Apple and Mozilla act fast to secure Java
Published January 12th, 2013 at 8:42 AM EDT , modified January 12th, 2013 at 8:42 AM EDT
Thursday saw the discovery of a new Java vulnerability (see New Java vulnerability discovered). Worse, the discovery of this vulnerability came at the same time as discovery that it was already being exploited actively to drop malware onto vulnerable Windows machines. Macs were undoubtedly soon to follow, since several prominent cross-platform “crime kits,” such as Blackhole, are known to have started using this vulnerability. Fortunately, less than 24 hours after this news broke, both Apple and Mozilla (creators of the Firefox web browser) had acted to protect users of their products against this threat.
Both companies have blacklisted all current versions of Java in their web browsers. When Oracle updates Java, that new version will not be on the blacklist, and thus will work fine. Until then, however, users of Java in Safari will find that they cannot use any Java applets on web sites. (This does not have any affect on Java applications that are run directly, rather than in a web browser.)
In the case of Firefox, the security is a bit weaker. Although the plugin is blocked, users can very quickly and easily choose to run the Java applet anyway, through Firefox’s Click To Play feature. Many users have a pattern of behavior that involves just clicking on whatever they need to in order to get things to work, without any thought for the consequences (often, in fact, without ever even reading the warnings). This kind of solution leaves those users in a vulnerable state.
Of course, Apple’s all-or-nothing approach has its disadvantages as well. Although it is by far the more secure solution, it has raised the ire of a few users who rely on Java and who are complaining loudly on public forums. There are ways to get around Apple’s restriction, though I don’t recommend doing so (and won’t discuss them here), as these methods will leave you vulnerable.
There is some confusion as to whether Java 6 may be safe. The National Vulnerability Database’s entry for CVE-2013-0422 (as this vulnerability is called in the security industry) lists versions of Java from Java 4 and up as being vulnerable. However, a contact at a security company told me that they could not get the exploit to run in Java 6. I am not privvy to the details of the test, of course, so I don’t know exactly how far to trust that. Java 6 may be safe, or it may simply be that that particular exploit required Java 7, or there may be some other explanation entirely. I would not recommend assuming that Java 6 is safe, even if Apple and Mozilla hadn’t taken the decision out of our hands by blacklisting that, too.
Security measures are never perfect. There are always compromises that must be made between security and usability. Both of these companies have taken different routes in their blacklisting of Java plugins, and both of those routes have their advantages and disadvantages. The most important thing, however, is that both companies acted very quickly to protect their users, and there’s never a downside to that!