The New Stuff

Oracle releases patch to address security Vulnerability in Java 7

Earlier this week Oracle reported on a new vulnerability in Java SE 7 that could put many users at risk on a variety of platforms, including OS X. The real-world threat to Mac users was very low, because only a small number of users had manually installed Java SE 7, but this incident is another reminder that Mac users can be vulnerable to malicious attacks.

Oracle was reportedly warned of the issue months ago but did not take any significant action to protect users until it became public. Now, Oracle has moved quickly to address the problem with an announcement regarding the release of Java SE 7 Update 7. The company has also released Java SE 6 Update 35 to address a separate issue with the earlier version.

If successfully exploited, these vulnerabilities can give a malicious attacker the ability to plant arbitrary binaries on the compromised system; for example, the vulnerabilities can be exploited to install malware, including Trojans, on the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.

The updated versions of Java are available through Oracle's Java download page.

Mozilla warns Firefox users to disable Java following zero-day exploit

According to Firefox, an unpatched vulnerability in the current version of Java has "gone mainstream," prompting Mozilla Firefox to help users to switch the plugin off. The zero-day exploit could currently affect users running Java 1.7 on any Windows browser, and Websense reports that it's now included in Blackhole, the "most prevalent exploit kit out there."

Oracle has yet to issue a patch for the exploit. IDG says that it was among several security issues reported to the company back in April that have been left untouched until the planned October Critical Patch Update. Mozilla is preparing its own solution, which will disable Java by default, but hasn't announced how this will be implemented. In the meantime, it has uploaded instructions on how to disable Java, and anyone using other browsers may well wish to do the same.


Apple Updates Java for Lion and Snow Leopard in Sync with Oracle


Apple yesterday released updates to Java for Lion and Snow Leopard in sync with Oracle. The update builds upon the earlier Java update for Lion that disabled automatic execution of Java applets in an attempt to minimize the impact of Java-based malware threats like Flashback.

"This update configures web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate."

As noted by Krebs on Security, the release is notable because it came on the same day that Oracle released updates for Java on other platforms. Apple has always been criticised for lagging on Java updates, a strategy which allowed the Flashback malware to grow as Mac systems were left unprotected against the threat, even though Oracle had patched the vulnerability on other systems several months before.
"The update Oracle released yesterday, Java 6 Update 33 and Java 7 Update 5, fixes at least 14 security flaws in the oft-attacked software that is installed on more than three billion devices worldwide. Apple’s Java update brings Java on the Mac to 1.6.0_33, and patches 11 of the 14 security vulnerabilities that Oracle fixed in Tuesday’s release. It’s unclear whether those other three flaws simply don’t exist in the Mac version of Java, but we’ll take progress where we can get it."
With Java SE 7 coming to the Mac later this year, control over updates is switching from Apple to the OpenJDK project, with both Apple and Oracle providing expertise to ensure that updates for the Mac roll out on a timely basis. That transition began back in late 2010, with Steve Jobs noting at the time that having Apple responsible for Java updates on the Mac "may not be the best way to do it."


Google Cleared Of Java Patent Infringement in Android


Oracle has lost its alleged Java patent infringement case against Google. Oracle's lawsuit against Google started falling apart just a few weeks after it was filed. Oracle started to throw money at the case; however, the jury has now returned a verdict that clears Google of infringing Java patents in its Android operating system for mobile phones.

Google issued a statement which said:
"Today's jury verdict that Android does not infringe Oracle's patents was a victory not just for Google but the entire Android ecosystem."
James Gosling, who has had the biggest influence on the development of Java at Sun Microsystems, wanted a different verdict.

Gosling added that the case "went out with a whimper", also saying:
"Court cases are never about right and wrong, they're about the law and what you can convince a jury of. For those of us at Sun who felt trampled-on and abused by Google's callous self-righteousness, I would have preferred a different outcome - not from the court case as much as from events of years past."
As for Oracle's infamous damage claims, the firm will be lucky to win enough cash to pay its lawyers. Oracle still has the right to appeal, but for now, Google and software developers everywhere have scored a victory.

Larry Ellison In Court: I don't know if Java is free

In U.S. District Court in San Francisco, courtroom 8, on Tuesday, Oracle CEO Larry Ellison responded to a question regarding the status of the Java programming language, which the company bought from Sun in 2010.

Asked by Google's lead attorney Robert Van Nest if the Java language is free, Ellison was slow to respond and gave his answer only after Judge William Alsup pushed him for a yes or no answer. Ellison resisted, huffed and said, "I don't know."

Java is free but also has a set of licenses that are required for specific use cases. 




Source: CNET





