4 Replies Latest reply: Feb 6, 2013 12:08 PM by thomas_r.
Ricki A. Mc Mahon Level 1 (5 points)

I'm not tech savvy. I know Apple disabled all Java plug-ins because of security issues. I'm glad they did.

With this new update 12, is it now safe to run Java, or is this to pacify those that aren't as security conscious and were trying to find workarounds to run it anyway?

If I understand the notes with this update, we can elect to enable Java per website or item requiring Java. I'm not sure what this means about the security of it.

For ex: I went to CNBC this morning, before checking for sw updates, and clicked on a video. I couldn't run it because I was missing the plug-in. I would assume that once I run this update, it would be safe on this website to run Java... but I'm not sure. Many websites I wouldn't know whether it's safe to enable or not.

Given how this update is worded and what it's doing with the choice to enable Java, I don't know whether Java is safe to run or not.

Apple also talks about a PGP Security Key. Is this something for programmers/developers or all of us? I don't understand what it is, what it's for, or how to use it.

Would someone please explain it in simple terms.

Thank you.

MacBook Pro (15-inch Mid 2009), Mac OS X (10.6.8)
  • Linc Davis Level 10 (192,897 points)

    The update supposedly blocks all attacks on Java that are currently known. That doesn't mean it's safe.

    Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was never a good idea, and Java's developers have had a lot of trouble implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style "virus" affecting OS X. Merely loading a page with malicious Java content could be harmful. Fortunately, Java on the Web is mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java). Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers. In Safari, this is done by unchecking the box marked Enable Java in the Security tab of the preferences dialog.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a specific task, enable Java only when needed for the task and disable it immediately when done. Close all other browser windows and tabs, and don't visit any other sites while Java is active. Never enable Java on a public web page that carries third-party advertising. Use it only on well-known, password-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
  • thomas_r. Level 7 (30,749 points)

    Java should never be considered to be safe at this point. It has had countless security holes that have been repeatedly exploited over the last couple years (at least), one of which was responsible for around 600,000 Macs being infected with the Flashback malware last year. Recently, it seems that every time Oracle fixes one vulnerability, new ones are discovered less than a week later. (This has literally happened twice recently, with new vulnerabilities being discovered just a day or two after the previously known ones were fixed.)

    So, avoid Java if you can. If a site is not essential to your life somehow and requires Java, skip it. Boycott it. If there are sites that are essential to you somehow, use them only in a separate browser with Java enabled, and use that browser for nothing other than those specific sites. Use a different browser for everything else, and keep Java disabled in that browser.

  • MrHoffman Level 6 (14,849 points)

    Simple? Don't install Java on 10.7 and later. Since it's also been widely attacked, you might not want to install Adobe Flash, or — if it's installed — you might want to deinstall Adobe Flash.

    Somewhat less simple? Shut off the Java JVM web plug-in in each browser you have, and leave it turned off. Disabling the Java JVM web plug-in in Safari doesn't prevent you from running (for instance) Minecraft locally; it just blocks the path that the Java attacks have recently been using to breach Java.

    Less simple? Install and use a plug-in manager — plug-in blocking tool — to prevent access to Java and Flash, and only allow it for content you need. One of the available Safari extensions that provides this block is ClickToPlugin. You'll need one of these for each different web browser you use.

    Reports that SpeedTest was breached appeared recently, and that site was reportedly serving Java malware, so filtering by a trusted web site can potentially get you in trouble, if there's a Java attack active, and if the attackers have breached a server you use.

  • thomas_r. Level 7 (30,749 points)

    Extensions like ClickToPlugin cannot actually protect you against all Java applets. There's a note about this on the ClickToPlugin page.

    Edit: Under the Overview of Features section, you will find the following note:

    ClickToPlugin does not block <applet> elements. These elements are used to embed Java applets into web pages and launch a Java plug-in. The reason is that they cannot be blocked.