Wednesday, April 4, 2012

CRITICAL Java Updates: Mac OS X 10.6 Update 7 and 10.7 Update 2012-002 (formerly 001)

[Updated 2012-04-06:
For users of Mac OS X 10.7, Java update 2012-002 was released today to correct an error in the .DMG installer for 2012-001, and the 2012-001 installer has been withdrawn. I interpret this to mean that the flaw in 001 was critical. Therefore, please install Java for OS X 2012-002 IMMEDIATELY! It has been reported that over 600,000 (not a typo) Macs are now infected with the Flashback Trojan horse / botnet malware, which is unprecedented in Mac history. This Java update closes the drive-by route Flashback uses to infect Macs through the browser's Java plug-in.]

If you haven't already installed the latest Java update for Mac OS X 10.6 Snow Leopard and 10.7 Lion, INSTALL IT NOW. No excuses. The best method of installation in this case is via Software Update, under the Apple menu. There is currently a problem with the direct-download version for 10.7: it FAILs the fsck check the OS runs while verifying the DMG. See details below.

This particular update is CRITICAL because there is an active exploit against the older version of Java that results in drive-by infection of Macs: visiting a booby-trapped web page is enough, and because the malware installs itself with the privileges of the logged-in user, no password prompt ever appears. This is unheard of on Macs. It is specifically a problem in the Java runtime, NOT in Mac OS X itself. Don't blame Apple. Blame the lazy crapcoders at ORACLE.

Windows users have had the fix in this Java update for MONTHS. Supposedly Apple and Oracle have an arrangement whereby Oracle now writes the Mac Java updates, but if so, that arrangement is FAILing.

Earlier today I posted reviews of this update at both VersionTracker/CNET and MacUpdate. I have provided a somewhat redundant summary below, with details about how to turn Java OFF, which I highly recommend, as well as some rant action.

∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞ ∞

Good: This CRUCIAL Java update patches the hole behind an active exploit against Macs. Better a late update than never. Java is occasionally useful.

Bad: Java is now one of the most INSECURE Internet technologies. If you don't use Java, TURN IT OFF! Oracle and Apple are NOT providing Mac Java updates in a timely manner: this update delivers a fix Windows users have had for months, and for over a week there has been malware actively exploiting the unpatched version on Macs.

It is terrific that Apple jumped on this exploit so quickly once it was being used in the wild. However, Mac users MUST be provided with Java patches at the same time as Windows users. Delaying Java patches for Mac users is NOT acceptable.

I have verified that the direct download file of the 10.7 version of Java for OS X 2012-001 FAILs the Mac OS X fsck check during file verification. This is evident in the Console. This is BAD. If you used this downloaded installer, IMMEDIATELY update to the Java for OS X 2012-002 installer!

The BEST way to install this update is via Software Update, under your Mac's Apple menu. That installation works perfectly.

Now For My Rant:

Java has become a BANE of the Internet. I have turned it OFF. I am sick of the recent Java exploits against Mac users. I don't deal with it. I suggest you turn Java OFF as well, unless you use it regularly.


If you use multiple web browsers (I use six), then the best and simplest way to turn Java OFF in all of them at once is via the Java Preferences app in your Mac's Utilities folder. Note that this disables the browser applet plug-in and Web Start launching, which is the drive-by path, but it does not uninstall the Java runtime: desktop Java applications and the command-line java still work. Follow these steps:

1) Open the Java Preferences app.

2) Under the 'General' tab, uncheck "Enable applet plug-in and Web Start applications". (Mac OS X 10.6 users: instead uncheck the Java SE 6 plug-in entries in the box inside the window.)

3) Quit the Java Preferences app.

4) VERIFY IT'S OFF: Open the Java Preferences app again and confirm that the "Enable..." checkbox is still unchecked. If it has turned itself back on, uncheck the damned thing again, quit Java Preferences, and verify AGAIN as required.

I add this VERIFY step because I personally have seen this checkbox turn on again. If you want to be extra-special certain the box doesn't turn on again, you can go down to the box under the 'General' tab and turn OFF both the 64-bit and 32-bit "Java SE 6" entries, then turn OFF "Enable". That definitely does the trick.

My #2 Rant: 

SHAME ON ORACLE. That company has RUINED OpenOffice. The LibreOffice fork is now off and running and far superior, leaving the original OpenOffice project irrelevant. Oracle has been just as obtuse with Java, which is now a DETRIMENT to the Internet.

Java's source has actually been open for years, as OpenJDK; what it lacks is a community that cares about it. Perhaps great developers like those on the LibreOffice team will grab it and make Java seriously great. Until then, BEWARE OF JAVA. I fully expect more Java exploit malware to come. (o_0)

Now I go all sentimental: 

Remember when Java was supposed to be 100% secure, never able to touch your computer directly, entirely safe inside the applet sandbox of its little virtual machine? Remember 'write once, run anywhere'? Remember 'secure memory management'? Fun times in Fantasy Land.
