
Java security threats: What you need to know

Rich Mogull | Aug. 31, 2012
First, the bad news. Once again, Mac users are at risk from a flaw in Java, similar to the one that enabled the Flashback Trojan, and there isn't (yet) a patch for it. Now the good news for Mac users: thanks to changes Apple has made, most of us are likely to be safe from this particular threat.

The safest way to keep using Java

If, like me, you still need Java in your web browser, I recommend the following steps. They reduce your risk, and they are worth keeping as an ongoing practice even if you aren't running the vulnerable version of Java, because attacks on Java aren't going to slow down anytime soon.

First, manually disable Java in each of your web browsers. This is the browser's own switch, independent of the system-wide Java Preferences setting, so even if you already turned Java off in Java Preferences, it will keep the plug-in from running if you ever change that setting (which we are about to do). In Google Chrome, type chrome://plugins in the address bar and click the link to disable Java. In Safari, go to Safari > Preferences and uncheck Enable Java on the Security pane. In Firefox, go to Tools > Add-ons > Plugins and disable Java Plug-In.

Next, re-enable Java applet support in the Java Preferences application (or wait for your Mac to automatically prompt you the next time you need it).

Third, pick a secondary browser that you never normally use and re-enable Java in it. For example, I use Chrome as my primary browser, and I disabled Java in it. I almost never use Firefox, but I still have it installed and Java is enabled in it. This protects me as I browse around the Web. (I also use Safari for development testing, so I keep Java disabled there too.) Whichever browser you choose as your secondary one, use it only when you know you need Java and you are visiting a site you know. I mostly need Java for presenting webcasts, so when I hit a site I must use that requires Java, I open it in my backup browser.

Disabling Java in your day-to-day browser and keeping a second browser for Java needs isn't perfect (the secondary browser is just as exposed as any other while Java is running in it), but it does offer a lot of protection. It's easier to live with than a tool like NoScript, which blocks Java on a per-site basis but which many non-technical users find cumbersome. (I actually run NoScript in Firefox as another layer of protection, but I'm a raging security geek.)

Another option is to access Java sites only from inside a virtual machine. I run VMware Fusion (and sometimes Parallels Desktop) and frequently use Windows virtual machines for visiting those non-Mac-compatible websites I sometimes need for work (again, usually old webcast systems). I keep a baseline snapshot of my virtual machines, and revert to those after any risky activity.
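The snapshot-and-revert routine above can be scripted so it is never skipped. The following is an added example, not code from the article or from VMware: a small POSIX shell wrapper around VMware Fusion's vmrun command-line tool that refuses to run unless a clean snapshot exists, reverts to it before a Java session, and reverts again afterwards so anything a drive-by applet left behind is discarded. It assumes vmrun is on the PATH, that a snapshot named "baseline" was taken while the VM was in a known-clean state, and a hypothetical VM path (set VMX to your own .vmx file).

```shell
#!/bin/sh
# Disposable-VM wrapper for Java sessions. Added example; not the article's or
# VMware's own code. Requires VMware Fusion's "vmrun" CLI on the PATH.
# VMRUN can be overridden to point at another vmrun binary (or a stub).
VMRUN="${VMRUN:-vmrun}"
# Hypothetical VM location; replace with your own .vmx path.
VMX="${VMX:-$HOME/Documents/Virtual Machines.localized/Java-only.vmwarevm/Java-only.vmx}"
# Name of the snapshot taken in a known-clean state (assumed to exist).
SNAPSHOT="${SNAPSHOT:-baseline}"

# Succeeds only if a snapshot with exactly this name exists on the VM.
# vmrun prints a "Total snapshots: N" line followed by one name per line.
has_snapshot() {
    "$VMRUN" -T fusion listSnapshots "$VMX" | grep -qx "$SNAPSHOT"
}

# Throw away whatever happened inside the VM and return to the clean image.
# Refuses to proceed if the baseline is missing rather than running "dirty".
revert_to_baseline() {
    if ! has_snapshot; then
        echo "no snapshot named '$SNAPSHOT' on $VMX; take one from a clean state first" >&2
        return 1
    fi
    "$VMRUN" -T fusion revertToSnapshot "$VMX" "$SNAPSHOT"
}

# One Java session: start from the clean snapshot, let the user work, then
# shut the VM down and revert so the session leaves no trace.
java_session() {
    revert_to_baseline || return 1
    "$VMRUN" -T fusion start "$VMX" gui
    echo "VM is running from the '$SNAPSHOT' snapshot; press Enter when finished." >&2
    read dummy
    "$VMRUN" -T fusion stop "$VMX" soft || "$VMRUN" -T fusion stop "$VMX" hard
    revert_to_baseline
}

# Command dispatch, only when invoked with an argument:
#   java-vm.sh session   start a clean session and revert afterwards
#   java-vm.sh revert    just discard the current VM state
if [ $# -gt 0 ]; then
    case "$1" in
        session) java_session ;;
        revert)  revert_to_baseline ;;
        *) echo "usage: $0 session|revert" >&2; exit 2 ;;
    esac
fi
```

Reverting before the session as well as after it means a forgotten revert, or a crash mid-session, cannot carry state into the next one. Note that this only contains what happens inside the VM; credentials you type into it are still exposed to whatever ran there.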

We dodged a bullet

For once, being a software version behind worked to the advantage of Mac users, and almost no Mac users are at risk from the latest Java exploits. But, as we've seen with Flashback and this recent attack, Java remains a prime target, so I'd recommend that all users protect themselves, even if you aren't currently at risk. Disable Java if you don't need it, turn it off in your browsers if you don't need it there, and if you have no choice, use it only under controlled circumstances.
