable to last year's widespread version of
Flashback, because it relied on a later Java version which was never
released for 10.4.x.

This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.

There is a somewhat confused story as to which Java versions are
vulnerable to this new problem. Oracle has said they are working on a
fix, and claim that only Java 1.7 was vulnerable.

<http://www.reuters.com/article/2013/01/13/us-usa-java-security-idUSBRE90B0EX20130113>

On the other hand, according to vulnerability tracking sites like
US-CERT, Java 1.4.2 and later are vulnerable.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

If US-CERT is right, then in principle Mac OS X 10.3 and later could be
affected by this vulnerability in Java.

We don't know if anyone has tested Java 1.4.1 or earlier: in principle
those versions might also be vulnerable, in which case even older
versions of Mac OS X might be at risk.

To be sure you cannot be infected, disable the Java plugin in your web
browser.

This won't help if you are already infected.
--
David Empson
***@actrix.gen.nz
JF Mezei
2013-01-13 09:10:05 UTC
Post by David Empson
PowerPC Macs running 10.5.x are theoretically vulnerable to Flashback
but were not affected because the payload was implemented as Intel-only
code which didn't run on PowerPC systems.
Wouldn't java apps distributed over internet be built with java byte
code that is platform independent ?

Or are you talking about the bug only happening on intel based java run
time environment ?
David Empson
2013-01-13 09:39:42 UTC
Post by JF Mezei
Post by David Empson
PowerPC Macs running 10.5.x are theoretically vulnerable to Flashback
but were not affected because the payload was implemented as Intel-only
code which didn't run on PowerPC systems.
Wouldn't java apps distributed over internet be built with java byte
code that is platform independent ?
Flashback used a two stage infection mechanism.

The initial stage was a Java applet, which was run in your web browser
simply by visiting a compromised or malicious web site, or any site
which fetched ads from elsewhere if the miscreants managed to compromise
the ad server. (You were only vulnerable if you had the Java plugin
enabled: if not, the Java code never got executed.)

Once the vulnerability was exploited to get out of the Java sandbox, the
Java code downloaded a native code component and installed it in a way
which allowed it to run automatically, then it invoked that part.

After the native code component was running, the Java code was not
needed any more.

Subsequently the native code component made contact with command &
control servers to receive instructions, download new pieces of code
and/or upload information grabbed from the computer.
Post by JF Mezei
Or are you talking about the bug only happening on intel based java run
time environment ?
No. Java on PowerPC Macs (at least in 10.5) had (and still has) the same
vulnerability, and if an infected web site was visited, the same
sequence was used. The only reason nothing else happened is that the
downloaded code was Intel native and couldn't run on a PowerPC Mac.

I expect the only reason PowerPC Macs haven't been infected (as far as
we know) is that none of the malware authors have bothered or care about
going to the trouble of targeting older Macs, which represent a small
proportion of the already small proportion of Macs compared to all
potential targets (Windows + Macs + Linux).
--
David Empson
***@actrix.gen.nz
JF Mezei
2013-01-13 11:07:06 UTC
Post by David Empson
Flashback used a two stage infection mechanism.
Thanks. So the Java portion was platform independent but resulted in the
download of non java platform dependent executable application.

Does Firefox, running on an account with "admin" group have the ability
to deposit files in system directories without user entering admin
password ?

I take it Safari would have the same behaviour in terms of where it can
create files ?
David Empson
2013-01-13 13:31:37 UTC
Post by JF Mezei
Post by David Empson
Flashback used a two stage infection mechanism.
Thanks. So the Java portion was platform independent but resulted in the
download of non java platform dependent executable application.
Does Firefox, running on an account with "admin" group have the ability
to deposit files in system directories without user entering admin
password ?
I take it Safari would have the same behaviour in terms of where it can
create files ?
In either case it would have been the Java applet having escaped the
Java sandbox that was able to create and modify files anywhere it liked,
not the browser creating files on behalf of the Java applet.

The host browser is mostly irrelevant, unless it implements its own
sandbox around applets and the Java malware was unable to escape from
that sandbox as well as Java's built-in sandbox.
--
David Empson
***@actrix.gen.nz
JF Mezei
2013-01-13 19:48:27 UTC
Post by David Empson
In either case it would have been the Java applet having escaped the
Java sandbox that was able to create and modify files anywhere it liked,
not the browser creating files on behalf of the Java applet.
But does the Java or Browser environment operate within operating system
user privileges, or do they elevate privs to admin and gain the ability
to write anywhere on system ?
David Empson
2013-01-13 21:19:07 UTC
Post by JF Mezei
Post by David Empson
In either case it would have been the Java applet having escaped the
Java sandbox that was able to create and modify files anywhere it liked,
not the browser creating files on behalf of the Java applet.
But does the Java or Browser environment operate within operating system
user privileges, or do they elevate privs to admin and gain the ability
to write anywhere on system ?
From memory, I think at least one variant of the Flashback downloaded
code prompted for administration privileges: if you entered your
password, it wrote the persistent payload in a system-wide location, so
it would be active for any user account. If you didn't enter your
password, it wrote the payload in a user-specific location so only that
user account was affected.

In general terms I think it would be difficult for a Java-based exploit
to gain root privileges without obtaining authorisation from the user,
unless it was able to invoke another known security hole in some other
system component.
--
David Empson
***@actrix.gen.nz
Paul Sture
2013-01-13 22:09:24 UTC
Post by JF Mezei
Post by David Empson
Flashback used a two stage infection mechanism.
Thanks. So the Java portion was platform independent but resulted in the
download of non java platform dependent executable application.
Does Firefox, running on an account with "admin" group have the ability
to deposit files in system directories without user entering admin
password ?
I take it Safari would have the same behaviour in terms of where it can
create files ?
IIRC Flashback took a different path if it found it was running in an
admin account. That alone is enough to tell me to use a non-admin
account for general browsing and email work.
--
Paul Sture
Paul Sture
2013-01-13 22:05:25 UTC
Post by David Empson
Flashback used a two stage infection mechanism.
The initial stage was a Java applet, which was run in your web browser
simply by visiting a compromised or malicious web site, or any site
which fetched ads from elsewhere if the miscreants managed to compromise
the ad server. (You were only vulnerable if you had the Java plugin
enabled: if not, the Java code never got executed.)
One web site I regularly use has suffered from compromised ad servers
several times in the last three years. This usually happens in the dead
of night when nobody is around to notice. I don't know if this is a
deliberate tactic used by the perpetrators or simply reflects the time
zone they work in.

Since those compromises started happening I only visit that particular
site from Firefox using the NoScript and Adblock Plus add-ons. When I
was using a corporate Windows PC to access that site I made sure I
closed the browsers down before I left the office.
--
Paul Sture
gtr
2013-01-13 16:39:24 UTC
On 2013-01-13 08:51:24 +0000, David Empson said:

Man thanks for the avalanche of information.
Post by David Empson
This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Jolly Roger
2013-01-13 17:45:24 UTC
Post by gtr
Man thanks for the avalanche of information.
Post by David Empson
This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
gtr
2013-01-13 19:42:36 UTC
Post by Jolly Roger
Post by gtr
Man thanks for the avalanche of information.
Post by David Empson
This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.

I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Jolly Roger
2013-01-13 20:53:19 UTC
Post by gtr
Post by Jolly Roger
Post by gtr
Man thanks for the avalanche of information.
Post by David Empson
This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
gtr
2013-01-14 01:53:35 UTC
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
I guess I didn't make myself clear: Google, well known to be all things
to all people, doesn't give me what I want.
Jolly Roger
2013-01-14 02:02:23 UTC
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
I guess I didn't make myself clear: Google, well known to be all things
to all people, doesn't give me what I want.
You asked for a program you could run to find out if you have Flashback.
The very first Google hit for "mac detect flashback" gives you a couple
alternatives:

<>

That's just the first hit. Subsequent hits (many of them) have similar
information in them. Hard to imagine you couldn't find what you needed...
Jolly Roger
2013-01-14 02:07:33 UTC
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
I guess I didn't make myself clear: Google, well known to be all things
to all people, doesn't give me what I want.
You asked for a program you could run to find out if you have Flashback.
The very first Google hit for "mac detect flashback" gives you a couple
<>
That's just the first hit. Subsequent hits (many of them) have similar
information in them. Hard to imagine you couldn't find what you needed...
Whoops:

<http://osxdaily.com/2012/04/09/detect-flashback-malware-easy-mac-os-x/>
gtr
2013-01-14 03:07:33 UTC
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
I guess I didn't make myself clear: Google, well known to be all things
to all people, doesn't give me what I want.
You asked for a program you could run to find out if you have Flashback.
The very first Google hit for "mac detect flashback" gives you a couple
<>
That's just the first hit.
Not that edifying as presented.
Post by Jolly Roger
Subsequent hits (many of them) have similar information in them. Hard
to imagine you couldn't find what you needed...
Okay then: I lied, I'm stupid, I'm lazy or I'm a leecher. Pick one,
pick three. If there's something else you need, please let me know.
Jolly Roger
2013-01-14 18:00:07 UTC
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Post by gtr
Post by Jolly Roger
Have you tried searching Google or similar for phrases like "Mac detect
Flashback"? ; )
Yes, and find a lot of people marketing a lot of stuff that google can
find for me. I find more valid the information from people on usenet,
yourself included, that can answer direct questions rather than giving
me 500 articles that may or may not be of any value.
I've also tried to hammer a nail with a screwdriver, and loosen a screw
with my thumbnail and find these are not the best choice of tools.
Well I could transcribe what is on the net here for you, but I don't
feel like it.
I guess I didn't make myself clear: Google, well known to be all things
to all people, doesn't give me what I want.
You asked for a program you could run to find out if you have Flashback.
The very first Google hit for "mac detect flashback" gives you a couple
<>
That's just the first hit.
Not that edifying as presented.
Post by Jolly Roger
Subsequent hits (many of them) have similar information in them. Hard
to imagine you couldn't find what you needed...
Okay then: I lied, I'm stupid, I'm lazy or I'm a leecher. Pick one,
pick three. If there's something else you need, please let me know.
Dude. All I'm saying is, Google.
David Empson
2013-01-13 21:19:09 UTC
Post by gtr
Man thanks for the avalanche of information.
Post by David Empson
This latest Java exploit is likely to target Intel Macs. I don't know at
this stage whether they have come up with a new infection mechanism
which gets around existing Flashback detection code. PowerPC Macs might
be immune simply because nobody has bothered to write a PowerPC payload
yet.
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Of course there are. Run Clam XAV, or Sophos AntiVirus for Mac Home
Edition (both free) or any of the paid anti-virus packages, as long as
they are compatible with your OS X version. If you are running an older
version of OS X, you may not have any options because none of the up to
date anti-virus packages support your OS X version.

If you are mostly concerned about FlashBack and you have an Intel Mac,
then you should be running Snow Leopard or later, with all OS X updates
installed.

If you have a PowerPC Mac, you will have to rely on your wits and/or
third party anti-virus software.
--
David Empson
***@actrix.gen.nz
gtr
2013-01-14 01:54:54 UTC
Post by David Empson
Post by gtr
In any case, no program one can run to find out if there are
viruses/infections/vulnerabilities?
Of course there are. Run Clam XAV, or Sophos AntiVirus for Mac Home
Edition (both free) or any of the paid anti-virus packages, as long as
they are compatible with your OS X version.
Thanks again!
Kurt Ullman
2013-01-13 12:31:20 UTC
Post by Jolly Roger
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
Browser-based software that uses Java.
Today's dumb question. Is Java Script different or do I need to disable
that, too?
--
America is at that awkward stage. It's too late
to work within the system, but too early to shoot
the bastards."-- Claire Wolfe
David Empson
2013-01-13 13:31:39 UTC
Post by Kurt Ullman
Post by Jolly Roger
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
Browser-based software that uses Java.
Today's dumb question. Is Java Script different or do I need to disable
that, too?
JavaScript has nothing to do with Java apart from the names being
similar. You can blame Netscape for the poor decision in naming
JavaScript after Java.

You only need to disable the Java plugin in your web browser to protect
against this issue (and previous issues involving Java).

It is safe to leave JavaScript enabled (and generally you will have to
leave JavaScript enabled for a significant proportion of web sites to
work properly.)
--
David Empson
***@actrix.gen.nz
Kurt Ullman
2013-01-13 13:50:43 UTC
Post by David Empson
Post by Kurt Ullman
Post by Jolly Roger
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
What software could one run to expose this infection?
Browser-based software that uses Java.
Today's dumb question. Is Java Script different or do I need to disable
that, too?
JavaScript has nothing to do with Java apart from the names being
similar. You can blame Netscape for the poor decision in naming
JavaScript after Java.
You only need to disable the Java plugin in your web browser to protect
against this issue (and previous issues involving Java).
It is safe to leave JavaScript enabled (and generally you will have to
leave JavaScript enabled for a significant proportion of web sites to
work properly.)
Thanks.
--
America is at that awkward stage. It's too late
to work within the system, but too early to shoot
the bastards."-- Claire Wolfe
David Ritz
2013-01-13 17:58:51 UTC
On Monday, 14 January 2013 02:31 +1300,
Post by David Empson
You only need to disable the Java plugin in your web browser to
protect against this issue (and previous issues involving Java).
I'd like to note, that there's a way to deal with all installed
web-browsers, at the same time, at least if you're using Oracle's
implementation of Java 7 for OS X 10.8.*.

Open System Preferences/Java. This launches as a separate application,
Java Control Panel. Under the Security pane, there's a tick box,
"Enable Java content in the browser". If it is unchecked, Java cannot
be run from _any_ browser.

I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.

- --
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
Jolly Roger
2013-01-13 18:17:08 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday, 14 January 2013 02:31 +1300,
Post by David Empson
You only need to disable the Java plugin in your web browser to
protect against this issue (and previous issues involving Java).
I'd like to note, that there's a way to deal with all installed
web-browsers, at the same time, at least if you're using Oracle's
implementation of Java 7 for OS X 10.8.*.
Open System Preferences/Java. This launches as a separate application,
Java Control Panel. Under the Security pane, there's a tick box,
"Enable Java content in the browser". If it is unchecked, Java cannot
be run from _any_ browser.
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
Nice tip there. Thanks.
- --
Be kind to animals; kiss a shark.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (Darwin)
Comment: Public Keys: <http://dritz.home.mindspring.com/keys.txt>
iEYEARECAAYFAlDy9dwACgkQUrwpmRoS3utMhQCgjJlO+5ze0pxUnqJzjU0jmf7m
5UgAn1WClmbeAZzGPCHvAUsdxV/ZZ23F
=Vv0a
-----END PGP SIGNATURE-----
Is all of this crap really necessary? God...
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
Patty Winter
2013-01-13 19:23:26 UTC
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)


Patty
b***@MIX.COM
2013-01-13 21:32:27 UTC
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
My 10.3 computers have these (which in their title bars are labeled
Java Plug-in Control Panel) -

Java 1.3.1 Plugin Settings.app
Java 1.4.2 Plugin Settings.app

And I'd guess something similar exists for 10.4 (can't look until
tomorrow). But, they don't provide any means to disable anything.
If anyone's curious, a screenshot is here -


There is, however, /usr/bin/policytool (man policytool for info).
But, getting into this is a bit more work (a lot more if you include
testing to be sure it does what it claims to do) than just offing it
in the web browsers.

Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number
Michelle Steiner
2013-01-14 00:42:26 UTC
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
--
Ignore this sig.
Kurt Ullman
2013-01-14 00:53:28 UTC
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
FWIW: I have it on my 10.8.2, but it's in the "other section" and it just
says Java.
--
America is at that awkward stage. It's too late
to work within the system, but too early to shoot
the bastards."-- Claire Wolfe
Michelle Steiner
2013-01-14 01:17:50 UTC
Post by Kurt Ullman
Post by Michelle Steiner
I don't have it on my 10.8.2 system.
FWIW: I have it on my 10.8.2, but it's in the "other section" and it just
says Java.
Maybe I never installed it, but I thought that I had.
--
Ignore this sig.
David Ritz
2013-01-14 01:44:13 UTC
On Sunday, 13 January 2013 18:17 -0700,
Post by Michelle Steiner
Post by Kurt Ullman
Post by Michelle Steiner
I don't have it on my 10.8.2 system.
FWIW: I have it on my 10.8.2, but it's in the "other section" and it
just says Java.
Maybe I never installed it, but I thought that I had.
If you do, remember that Apple no longer supports Java, nor will it
supply new updates.

If you want to install Java 7 update 11, the current version, you'll
need to get it from Oracle's Java website
<http://www.java.com/en/download/index.jsp>.

- --
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
Michelle Steiner
2013-01-14 01:48:21 UTC
Post by David Ritz
If you want to install Java 7 update 11, the current version, you'll
need to get it from Oracle's Java website
<http://www.java.com/en/download/index.jsp>.
Already did; I was going to post about it, but you beat me to it.
--
Ignore this sig.
Paul Sture
2013-01-14 09:09:20 UTC
Post by Michelle Steiner
Post by Kurt Ullman
Post by Michelle Steiner
I don't have it on my 10.8.2 system.
FWIW: I have it on my 10.8.2, but it's in the "other section" and it just
says Java.
Maybe I never installed it, but I thought that I had.
There are to my knowledge at least a couple of ways Java can end up on
your ML system:

1. If you used Migration Assistant to bring everything over from Leopard
as I did, Xcode 3.n if that was installed will come across, and firing
it up for the first time on ML will offer to download Java for you.

2. Earlier releases of OpenOffice and LibreOffice will complain like
hell the first time you run them if Java isn't present, though you could
safely ignore these. Just last week I tried creating a new Text
document using LibreOffice and it offered to download Java for me.
However the latest version of LibreOffice doesn't do this, as far as I
can tell.
--
Paul Sture
Michelle Steiner
2013-01-14 19:12:49 UTC
Post by Paul Sture
There are to my knowledge at least a couple of ways Java can end up on
That's not the situation; it's that the Java preferences icon was not in my
system preferences, which led me to believe that I didn't have Java
installed, even though I thought that I had installed it.

No big thing now.
--
Ignore this sig.
Bread
2013-01-14 20:42:26 UTC
Post by Michelle Steiner
Post by Paul Sture
There are to my knowledge at least a couple of ways Java can end up on
That's not the situation; it's that the Java preferences icon was not in my
system preferences, which led me to believe that I didn't have Java
installed, even though I thought that I had installed it.
The Java pref pane is not part of older versions of Java. It's part of
"Java 7" (also known as Java 1.7), which only runs on Intel macs
running 10.7.3 or later. I think it's been out since late 2011, but
was released for OS X only in mid 2012. I don't have it installed,
but I believe that Java 7 has available auto-updates via that pref-pane.

Java 7 has never been there by default: you have to have gone and put
it in. Java 6 (and older), which do *not* include that pref pane, came
pre-installed in older systems. Java 6 came out in late 2006.

If you migrated from an older system, you may have an older version of
Java. For example, my MBP, which is quite old (though I've migrated
the system across several drives over the years), and is currently
running ML 10.8.2, does *not* have Java 7. It inherited the older
version (and links to it under various older version identifiers).
Apparently, in SL and earlier OS X versions, Apple's Java 6 included a
Java preferences *application* under /Applications/Utilities, but it's
no longer there in Lion or ML.

% cd /System/Library/Frameworks/JavaVM.framework/Versions
% ls -l
total 64
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.4 -> CurrentJDK
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.4.2 -> CurrentJDK
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.5 -> CurrentJDK
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.5.0 -> CurrentJDK
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.6 -> CurrentJDK
lrwxr-xr-x 1 root wheel 10 Oct 24 15:48 1.6.0 -> CurrentJDK
drwxr-xr-x 7 root wheel 238 Oct 24 15:48 A
lrwxr-xr-x 1 root wheel 1 Oct 24 15:48 Current -> A
lrwxr-xr-x 1 root wheel 59 Oct 24 15:48 CurrentJDK -> /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents

Apparently, Oracle is auto-updating folks on Windows from Java6 to
Java7. I saw no notice of anything like that for the Mac versions.

Moreover, Oracle is (barely) still keeping Java6 updated. Per Oracle at
<http://www.oracle.com/technetwork/java/javase/documentation/autoupdate-1667051.html>:

Oracle is now extending the End of Public Updates again for 4
additional months to provide developers and users with additional time
to migrate to Java 7. The last publicly available release of Java 6
will be in February of 2013 with the release of Java SE 6 Update 39
(Java SE 6u39).

FWIW, the actual specific version on my machine right now is this:

% java -version
java version "1.6.0_37"
Java(TM) SE Runtime Environment (build 1.6.0_37-b06-434-11M3909)
Java HotSpot(TM) 64-Bit Server VM (build 20.12-b01-434, mixed mode)

As far as I can tell, that version was installed/updated by *Apple* via
"Java for OS X 2012-006" released in Oct, 2012.

See <http://support.apple.com/kb/DL1572> for more about that. This was
the update that *uninstalled* the Apple-provided Java applet plug-in
from the browsers.

So is there any reason we should be rushing off to install Oracle's Java 7?

Note that if you go to a web page which looks for the Java plug-in,
since the plug-in was disabled by Apple a few months ago, you'll be
given the "missing plug-in" placeholder and a link which takes you to
Oracle's java.com site to download Java 7.

This was a pretty interesting read:

http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates
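
Added example (not from any poster in this thread): a shell script that applies the two checks the thread keeps returning to, the runtime version from the `java -version` banner and whether a browser plug-in bundle is installed. The update thresholds (7u11, 6u39) are the ones quoted in the thread; the plug-in path `/Library/Internet Plug-Ins/JavaAppletPlugin.plugin`, the function names and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Classifies a Java runtime from its `java -version` banner and reports
# whether a Java browser plug-in bundle is present under a given root.

# Assumption (not stated in the thread): Oracle's Java 7 installer places
# its browser plug-in bundle at this path relative to the filesystem root.
PLUGIN_REL='Library/Internet Plug-Ins/JavaAppletPlugin.plugin'

# Read a banner on stdin and print "<major> <update>", e.g. "6 37" for
# 'java version "1.6.0_37"'. Prints nothing if no version line is found.
parse_java_version() {
    sed -n 's/^java version "1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\{0,1\}\([0-9]*\).*/\1 \2/p' |
        head -n 1
}

# $1 = banner text. Prints one status label (labels are this example's own).
classify_java() {
    parsed=$(printf '%s\n' "$1" | parse_java_version)
    [ -n "$parsed" ] || { echo "unknown"; return 0; }
    major=${parsed%% *}
    update=${parsed#* }
    [ -n "$update" ] || update=0    # "1.7.0" carries no update suffix
    case "$major" in
        7)  # The thread cites update 11 as Oracle's response to the alert.
            if [ "$update" -lt 11 ]; then
                echo "java7-below-u11"
            else
                echo "java7-u11-or-later"
            fi ;;
        6)  # The thread quotes Oracle: 6u39 is the last public Java 6 release.
            if [ "$update" -lt 39 ]; then
                echo "java6-below-u39"
            else
                echo "java6-u39-or-later"
            fi ;;
        *)  echo "other-java-$major" ;;
    esac
}

# $1 = filesystem root to inspect ("/" on a live system).
plugin_present() {
    [ -e "${1%/}/$PLUGIN_REL" ]
}

# $1 = banner text, $2 = filesystem root. Prints "<runtime> <plug-in state>".
audit_java() {
    status=$(classify_java "$1")
    if plugin_present "$2"; then
        exposure="plugin-installed"
    else
        exposure="no-plugin"
    fi
    echo "$status $exposure"
}

# Run against the local machine only when asked to: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    # `java -version` writes its banner to stderr.
    audit_java "$(java -version 2>&1 || true)" /
fi
```

A bundle being present does not show whether "Enable Java content in the browser" is ticked in the Java Control Panel, so treat `plugin-installed` as a prompt to check that setting.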
Fred Moore
2013-01-14 22:33:59 UTC
Post by Bread
Java 7 has never been there by default: you have to have gone and put
it in. Java 6 (and older), which do *not* include that pref pane, came
pre-installed in older systems. Java 6 came out in late 2006.
If you migrated from an older system, you may have an older version of
Java. For example, my MBP, which is quite old (though I've migrated
the system across several drives over the years), and is currently
running ML 10.8.2, does *not* have Java 7. It inherited the older
version (and links to it under various older version identifiers).
Apparently, in SL and earlier OS X versions, Apple's Java 6 included a
Java preferences *application* under /Applications/Utilities, but it's
no longer there in Lion or ML.
Note for clarity: We've drifted slightly in this thread to discussing
the Java Runtime Environment itself rather than just the web browser
plugin which lets a browser access the JRE.

My question is this: Has anyone experienced problems with Java 7 and
_apps_ which use Java? I just upgraded a client running Adobe CS4 from a
G5 PPC with 10.5.8 to a Mini with 10.8.2. CS evidently uses Java heavily
in some portions of its work--seemingly unavoidable from what I've
read. The client doesn't have the money to buy CS6 and I'm afraid
installing Java 7 in case it breaks CS4. Anyone have any experience with
this?

TIA!
Bread
2013-01-17 16:34:31 UTC
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".

I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Lewis
2013-01-18 03:32:30 UTC
Post by Bread
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".
There was a 0-day exploit for the newest Java 7 before it was even released.
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.

No one should have Java enabled in their web browsers, it is simply not
safe. At all.
--
A man, in a word, who should never have been taught to write and whom if
unhappily gifted with that ability, should have been restrained by a Act
of Parliament from writing Reminiscences. - PG Wodehouse
Jolly Roger
2013-01-18 14:32:03 UTC
Post by Lewis
Post by Bread
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".
There was a 0-day exploit for the newest Java 7 before it was even released.
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
Some of us need it, unfortunately. : (
Luckily there is a quick and easy way to en/disable it.
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
Fred Moore
2013-01-18 17:24:43 UTC
Post by Jolly Roger
Post by Lewis
Post by Bread
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".
There was a 0-day exploit for the newest Java 7 before it was even released.
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
Some of us need it, unfortunately. : (
Luckily there is a quick and easy way to en/disable it.
On the topic of those who _need_ Java, I asked about Java and Adobe CS
on Macintouch and got this response:

<http://www.macintouch.com/readerreports/security/index.html#d18jan2013>
**
MacInTouch Reader
Fred Moore writes,
"Many apps, such as Adobe Creative Suite, make significant use of Java.
I have upgraded clients with CS4 to 10.8. Java 6 came along for the
ride. They can't afford CS6. I'm hesitant to try Java 7 in case it
causes problems with the older Adobe products. Anyone with experience or
informed speculation care to comment?"

Very few apps use Java, and in particular, Photoshop and CS6 do not use
Java at all.

According to Chris Cox of Adobe, the confusion is because Apple marked
Adobe's installers as needing Java even though nothing about CS6 needs
it, and Apple has yet to fix the problem.
<http://forums.adobe.com/message/4461129>
**

So contrary to what I and others have heard, you do not need Java at all
for Adobe CS6.
Jolly Roger
2013-01-18 20:31:14 UTC
Post by Fred Moore
Post by Jolly Roger
Post by Lewis
Post by Bread
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".
There was a 0-day exploit for the newest Java 7 before it was even released.
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
Some of us need it, unfortunately. : (
Luckily there is a quick and easy way to en/disable it.
On the topic of those who _need_ Java, I asked about Java and Adobe CS
<http://www.macintouch.com/readerreports/security/index.html#d18jan2013>
**
MacInTouch Reader
Fred Moore writes,
"Many apps, such as Adobe Creative Suite, make significant use of Java.
I have upgraded clients with CS4 to 10.8. Java 6 came along for the
ride. They can't afford CS6. I'm hesitant to try Java 7 in case it
causes problems with the older Adobe products. Anyone with experience or
informed speculation care to comment?"
Very few apps use Java, and in particular, Photoshop and CS6 do not use
Java at all.
According to Chris Cox of Adobe, the confusion is because Apple marked
Adobe's installers as needing Java even though nothing about CS6 needs
it, and Apple has yet to fix the problem.
<http://forums.adobe.com/message/4461129>
**
So contrary to what I and others have heard, you do not need Java at all
for Adobe CS6.
Good to know. Unfortunately, I need it for other things.
--
Send responses to the relevant news group rather than email to me.
E-mail sent to this address may be devoured by my very hungry SPAM
filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google
Groups. Use a real news client if you want me to see your posts.

JR
Lewis
2013-01-19 03:04:19 UTC
Post by Fred Moore
Post by Jolly Roger
Post by Lewis
Post by Bread
Post by Bread
So is there any reason we should be rushing off to install Oracle's Java 7?
I've consulted with a couple of local Java experts. The answer was
pretty much "no" with one "and, in fact, there are good reasons *not*
to upgrade to it".
There was a 0-day exploit for the newest Java 7 before it was even released.
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
Some of us need it, unfortunately. : (
Luckily there is a quick and easy way to en/disable it.
On the topic of those who _need_ Java, I asked about Java and Adobe CS
Using Java locally has nothing to do with using it in a web browser, and
the browser plugins are the ones with the security issues.
Post by Fred Moore
According to Chris Cox of Adobe, the confusion is because Apple marked
Adobe's installers as needing Java even though nothing about CS6 needs
it, and Apple has yet to fix the problem.
What? Apple would have nothing to do with Adobe's installer.
--
"Conservatives want live babies so they can raise them to be dead
soldiers" ~Carlin
nospam
2013-01-19 03:15:33 UTC
Post by Lewis
Post by Fred Moore
According to Chris Cox of Adobe, the confusion is because Apple marked
Adobe's installers as needing Java even though nothing about CS6 needs
it, and Apple has yet to fix the problem.
What? Apple would have nothing to do with Adobe's installer.
adobe, who wrote the installer, says otherwise.

i'm quite sure they know better than you do.
Bread
2013-01-18 20:37:53 UTC
Post by Lewis
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
See up there where I say "plug-ins all disabled" - that means it's not
enabled in my browsers.

But some of us do use local java applications on a regular basis.
Tom Stiller
2013-01-18 22:06:00 UTC
Post by Bread
Post by Lewis
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
See up there where I say "plug-ins all disabled" - that means it's not
enabled in my browsers.
But some of us do use local java applications on a regular basis.
<https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813>
--
PRAY, v. To ask that the laws of the universe be annulled in behalf
of a single petitioner confessedly unworthy. -- Ambrose Bierce
Kevin McMurtrie
2013-01-19 05:48:21 UTC
Post by Tom Stiller
Post by Bread
Post by Lewis
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
See up there where I say "plug-ins all disabled" - that means it's not
enabled in my browsers.
But some of us do use local java applications on a regular basis.
<https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813>
As others have said, there's no issue having Java installed. It's
simply another runtime environment like bash, tcsh, ruby, perl, python,
Rosetta, C++, and Objective C. The issue is, as usual, browser plugins.
--
I will not see posts from Google because I must filter them as spam
Lewis
2013-01-19 03:05:07 UTC
Post by Bread
Post by Lewis
Post by Bread
I'm sticking with Java6 for now. (plug-ins all disabled, of course).
Java 6 isn't secure either.
No one should have Java enabled in their web browsers, it is simply not
safe. At all.
See up there where I say "plug-ins all disabled" - that means it's not
enabled in my browsers.
But some of us do use local java applications on a regular basis.
Yes, as do I. The security issues are with the browser use of Java.
--
'There has to be enough light,' he panted, 'to see the darkness.'
David Ritz
2013-01-14 01:36:12 UTC
On Sunday, 13 January 2013 19:53 -0500,
Post by Kurt Ullman
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in
previous versions of OS X or Java. Others may be able to shed
additional light on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my
other Mac, either.)
I don't have it on my 10.8.2 system.
Michelle, the purchase of your iMac follows the point in time, when
Apple removed Java. As you do not have Java installed, you do not
have to be concerned with this current security issue.
Post by Kurt Ullman
FWIW: I have it on my 10.8.2, but it's in the "other section" and it just
says Java.
It takes time to launch the Java Control Panel, by clicking the Java
Preference.pane in System Preferences. Be patient.

BTW - Oracle released update 11, for Java 7, jre-7u11-macosx-x64.dmg,
today. It's available from Oracle's Java website. I have no idea
whether it addresses the security issues at hand. While I performed
the update, Java remains disabled for all browsers, using the Java
Control Panel.

Notes: Java is developed by Oracle.
JavaScript was created by Netscape and has no connection to
Java, beyond having a similar name.

- --
David Ritz <***@mindspring.com>
Be kind to animals; kiss a shark.
Michelle Steiner
2013-01-14 01:47:35 UTC
Post by David Ritz
BTW - Oracle released update 11, for Java 7, jre-7u11-macosx-x64.dmg,
today. It's available from Oracle's Java website. I have no idea
whether it addresses the security issues at hand. While I performed
the update, Java remains disabled for all browsers, using the Java
Control Panel.
Oracle says that update 11 is in response to that security issue. Here are
the release notes:

<http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>
--
Ignore this sig.
John Varela
2013-01-14 20:57:09 UTC
On Mon, 14 Jan 2013 00:42:26 UTC, Michelle Steiner
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
Open System Preferences. If you have installed Java then there will
be a Java icon in the bottom row of icons. Click on it. A pane will
open that says "The Java control panel will open in a separate
window," which it does.
--
John Varela
Michelle Steiner
2013-01-14 23:02:45 UTC
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional
light on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
Open System Preferences. If you have installed Java then there will be a
Java icon in the bottom row of icons. Click on it. A pane will open that
says "The Java control panel will open in a separate window," which it
does.
At the time I wrote that I didn't have that icon in System Preferences;
telling me to look in System Preferences doesn't miraculously put it there.

I've since installed the new version of Java that came out yesterday, and
the icon is now there.
--
Ignore this sig.
Bread
2013-01-14 23:35:34 UTC
Post by John Varela
On Mon, 14 Jan 2013 00:42:26 UTC, Michelle Steiner
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
Open System Preferences. If you have installed Java then there will
be a Java icon in the bottom row of icons. Click on it. A pane will
open that says "The Java control panel will open in a separate
window," which it does.
See my earlier note -- that's NOT necessarily the case. If you have
Java 1.6, you will NOT have such a control panel or system pref pane on
either 10.8 or 10.7. And on 10.6, it'll be under
/Applications/Utilities, not under System Preferences.
dorayme
2013-01-14 23:39:16 UTC
Post by John Varela
On Mon, 14 Jan 2013 00:42:26 UTC, Michelle Steiner
Post by Michelle Steiner
Post by Patty Winter
Post by David Ritz
I cannot recall, whether the Java Control Panel existed in previous
versions of OS X or Java. Others may be able to shed additional light
on this matter.
No sign of it in 10.6. (And thus, of course, not in 10.4 on my other
Mac, either.)
I don't have it on my 10.8.2 system.
Open System Preferences. If you have installed Java then there will
be a Java icon in the bottom row of icons. Click on it. A pane will
open that says "The Java control panel will open in a separate
window," which it does.
In Snow Leopard, or at least on my SL, the relevant preferences are an
app called, sensibly enough, "Java Preferences.app" and resides in the
Utility folder of the Applications folder.
--
dorayme
JF Mezei
2013-01-13 20:05:19 UTC
On the limited sites I visit that require JAVA, I manually enable Java
(I have a button on Firefox to do that) and then, I usually see a long
"java starting up" panel in the pane where the java app is to run.

It is obvious because it takes many seconds to start up.

After visiting the site, I turn Java back off.

Question: If I were to leave Java turned on all the time, once it has
gone through the process of starting up (visible because it takes so
much time), would subsequent web sites needing Java run very fast
without my noticing they are activating Java ?
Patty Winter
2013-01-13 17:59:51 UTC
Post by gtr
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
What software could one run to expose this infection?
One of Apple's security updates checked for and removed Flashback.

Also, you can check for a Flashback infection on a special website
set up by Kaspersky:

http://www.flashbackcheck.com/


Patty
Patty Winter
2013-01-12 20:23:43 UTC
Post by Michelle Steiner
Java was a part of what was the most serious malware threat to the Mac,
dubbed "Flashback." That trojan was estimated to have infected 600,000 Macs
worldwide last year, before Oracle and Apple released Java patches to
remove the malware.
Ah, thanks, Michelle, you just answered the question I asked in a
previous posting about what sort of Java exploit could be dangerous
for Macs.


Patty
Paul Magnussen
2013-01-12 20:40:38 UTC
Post by Michelle Steiner
The newly discovered zero-day flaw in Java 7 is so serious that the U.S.
Department of Homeland Security has warned users to disable or uninstall it.
Am I correct, then, in inferring that one doesn't have to worry about
earlier versions (e.g. that on my old G4)?

I wonder if this also applies to Scala, then, since that's built on top
of the (JVM)? One would think so.

Paul Magnussen
Michelle Steiner
2013-01-12 21:13:57 UTC
Post by Paul Magnussen
Post by Michelle Steiner
The newly discovered zero-day flaw in Java 7 is so serious that the
U.S. Department of Homeland Security has warned users to disable or
uninstall it.
Am I correct, then, in inferring that one doesn't have to worry about
earlier versions (e.g. that on my old G4)?
I read, after I posted that notice, that the problem exists for all
versions of Java.
--
The 2012 elections are over; let the 2016 campaigning begin!
b***@MIX.COM
2013-01-13 06:08:34 UTC
Post by Paul Magnussen
Am I correct, then, in inferring that one doesn't have to worry about
earlier versions (e.g. that on my old G4)?
Perhaps - the only way to know for sure is to get the exploit (or find
a web site running it) and give it a try. Probably the safest way to
do that is wait for the Metasploit project to release a module for it.
It shouldn't be a very long wait...

http://www.metasploit.com/

This only runs, however, under Linux or Windows.
Post by Paul Magnussen
I wonder if this also applies to Scala, then, since that's built on top
of the (JVM)? One would think so.
Probably. On stuff this old testing is the best way to find out.

I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript,
which has nothing to do with Java, and was initially named Livescript.
Netscape changed the name to take advantage of all the hype surrounding
Java - I wonder how those guys are feeling about that these days. Heh.

Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number
dorayme
2013-01-13 06:33:46 UTC
Post by b***@MIX.COM
I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript
How can you live this way these days? Maybe Java can be sparingly used
but surely only monks could deny themselves javascript enabled
browsers?
--
dorayme
b***@MIX.COM
2013-01-13 18:42:24 UTC
Permalink
Post by dorayme
Post by b***@MIX.COM
I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript
How can you live this way these days? Maybe Java can be sparingly used
but surely only monks could deny themselves javascript enabled
browsers?
Well, a rather large fraction of web-based attacks use Javascript.
Hence the popularity of NoScript, NotScripts, and probably others I
don't know.

As well, many script-laden sites are now approaching Flash in the
sense of needlessly being resource hogs of the highest order. So,
although in a rather small way, I can register my displeasure by
not allowing them to run.

I also use Lynx to take a first look at sites that may be a problem,
and often that's enough to get the content I wanted to see.

Billy Y..
--
sub #'9+1 ,r0 ; convert ascii byte
add #9.+1 ,r0 ; to an integer
bcc 20$ ; not a number
Paul Sture
2013-01-13 22:28:29 UTC
Permalink
Post by b***@MIX.COM
Post by dorayme
Post by b***@MIX.COM
I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript
How can you live this way these days? Maybe Java can be sparingly used
but surely only monks could deny themselves javascript enabled
browsers?
Well, a rather large fraction of web-based attacks use Javascript.
Hence the popularity of NoScript, NotScripts, and probably others I
don't know.
As well, many script-laden sites are now approaching Flash in the
sense of needlessly being resource hogs of the highest order. So,
although in a rather small way, I can register my displeasure by
not allowing them to run.
One site I regularly visit is run by a guy who cannot resist adding
bells and whistles written in Javascript and those scripts were
regularly timing out. It's a waste of my system resources, so I only
visit that site with JS firmly switched off.

This gave a real performance problem not only on my older PPC machines,
but also my Mac mini before I upgraded the RAM.

The BBC used to be another offender. They would pester me to enable JS,
and the only purpose of that was to serve up news videos, which they
then wouldn't allow me to view because I am outside the UK. Listening
to their radio channels also insists that I have JS enabled, but I do
that on a temporary basis.
Post by b***@MIX.COM
I also use Lynx to take a first look at sites that may be a problem,
and often that's enough to get the content I wanted to see.
Lynx can be a pain when navigating sites with huge menus down the left
sidebar, but yes it is a useful tool.

Links is another one, which I have successfully used on OS X. It is
better than Lynx for displaying tables, but I have a feeling that the
last time I looked at it they were implementing Javascript (mandatory
YUCK).
--
Paul Sture
Jim Janney
2013-01-14 06:29:01 UTC
Permalink
Post by Paul Sture
Post by b***@MIX.COM
Post by dorayme
Post by b***@MIX.COM
I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript
How can you live this way these days? Maybe Java can be sparingly used
but surely only monks could deny themselves javascript enabled
browsers?
Well, a rather large fraction of web-based attacks use Javascript.
Hence the popularity of NoScript, NotScripts, and probably others I
don't know.
As well, many script-laden sites are now approaching Flash in the
sense of needlessly being resource hogs of the highest order. So,
although in a rather small way, I can register my displeasure by
not allowing them to run.
One site I regularly visit is run by a guy who cannot resist adding
bells and whistles written in Javascript and those scripts were
regularly timing out. It's a waste of my system resources, so I only
visit that site with JS firmly switched off.
This gave a real performance problem not only on my older PPC machines,
but also my Mac mini before I upgraded the RAM.
The BBC used to be another offender. They would pester me to enable JS,
and the only purpose of that was to serve up news videos, which they
then wouldn't allow me to view because I am outside the UK. Listening
to their radio channels also insists that I have JS enabled, but I do
that on a temporary basis.
Post by b***@MIX.COM
I also use Lynx to take a first look at sites that may be a problem,
and often that's enough to get the content I wanted to see.
Lynx can be a pain when navigating sites with huge menus down the left
sidebar, but yes it is a useful tool.
Links is another one, which I have successfully used on OS X. It is
better than Lynx for displaying tables, but I have a feeling that the
last time I looked at it they were implementing Javascript (mandatory
YUCK).
I like w3m best of the text browsers I've tried. I think I used brew to
install it on my Snow Leopard system, but I don't quite remember at this
point.
--
Jim Janney
dorayme
2013-01-13 23:19:30 UTC
Permalink
Post by b***@MIX.COM
...I rarely ever even enable Javascript
... surely only monks could deny themselves javascript enabled
browsers?
Well, a rather large fraction of web-based attacks use Javascript.
Hence the popularity of NoScript, NotScripts, and probably others I
don't know.
Yes, that is a strategy.
Post by b***@MIX.COM
As well, many script-laden sites are now approaching Flash in the
sense of needlessly being resource hogs of the highest order. So,
although in a rather small way, I can register my displeasure by
not allowing them to run.
I also use Lynx to take a first look at sites that may be a problem,
and often that's enough to get the content I wanted to see.
I guess if you know in advance which sites may be a problem. If you
have a great bandwidth allowance and a Mac and good backup strategies,
I believe most of us can rest easy enough and relax more though, (not
the feeling I get with windoze though!)
--
dorayme
Jim Janney
2013-01-13 16:45:30 UTC
Permalink
Post by b***@MIX.COM
Post by Paul Magnussen
Am I correct, then, in inferring that one doesn't have to worry about
earlier versions (e.g. that on my old G4)?
Perhaps - the only way to know for sure is to get the exploit (or find
a web site running it) and give it a try. Probably the safest way to
do that is wait for the Metasploit project to release a module for it.
It shouldn't be a very long wait...
http://www.metasploit.com/
This only runs, however, under Linux or Windows.
Post by Paul Magnussen
I wonder if this also applies to Scala, then, since that's built on top
of the (JVM)? One would think so.
Probably. On stuff this old testing is the best way to find out.
I have some Java programs on my old G4s, but I've never, ever let any
of the web browsers access it. I rarely ever even enable Javascript,
which has nothing to do with Java, and was initially named Livescript.
Netscape changed the name to take advantage of all the hype surrounding
Java - I wonder how those guys are feeling about that these days. Heh.
I think the official name is now ECMAScript, but no one uses that for
obvious reasons.
--
Jim Janney
Paul Sture
2013-01-13 22:14:25 UTC
Permalink
Post by b***@MIX.COM
I rarely ever even enable Javascript,
which has nothing to do with Java, and was initially named Livescript.
Netscape changed the name to take advantage of all the hype surrounding
Java - I wonder how those guys are feeling about that these days. Heh.
Javascript also went by the name of ECMAScript at one point:

<http://en.wikipedia.org/wiki/JavaScript#Standardization>

also further up that page:

<http://en.wikipedia.org/wiki/JavaScript#Birth_at_Netscape>
--
Paul Sture
Kevin McMurtrie
2013-01-13 07:24:21 UTC
Permalink
Post by Paul Magnussen
Post by Michelle Steiner
The newly discovered zero-day flaw in Java 7 is so serious that the U.S.
Department of Homeland Security has warned users to disable or uninstall it.
Am I correct, then, in inferring that one doesn't have to worry about
earlier versions (e.g. that on my old G4)?
I wonder if this also applies to Scala, then, since that's built on top
of the (JVM)? One would think so.
Paul Magnussen
The vulnerability is usually in the Java Security Manager. That makes
browser plugins and servers running public JSPs vulnerable. Honestly,
you shouldn't have any browser plugin automatically run.

Normal Java apps don't have a Security Manager. If you run an app
designed to hijack your personal account then it will freely do so.
That's the way apps are regardless of the language they're written in.
--
I will not see posts from Google because I must filter them as spam
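The difference described in the post above, as an added example that is not part of the original post: a normally launched Java application starts with no Security Manager, so account-level operations succeed, and the same operations are refused once the default manager and policy are in place. The class name SandboxDemo and the probe() helper are hypothetical, and the code assumes a Java 7/8-era runtime like the ones discussed in this thread.

```java
import java.io.File;

// Added example, not code from the thread. Written for the Java 7/8 era
// discussed here; newer JDKs refuse to install a SecurityManager at runtime.
public class SandboxDemo {

    // Attempt two things a hostile program would want: read the property
    // that locates the user's account, then list that home directory.
    static String probe() {
        try {
            String home = System.getProperty("user.home");
            String[] names = new File(home).list();
            int n = (names == null) ? 0 : names.length;
            return "allowed: listed " + n + " entries in the home directory";
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; the message
            // names the permission that the policy did not grant.
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // A program started with plain `java SandboxDemo` has no manager,
        // so nothing stands between it and the user's account.
        System.out.println("manager at startup: " + System.getSecurityManager());
        System.out.println("no manager   -> " + probe());

        try {
            // Install the default manager with the default policy, which is
            // the kind of restriction browser applets were meant to run under.
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            // Recent JDKs disallow installing a manager unless started with
            // -Djava.security.manager=allow, and the newest remove the option.
            System.out.println("this JDK does not allow installing a SecurityManager");
            return;
        }
        System.out.println("with manager -> " + probe());
    }
}
```

A flaw that lets untrusted code switch the manager off puts an applet in the first situation, which is why the warnings in this thread concern the browser plugin rather than locally installed Java programs.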
Paul Sture
2013-01-14 09:11:56 UTC
Permalink
An appropriate typo in the subject line

'Diable' is French for 'devil' for those who don't know.
--
Paul Sture