6 Replies Latest reply: Apr 17, 2013 6:54 PM by Frank Caggiano
hawghead Level 1 (0 points)

I disabled Java months ago when there was a security scare but there have been 11 updates since then that I have ignored. Is it safe to use yet according to Apple?

iMac, OS X Mountain Lion
  • Klaus1 Level 8 (47,600 points)

    Don't ignore them - the whole point of them is to make Java safe!

  • hawghead Level 1 (0 points)

    I have Java disabled for months. Is there any reason to keep it updated unless I turn it on again> I am not sure if it is now safe to use according to Apple.

  • Klaus1 Level 8 (47,600 points)

    Apple barred Java from running on Macs in order to safeguard users by blocking Java 7 Update 11 and adding it to the banned list in XProtect.

    This was the second time in two weeks that Apple had blocked Oracle's code from running on Macs. The threat was so serious that the U.S. Department of Homeland Security had recommended that all Java 7 users disable or uninstall the software until a patch was issued. This time Java is blocked through Apple's XProtect anti-malware feature.

    Java has come under fire as the means by which hackers have been able to gain control of computers. In April 2012 more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. Then in August Macs were again at risk due to a flaw in Java, this time around, there was good news for Mac users: Thanks to changes Apple has made, most of us were safe from the threat.


    Unwilling to leave its customers open to potential threats Apple decided it's safer to block Java entirely.

    In order to block older versions of Flash, Apple has updated its "Xprotect.plist" file so that any versions that come before the current one (version 11.6.602.171) cannot be used on a Mac. Users who have older versions of Flash installed will be greeted with an alert that says "Blocked plug-in," and Safari will prompt the user to update to a newer version.

    Macs running OS X Snow Leopard and beyond are affected.


    UPDATE for those running Lion or Mountain Lion:

    Oracle on Friday February 1 released a new version reportedly addressing vulnerabilities seen with the last build.

    Apple disabled Java 7 through the OS X XProtect anti-malware system, requiring users to have at least version "1.7.0_10-b19" installed on their Macs. The release dated February 1 carries the designation "1.7.0_13-b20," meeting Apple's requirements.


    Oracle "strongly recommends" applying the CPU fixes as soon as possible, saying that the latest Critical Patch Update contains 50 new security fixes across all Jave SE products.


    Update for Snow Leopard users:


    Apple issued update 12 for Java for OS 10.6:




    Note:  On systems that have not already installed Java for Mac OS X 10.6 update 9 or later, this update will configure web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate.


    If, after installing Java for OS X 2013-002 and the latest version of Java 7 from Oracle, you want to disable Java 7 and re-enable the Apple-provided Java SE 6 web plug-in and Web Start functionality, follow these steps:


    Further update:


    Apple issued this Java related security update No. 13 on February 19:




    and Update No. 14 on March 4:  http://support.apple.com/kb/DL1573




    And the latest update from April 16, 2013:




    and for Snow Leopard:




    You should also read this:




    The standard recommendation is for users to turn off Java except when they have to use it on known and trusted websites (like their bank). Javascript, which is unrelated despite the name, can be left on.


    Further useful comments in these articles:





  • varjak paw Level 10 (169,815 points)

    The latest release of Java, just released in the last day or two, purports to fix the current known exploits, but since Oracle has claimed that before and more security holes have been found, I still recommend to my users that they keep Java turned off when they don't need to use it with a Java-based web site. The new version of Safari, 6.0.4, now allows you to select specific sites for which Java will be allowed rather than it being on or off gloabally, so that will help a lot. If you don't need Java, though, just keep it turned off.


    There's no harm in accepting the update; that way it won't bug you with the update and you're prepared in the event you do need to use Java.



  • MadMacs0 Level 5 (4,700 points)

    varjak paw wrote:


    The latest release of Java, just released in the last day or two, purports to fix the current known exploits

    Technically, there have not been any known "exploits" that could impact OS X since the Flashback era, just tons of vulnerabilities.


    That being said, all of your advice is sound!

  • Frank Caggiano Level 7 (25,715 points)

    Also the latest release of Safari allows you to configure the browser do that Java will only work on the sites you designate.


    If you enable Java in Safari->Preferences->Security you will get a page in which you can add the sites you want to let Java work in.