
Should I be wary of Java and Adobe?

Just chatting to my son recently about MacDefender etc. etc., he mentioned that some of the Microsoft discussion pages were expressing concern about the inherent safety qualities of Java and Adobe. The suggestion was that these could be weak links in the security required against MacDefender, amongst other bugs.


Okay, if we can avoid any banter about Microsoft, would any of our kind people answering forum questions have any idea of the truth behind the suggestion?


And one step further. If these could be problematic sources, would it be possible, indeed practical to disable Java and Adobe and operate a Mac without them? I ask the question because I seem to recall reading that Apple were trying to divorce themselves from Adobe in particular not too long ago.


Message was edited by: seventy one

Posted on Jul 1, 2011 3:41 PM

Question marked as Best reply

Posted on Jul 1, 2011 4:54 PM

The MacDefender malware actually uses JavaScript to pop up a window in order to fool users into clicking and downloading.


Java just got an update for OS X (Apple handles Java for OS X) and has had numerous security issues with bad websites.


Flash is the same category as Java, a real POS.



You can check the status of your plug-ins here:


https://www.mozilla.com/en-US/plugincheck/



You can turn off Java in Safari preferences and likely never have a need to use it. If you see the coffee cup symbol on a web page where something should be running, that would be Java. You could turn that back on temporarily.


Flash is used quite a bit more than Java, so you can install a Click2Flash extension for Safari and this way Flash is off by default unless you click on a Flash element to run it.


JavaScript is used quite often on many webpages; out of hundreds of web sites I visit a day, perhaps 5-8 of them I need to turn on JavaScript for or else it won't work. (Some I don't need it as I can read it just fine.)


For Safari, going to the Preferences ten times a day to turn JavaScript on/off isn't an option.



So what I do is use the Firefox web browser and an add-on called NoScript.


NoScript is a web cop, basically not allowing websites to pull trickery on you as you surf. It also turns off ALL scripts (Java, JavaScript, Flash, Silverlight etc.) by default.


If you need the scripts to run, you click a toolbar button and they are enabled for that site only, for that time only.


So this way one reduces their exposure window to malicious or compromised sites waiting for the next drive-by victim with all their scripts running.


Other add-ons are Adblock Plus, Ghostery (web bugs), BetterPrivacy (deletes hidden Flash cookies), HTTPS Everywhere (asks websites for a secure connection), Certificate Patrol (helps you keep an eye out for stolen certificates), Flagfox (IP of site and background check) and WOT (Web of Trust).

Jul 1, 2011 8:23 PM in response to seventy one

Short answer: yes.


Just to add to what ds store has written, Java and JavaScript are two different animals. They are easily confused because of the similarity of their names. JavaScript adds functionality to certain web pages. Many sites will still function well enough without it. Some absolutely need it. Like ds store, I use Firefox with NoScript, which keeps JavaScript turned off and which can be allowed to run selectively within a site. Many exploits, including the MacDefender Trojan, get through via JavaScript. I haven't seen it yet and I've visited Google Images, which has been deeply infested with the Trojan, many times.


There are Java exploits as well, through Java applets -- small programs -- that, like JavaScript, add certain functions to sites. I generally keep Java disabled and have it set not to run in NoScript unless allowed. I don't often encounter a site that requires a Java applet. If I do, I make sure it is one I can trust.


As for Adobe, Flash and Reader are easy targets and under relentless attack. Flash is constantly being patched to keep up with the latest "critical vulnerability." Reader also. I have Reader, but my default PDF program is Preview.


As the home page of NoScript used to say, "because the web is a jungle."

Jul 2, 2011 4:11 AM in response to WZZZ

It's probably worth mentioning that Java is developed by a committed community with an oversight by Oracle. This community take all security issues in Java very seriously and work hard to eliminate them when they're discovered. I've been involved with Java from its very beginning about 15 years ago, and even then it was designed with security in mind, so the number of exploitable security holes in Java is very few and reducing all the time.


The idea that Java is a leaky sieve that will immediately corrupt your computer with malware is just a myth.


As long as you keep your Java up to date then you are as safe with Java as you are with any other technology.


Bob

Jul 2, 2011 5:41 AM in response to Bob Lang1

Bob Lang1 wrote:


I've been involved with Java from its very beginning about 15 years ago, and even then it was designed with security in mind, so the number of exploitable security holes in Java is very few and reducing all the time.



Yeah, revealing the user's computer's internal IP to malicious sites is a real security feature. Not.


As long as you keep your Java up to date then you are as safe with Java as you are with any other technology.


Another Flash update headache here we come. *rolls eyes*

Jul 2, 2011 5:36 AM in response to Bob Lang1

Apple Pushes Fixes for 11 Java Vulnerabilities in Mac OS X



Apple Patches Java in Mac OS X Leopard and Snow Leopard


Apple patched 27 Java vulnerabilities in its latest update to close security flaws that allowed malicious Java applets to execute outside the browser.




I guess you could take comfort in the fact that these patches were released. Or you could be alarmed that so many were needed. And, you might be asking yourself, what's next? There have been a flurry of attacks over the past few years.



The lag time often exposed Mac users who remained unprotected after the vulnerabilities were publicized and other platforms had already fixed the issues....

Apple not exactly up to speed, either.

Jul 2, 2011 2:19 PM in response to Bob Lang1

ds store wrote:


Yeah, revealing the user's computer's internal IP to malicious sites is a real security feature. Not.

Bob Lang1 wrote:


I've been involved with Java from its very beginning about 15 years ago


Bob Lang1 wrote:

It's taken 15 years for anyone to discover that hole and it's now fixed. Are you going to reject OS X next time it has a security hole? If so, you're soon going to run out of technologies.



java.net.InetAddress.getLocalHost()


Is NOT a "hole" but an actual command feature of Java that exists today.



One can test that right here on this site:


http://www.kidslovepc.com/javascript/javascript_ip_lan.shtml


Yep, still works, fully updated too.



Now what Bob?

Jul 2, 2011 5:27 PM in response to seventy one

I don't think there is anything wrong with bringing Microsoft into the mix. They are in much the same boat as Apple. Microsoft doesn't want to be dependent upon Adobe for their interactive web experience any more than Apple does. While Microsoft has Silverlight, it hasn't caught on as well as they had hoped. Microsoft isn't the Microsoft they once were. Like Apple, Microsoft is focusing on HTML5 support for the future.


Java is not a big deal because there is very little Java web content. I haven't seen an applet in years.
