You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Using Java temporarily safely

Hello,

I don't have Java installed yet but I need it temporarily.

Can having it installed pose a threat even if I only use .jar files I know are safe?

In other words, can an app that is already installed use Java without asking for permission?

Thank you!

macOS Sierra (10.12.6)

Posted on May 14, 2018 10:24 AM

Reply
5 replies

May 21, 2018 1:45 PM in response to rkaufmann87

Yes, you can, when using Safari (other browsers untested). It requires installing Java, activating Java for browsers (the plugin), the activating it in the browser (Safari: Preferences > Websites > Java, keep it off for other websites, but allow it for specific/currently open sites (Ask/Off/On).

You can turn off Java in the System Preferences Pane at any time. You can turn off Java in the browser’s preferences at any time. You can turn on Java for local programs, but keep it off for internet. You can set ‘Enhanced Security Restrictions’. Quite flexible, just don’t keep it on because you forgot it.


The Java that Apple supplied (up to v6, now called Legacy) was not inherently safer than Oracle’s Java (v10 now); it needed the same security patches as other platforms. The cool thing about Java is that a programmer can easily ‘port’ their code to any platform that works with Java. The downside is the number of vulnerabilities found, designed to bypass security measures and execute arbitrary code on behalf of others (e.g. be part of a botnet).


There is no such thing as a safe site w.r.t. Java: the owner of the compromised site is generally a victim too. That makes the Allowed-list a bit awkward. That’s why there are Java certificates, a bit like SSL certificates and Mac identified developers, so that the authenticity can be verified with a ‘circle of trust’: once revoked, the certificate is revoked on every check from then on.

May 21, 2018 1:45 PM in response to coxorange

Shall I use this version: javaforosx.dmg or really go to the Oracle website to get the latest version?

One may work while the other does not, for what you intend to do.

If a developer codes a java applet, he or she will develop for a range of compatible Java versions (the more versions, the more difficult his work; just like a Mac app for a range of macOS versions). If what your applet needs is Java RE 6, then get the Apple version. If your applet needs Java RE 8 or later, then you will have to go with Oracle’s version.

Using Java temporarily safely

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.