Two more Java vulnerabilities found

Published January 20th, 2013 at 9:31 AM EDT , modified January 25th, 2013 at 3:08 PM EDT

Security researcher Adam Gowdiak has announced the discovery of two more vulnerabilities affecting the latest version of Java (Java 7 Update 11). These are entirely separate from the still-not-fully-repaired bug behind the vulnerability that prompted the latest Java update. Of course, it’s not exactly news, at this point, that Java is full of holes that hackers love to exploit. So why am I continuing to beat a dead horse? Primarily, because I continue to hear people dismiss concerns about Java’s security. Java is a sinking ship, folks… you can either hop in a lifeboat and get away or go down with the ship. The choice is yours.

19 Comments

  • Someone says:

    Is there any record of how many Java vulnerabilities found per year (My guess is no, because there are too many)?

    Oh, and nice “no Java” image.

  • Someone says:

    I was just wondering… Honestly, I don’t care at this point, because there are waaaaaay too many :-). I can’t believe people still use Java when it’s such a horror show.

  • Mike Kingsley says:

    Yeah I agree that it should be considered a sinking ship, but it’s also easier said for those that don’t need to use it. Unfortunately there are still a lot out there that rely on it either due to programs being written in it that they need to run – or another popular one, coupon sites.

  • Tim says:

    I’m not a techie. Do we need Java? Can I just disable it, or must I use something else in its place? If so, what would that be?

    • Thomas says:

      Just disable it. If you need it, you’ll find that some web site you rely on no longer works. Then you’ll need to find a way to work with that site without risking the integrity of your machine by having Java enabled while visiting other sites.

  • Levi says:

    I’m concerned. I needed to download Java to access Time Warner’s website two nights ago. In Spotlight I see listed JavaAppletPlugIn. Can you tell me how to search for more Java and how to disable it? Thanks!

  • Levi says:

    Thanks! Should I do the same for JavaScript and Plug-Ins? (I have no idea what any of those mean.)
    Also, I am now really concerned that my computer has been hacked. When I returned home after a few hours and activated my screen, I noticed something on the dock I’d never seen before: a black box, and when I scrolled over it, Terminal came up.
    A Google search tells me Terminal is used by people who really know what they’re doing. I don’t. I’ve done nothing to bring it up. It says my name and Bash 80X24 at the top. Then in the box, it shows a last login date and time (today) and ttys000.
    Have I been hacked?! Why has that shown up? I have none of the boxes checked in Sharing. Thank YOU!!

    • Thomas says:

      If you disable JavaScript, you will cause many sites to stop working, and it’s not the same as Java anyway. Plug-ins refers to any other Internet plugins that you may have installed. This is also not related to the recent Java issues.

      As for the issue you saw, you haven’t been hacked. I can’t say why the Terminal would be open, but there are many perfectly legitimate reasons for that besides hacking, which is actually quite unlikely unless someone with physical access to the machine was doing something. (If someone untrusted has physical access, pretty much anything is possible.)

  • Levi says:

    Thank you, Thomas! While I was waiting for your answer, I disabled them all and noticed several sites not working.
    No one else was at my home or has access to my computer (physical access), so it was very disconcerting to see something on my computer that I had not accessed. Basically, I use Mail and Safari, not much else. I’m always worried about malware, spyware, viri… someone accessing my computer remotely.
    Thanks again! You’re the best!
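Levi’s question above was how to find out what Java is actually installed on a Mac before turning it off. The script below is an added example, not part of the post or its comments: it walks a list of locations where Java components were commonly installed on OS X of that era (the browser plug-in at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin, the Apple and Oracle JavaVirtualMachines folders, the Java Control Panel preference pane and the /usr/libexec/java_home helper) and reports which ones exist. The path list and the function names are assumptions of this example; the root directory can be overridden so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example (not from the blog post): inventory the places where
# Java components normally live on a Mac, so "disable Java" covers all
# of them. The list of locations is an assumption based on common
# Java-on-OS-X layouts of that era, not something the post states.

# Known install locations, one per line, relative to the root directory.
# (Assumed paths; the browser plug-in is the one Levi saw in Spotlight.)
JAVA_LOCATIONS="Library/Internet Plug-Ins/JavaAppletPlugin.plugin
System/Library/Java/JavaVirtualMachines
Library/Java/JavaVirtualMachines
Library/PreferencePanes/JavaControlPanel.prefPane
usr/libexec/java_home"

# list_java_components [ROOT]
# Prints the full path of every known Java location that exists under
# ROOT (default "/"). A here-document feeds the loop so it runs in the
# current shell and handles paths containing spaces.
list_java_components() {
    root="${1:-/}"
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
        fi
    done <<EOF
$JAVA_LOCATIONS
EOF
}

# count_java_components [ROOT]
# Prints the number of Java components found under ROOT (0 if none).
count_java_components() {
    list_java_components "${1:-/}" | wc -l | tr -d ' '
}

# Stand-alone usage: run the inventory against the real filesystem
# (or a root given as the first argument). Set JAVA_INVENTORY_NO_RUN
# to source the file without running the check.
if [ -z "${JAVA_INVENTORY_NO_RUN:-}" ]; then
    if [ "$(count_java_components "${1:-/}")" -eq 0 ]; then
        echo "No known Java components found under ${1:-/}"
    else
        list_java_components "${1:-/}"
    fi
fi
```

An empty result means the browser plug-in and the runtime folders are all absent; a non-empty result lists what is present so that disabling the plug-in in each browser (or uninstalling the runtime) can be checked against it afterwards.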

  • aalien says:

    Hello!
    Nice website… Thanks for keeping us informed!
    My question (although I’m [almost] pretty sure of the answer [No?]) is:

    — Does Mac OS X Mountain Lion have Java pre-installed? I don’t need it, never needed it either… I think it doesn’t (based on my most obvious reasons) BUT if it does I really would like to uninstall it…

    THANK YOU!

  • Someone says:

    If you have Java on your computer (either it runs Snow Leopard or you downloaded it) is there a way to actually remove all traces of it from your computer, or do you have to live with just turning it off in your browser?

    And also, I assume that if you have a computer running Snow Leopard (and it has Java on it) upgrading to Lion/Mountain Lion doesn’t remove Java?

  • Tom R says:

    I just discovered your site when looking for articles on anti-virus programs. I had no idea about the issues surrounding Java. I’m a professional photographer and got my first Mac last Feb., and just purchased an MBP last week. I use a tool called ROES to upload photos to my photo finisher for processing prints. It appears to me ROES is a Java application. I’ve seen lots of comments about disabling Java in your browser, but this application runs outside of a browser. Are you familiar with it? Do the vulnerabilities still exist if not running Java in a browser? Thanks in advance.

  • Tom R says:

    Thanks for quick response and helpful advice!

  • McM says:

    Hello, thanks for this very useful and interesting blog. I purchased Intego’s Premium Bundle 2013 on Jan 30, as I discovered my Mac had been infected by an Exploit virus on several occasions through Java in January. Intego is supposed to be THE ultimate protection for Macs. However, I see that their virus definitions are only updated once or twice a week; for example, today is Feb 3 and their latest virus definitions are dated Jan 31. Does this seem normal to you? I read in several places that new viruses appear every day, so how can a virus barrier which is updated every 4 days be trustworthy? Please let me know what you think. Thanks a lot in advance.

    • Thomas says:

      You’re thinking of Windows. New malware certainly does not appear every day on the Mac. The last known malware to appear for the Mac appeared on December 11 of 2012. (See the malware catalog in my Mac Malware Guide.) As for your Mac having been infected, note that this is extremely unlikely to have happened last month. Most likely, whatever you detected was Windows malware, probably attached to junk e-mail.
