Java security threats: What you need to know

Rich Mogull | Aug. 31, 2012
First, the bad news. Once again, Mac users are at risk due to a flaw in Java, similar to the one that enabled the Flashback Trojan. Even worse, there isn't (yet) a patch to fix that vulnerability. But don't worry: this time around, there's good news for Mac users. Thanks to changes Apple has made, most of us are likely to be safe from this threat.

The first, and most important, reason is that relatively few Macs are running the vulnerable version of Java. Any operating system running JRE 1.7 is affected, but the attack doesn't work against JRE 1.6, and 1.6 is the version that Mac users have installed (assuming they use Java at all).

The only way to update from Java 6 (1.6), the last version supported by Apple, to Java 7 is by manually downloading and installing it from Oracle. And apparently few Mac users have done so: according to a representative of Crashplan, the online backup service that uses Java for its client app, none of that company's users (who must have Java installed) are using the vulnerable version.

The second reason you don't have to worry, even if you do have Java 7 installed, is that Apple by default disabled Java applet support in Web browsers in its most recent Java security update. Starting with OS X 10.7 Lion, Java isn't installed by default anyway. And even if you do turn on Java, OS X will turn it off again if you don't use it for a while.

Many users do install Java for websites or applications (like Crashplan) that require it. But, again, even if you did install Java, the odds are very, very good that you aren't running a vulnerable version.

What you should do

There are two simple ways to check to see if you're vulnerable to this latest threat.

This is what you want your Java Preferences to look like.

The first option is to run the Java Preferences app (/Applications/Utilities/). On the General tab it shows the version of Java you have installed. If it says you're running Java SE 7, and if the Enable Applet Plug-in and Web Start Applications option is checked, you are exposed. If it says Java SE 6, or if that applet option isn't checked, you're safe.

You can also check your version by opening Terminal and typing java -version. This time you want to make sure the response isn't 1.7. If it is, don't be too alarmed; you can't be exploited if you don't also have that browser support turned on in the Java Preferences app.

If you are vulnerable, immediately uncheck that Enable Applet Plug-in and Web Start Applications option in the Java Preferences app. Doing so isn't a perfect defense, but it does prevent malicious websites from exploiting you. (You could still be tricked into downloading an exploit that you would run manually.)

Using the Java Preferences application is more reliable than disabling Java in your browser since it blocks it from all browsers at once. This allows you to still use Java on your Mac, but without the risk of being infected through your web browser.
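If you manage more than one Mac, the Terminal check above is easy to script. The following is an added example, not part of the original article: it parses the text that `java -version` prints (to stderr) and reports the branch the way the article classifies it, with 1.7 as affected and 1.6 as not affected. The two sample outputs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: classify `java -version` output per the article (JRE 1.7 affected, 1.6 not).

# Constructed sample outputs, in the format `java -version` uses.
SAMPLE_17='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'
SAMPLE_16='java version "1.6.0_35"
Java(TM) SE Runtime Environment (build 1.6.0_35-b10)
Java HotSpot(TM) 64-Bit Server VM (build 20.10-b01, mixed mode)'

# Extract the "1.x" branch from the first `java version "..."` line; prints nothing if absent.
java_branch() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([0-9]*\.[0-9]*\)[^"]*".*/\1/p' | head -n 1
}

# Map the branch to a verdict: affected / not-affected / not-installed / unknown.
# "unknown" covers output with no version line (e.g. a launcher stub with no runtime behind it).
classify_java() {
    branch=$(java_branch "$1")
    case "$branch" in
        1.7) echo affected ;;
        1.6) echo not-affected ;;
        "")  if [ -z "$1" ]; then echo not-installed; else echo unknown; fi ;;
        *)   echo unknown ;;
    esac
}

# Live check for the host this runs on; `java -version` writes to stderr, hence 2>&1.
check_this_host() {
    if command -v java >/dev/null 2>&1; then
        classify_java "$(java -version 2>&1)"
    else
        echo not-installed
    fi
}

echo "sample 1.7: $(classify_java "$SAMPLE_17")"
echo "sample 1.6: $(classify_java "$SAMPLE_16")"
echo "this host:  $(check_this_host)"
```

The verdict only covers the runtime version; whether the applet plug-in is enabled still has to be confirmed in the Java Preferences app as described above.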
