Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a smaller number of corporate Macs that exploited exploited a flaw in the Java browser plug-in, researchers from security firm FireEye are warning users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are currently vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple and several other companies last month. Following the earlier attack, Apple released an updateto Java for users to version 1.6.0_41. These recent vulnerabilities come after several updates over the past year to Java addressing exploits.

FireEye is recommending users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provides the instructions below for uninstalling Java on Mac:  

  1. Click on the Finder icon located in your dock
  2. Click on Applications tab on the sidebar
  3. In the Search box enter JavaAppletPlugin.plugin
  4. This will find the JavaAppletPlugin.plugin file
  5. Right click on JavaAppletPlugin.plugin and select Move to Trash

[Source: 9to5Mac]

Oracle patches Java exploits, toughens its default security levels

Oracle hasn't had a great start to 2013. It's barely into the new year, and Apple and Mozilla are already putting up roadblocks to some Java versions after discoveries of significant browser-based exploits. The company has been quick to respond, however, and already has a patched-up version ready to go. The Java update goes one step further to minimize repeat incidents, as well -- it makes the "high" setting the default and asks permission before it lauches any applet that wasn't officially signed. If you've been skittish about running a Java plugin ever since the latest exploits became public, hit the source to (potentially) calm your nerves.

[Source: Engadget]

Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites. 

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

[Source: MacRumors]

Apple says no Java for you, removes plugin from browsers on OS X 10.7 and up

Apple has recently released a Mac update for OS X Lion and Mountain Lion that removes its Java plugin from all OS X browsers. If you install the update, you'll find a region labeled "Missing plug-in" in place of a Java applet; of course, Apple can't stop you from clicking on it to download a Java plug-in directly from Oracle. The Cupertino-based company had previously halted pre-installing Java in OS X partially due to the exploitable factors of the platform, so this update signifies further distancing from Larry Ellison's pride and joy.

[Source: Engadget]