
Is Java safe to use yet?

hawghead
Apr 17, 2013 6:18 AM

I disabled Java months ago when there was a security scare but there have been 11 updates since then that I have ignored. Is it safe to use yet according to Apple?

iMac, OS X Mountain Lion
  • Klaus1 Level 8 (43,350 points)
    Apr 17, 2013 6:26 AM (in response to hawghead)

    Don't ignore them - the whole point of them is to make Java safe!

  • Klaus1 Level 8 (43,350 points)
    Apr 17, 2013 7:00 AM (in response to hawghead)

    Apple barred Java from running on Macs in order to safeguard users by blocking Java 7 Update 11 and adding it to the banned list in XProtect.

    This was the second time in two weeks that Apple had blocked Oracle's code from running on Macs. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued. This time Java is blocked through Apple's XProtect anti-malware feature.

    Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Then in August Macs were again at risk due to a flaw in Java; this time around, there was good news for Mac users: thanks to changes Apple has made, most of us were safe from the threat.

    Unwilling to leave its customers open to potential threats, Apple decided it's safer to block Java entirely.

    In order to block older versions of Flash, Apple has updated its "Xprotect.plist" file so that any versions that come before the current one (version 11.6.602.171) cannot be used on a Mac. Users who have older versions of Flash installed will be greeted with an alert that says "Blocked plug-in," and Safari will prompt the user to update to a newer version.

    Macs running OS X Snow Leopard and beyond are affected.

     

    UPDATE for those running Lion or Mountain Lion:

    Oracle on Friday February 1 released a new version reportedly addressing vulnerabilities seen with the last build.

    Apple disabled Java 7 through the OS X XProtect anti-malware system, requiring users to have at least version "1.7.0_10-b19" installed on their Macs. The release dated February 1 carries the designation "1.7.0_13-b20," meeting Apple's requirements.

     

    Oracle "strongly recommends" applying the CPU fixes as soon as possible, saying that the latest Critical Patch Update contains 50 new security fixes across all Java SE products.

     

    Update for Snow Leopard users:

    Apple issued update 12 for Java for OS 10.6:

    http://support.apple.com/kb/DL1573

    Note:  On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.

    If, after installing Java for OS X 2013-002 and the latest version of Java 7 from Oracle, you want to disable Java 7 and re-enable the Apple-provided Java SE 6 web plug-in and Web Start functionality, follow these steps:

    http://support.apple.com/kb/HT5559?viewlocale=en_US

    Further update:

    Apple issued this Java related security update No. 13 on February 19:

    http://support.apple.com/kb/HT5666

    and Update No. 14 on March 4:  http://support.apple.com/kb/DL1573

    http://support.apple.com/kb/HT5677

    And the latest update from April 16, 2013:

    http://support.apple.com/kb/DL1572

    and for Snow Leopard:

    http://support.apple.com/kb/DL1573

    You should also read this:

    https://support.apple.com/kb/HT5672

     

    The standard recommendation is for users to turn off Java except when they have to use it on known and trusted websites (like their bank). JavaScript, which is unrelated despite the name, can be left on.

     

    Further useful comments in these articles:

     

    http://www.macworld.co.uk/macsoftware/news/?newsid=3435007&olo=email

     

    http://www.macworld.co.uk/digitallifestyle/news/?newsid=3437378&olo=email
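
The minimum-version requirement described in the post above (at least "1.7.0_10-b19", met by "1.7.0_13-b20") can be checked across a set of machines with a small script. This is an added example, not part of the original thread and not Apple's XProtect code; the function names and the sample inventory are constructed, and a missing update or build number is assumed to count as 0.

```python
import re

# Legacy Java version strings look like "1.7.0_13-b20"; the update
# ("_13") and build ("-b20") parts may be absent, e.g. "1.7.0".
_JAVA_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

# Minimum version quoted in the post above.
MINIMUM = "1.7.0_10-b19"

# Constructed sample data: hypothetical host names and reported versions.
SAMPLE_INVENTORY = {
    "imac-01": "1.7.0_13-b20",   # the February 1 release named in the post
    "imac-02": "1.7.0_10-b18",   # same update as the minimum, older build
    "mbp-03": "1.7.0_09-b05",    # older update
    "mini-04": "not installed",  # no usable version string
}


def parse_java_version(text):
    """Return (major, minor, patch, update, build) as integers.

    Comparing integer tuples avoids string-comparison mistakes.
    Raises ValueError if the string is not a legacy Java version.
    """
    m = _JAVA_VERSION.match(text.strip())
    if m is None:
        raise ValueError("unrecognised Java version string: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def meets_minimum(installed, minimum=MINIMUM):
    """True if the installed version is at or above the minimum."""
    return parse_java_version(installed) >= parse_java_version(minimum)


def audit(inventory, minimum=MINIMUM):
    """Map each host needing attention to a reason.

    Fails closed: a version that cannot be parsed is flagged rather
    than silently treated as compliant.
    """
    flagged = {}
    for host, version in sorted(inventory.items()):
        try:
            if not meets_minimum(version, minimum):
                flagged[host] = "below minimum"
        except ValueError:
            flagged[host] = "unparseable"
    return flagged


if __name__ == "__main__":
    for host, reason in audit(SAMPLE_INVENTORY).items():
        print(host, reason)
```
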

  • varjak paw Level 10 (167,130 points)
    Apr 17, 2013 7:02 AM (in response to hawghead)

    The latest release of Java, just released in the last day or two, purports to fix the current known exploits, but since Oracle has claimed that before and more security holes have been found, I still recommend to my users that they keep Java turned off when they don't need to use it with a Java-based web site. The new version of Safari, 6.0.4, now allows you to select specific sites for which Java will be allowed rather than it being on or off globally, so that will help a lot. If you don't need Java, though, just keep it turned off.

     

    There's no harm in accepting the update; that way it won't bug you with the update and you're prepared in the event you do need to use Java.

     

    Regards.

  • MadMacs0 Level 4 (3,320 points)
    Apr 17, 2013 5:58 PM (in response to varjak paw)

    varjak paw wrote:

     

    The latest release of Java, just released in the last day or two, purports to fix the current known exploits

    Technically, there have not been any known "exploits" that could impact OS X since the Flashback era, just tons of vulnerabilities.

     

    That being said, all of your advice is sound!

  • Frank Caggiano Level 7 (22,760 points)
    Apr 17, 2013 6:54 PM (in response to hawghead)

    Also the latest release of Safari allows you to configure the browser so that Java will only work on the sites you designate.

     

    If you enable Java in Safari->Preferences->Security you will get a page in which you can add the sites you want to let Java work in.
