Apple Remotely Disables Java on Macs After Major Security Alert

The U.S. Department of Homeland Security has urged that computer users immediately disable Java in light of of a security expert's warning of a serious exploit. Apple has already remotely disabled any version prior to 1.7.0_10-b18 via it's remote Xprotect security mechanism in OS X.

The U.S. Computer Emergency Readiness Team referenced, on January 10, the Software Engineering Institute Vulnerability Note VU#625617 which says: "Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system."

There is no known workaround to the latest version of Java, and the agency noted that "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Apple has already responded by disabling the Java plug-in on Macs that have it installed. OS X now has a mechanism, the "Xprotect.plist," that can be remotely updated by Apple.

If you're curious about whether Java is even installed on your Mac, you can open a terminal window and enter:

java -version

If it's not installed, the OS will invite you to do so, but considering that the latest version of Java is vulnerable, you should probaby pass on the offer.

The exploit was discovered by a French researcher, "Kafeine" who first described the problem.

Because the Java plug-in is disabled by Apple for browsers, applets will be prevented from executing within a browser.