The Safe Mac



Apple and Mozilla act fast to secure Java

Posted on January 12th, 2013 at 8:42 AM EDT


Thursday saw the discovery of a new Java vulnerability (see New Java vulnerability discovered). Worse, the discovery of this vulnerability came at the same time as discovery that it was already being exploited actively to drop malware onto vulnerable Windows machines. Macs were undoubtedly soon to follow, since several prominent cross-platform “crime kits,” such as Blackhole, are known to have started using this vulnerability. Fortunately, less than 24 hours after this news broke, both Apple and Mozilla (creators of the Firefox web browser) had acted to protect users of their products against this threat.

Both companies have blacklisted all current versions of Java in their web browsers. When Oracle updates Java, that new version will not be on the blacklist, and thus will work fine. Until then, however, users of Java in Safari will find that they cannot use any Java applets on web sites. (This does not have any effect on Java applications that are run directly, rather than in a web browser.)

In the case of Firefox, the security is a bit weaker. Although the plugin is blocked, users can very quickly and easily choose to run the Java applet anyway, through Firefox’s Click To Play feature. Many users have a pattern of behavior that involves just clicking on whatever they need to in order to get things to work, without any thought for the consequences (often, in fact, without ever even reading the warnings). This kind of solution leaves those users in a vulnerable state.
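The two policies described above, modelled as an added example (not code from Apple, Mozilla or the original post): a version gate that refuses every Java plugin release up to a per-line threshold so the next Oracle update passes automatically, and a browser decision that either blocks outright (Safari-style) or falls back to a Click To Play prompt (Firefox-style). The threshold values are constructed for illustration and are not the real blocklist entries.

```python
import re
from typing import Optional, Tuple

# Constructed thresholds: every release up to and including these is blocked.
# Assumed values for illustration, not Apple's or Mozilla's actual blocklist.
BLOCKED_UP_TO = {
    6: (1, 6, 0, 37),   # Java 6 line
    7: (1, 7, 0, 10),   # Java 7 line
}

# Java plugin versions look like "1.7.0_10" (the "_update" part is optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '1.7.0_10' into (1, 7, 0, 10) so versions compare numerically.
    Returns None for anything that does not look like a Java version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_blocked(version_text: str) -> bool:
    """True if the plugin version is on the blocklist.
    Unparseable strings fail closed. A version newer than the threshold for
    its line (e.g. the next Oracle release) is allowed, as is a line with no
    entry at all, mirroring a list that names only known-bad releases."""
    v = parse_java_version(version_text)
    if v is None:
        return True
    threshold = BLOCKED_UP_TO.get(v[1])
    return threshold is not None and v <= threshold


def browser_action(version_text: str, click_to_play: bool) -> str:
    """What the browser does with an applet for this plugin version.
    click_to_play=False is the all-or-nothing policy; True lets the user
    override the block with a click, which is the weaker of the two."""
    if not is_blocked(version_text):
        return "run"
    return "prompt" if click_to_play else "block"
```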

Of course, Apple’s all-or-nothing approach has its disadvantages as well. Although it is by far the more secure solution, it has raised the ire of a few users who rely on Java and who are complaining loudly on public forums. There are ways to get around Apple’s restriction, though I don’t recommend doing so (and won’t discuss them here), as these methods will leave you vulnerable.

There is some confusion as to whether Java 6 may be safe. The National Vulnerability Database’s entry for CVE-2013-0422 (as this vulnerability is called in the security industry) lists versions of Java from Java 4 and up as being vulnerable. However, a contact at a security company told me that they could not get the exploit to run in Java 6. I am not privy to the details of the test, of course, so I don’t know exactly how far to trust that. Java 6 may be safe, or it may simply be that that particular exploit required Java 7, or there may be some other explanation entirely. I would not recommend assuming that Java 6 is safe, even if Apple and Mozilla hadn’t taken the decision out of our hands by blacklisting that, too.

Security measures are never perfect. There are always compromises that must be made between security and usability. Both of these companies have taken different routes in their blacklisting of Java plugins, and both of those routes have their advantages and disadvantages. The most important thing, however, is that both companies acted very quickly to protect their users, and there’s never a downside to that!



7 Comments

  • MC says:

    I have something weird going on with my new Mac purchased in December running the latest O/S. I don’t use Firefox, only Safari. I see a window pop up but go away quickly about every 30 minutes. I can’t read it. I have disabled Java in Safari. I have installed Clamvox and Sophos; neither are detecting viruses. Help, what is this thing?

  • Someone says:

    Clamvox? Or ClamXav?

  • aalien says:

    I asked this in another post but I think it’s more appropriate here:

    — Can I simply delete Java by selecting it and trashing it, right?
    I did it by going to “/Library/Internet/Plug-Ins/JavaAppletPlugin.plugin” and deleting the “JavaAppletPlugin.plugin” file… No problems so far…

    Is that enough? Should I delete the file “Java Preferences” located in the “/Applications/Utilities” folder???

    Is there anything else in OS X 10.8.2? I don’t need it at all and never liked it for years. Since my youth I always had all kinds of Windows problems, and Java always gave me problems too.
    Now, I’m 4 years in peace with mac and want to keep it like that!!!

  • aalien says:

    Found more…

    1 – “/Library/Internet/Plug-Ins/” —-> File “JavaAppletPlugin.plugin”
    2 – “/System/Library/Java/” ——–> Entire folder “Java”
    3 – “/Applications/Utilities” ———> App “Java Preferences”

    Is there more? Can I safely delete the “Java Folder” in the system library?
    I want it all out of the system… :)

  • aalien says:

    Sorry for the late answer… Very busy with university. I searched a little after my comment (that day) and realised that OS X Mountain Lion does not have Java installed, so everything is fine… :D

  • somebody says:

    Does Chrome use Java? I don’t see anywhere that I can disable it.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.