If you have Java running on your Mac, you need to stop reading this post and immediately go disable it. I’ll wait. The latest update for Java 7 has a serious security flaw in it. In fact, it is so serious that the US Department of Homeland Security has issued a bulletin recommending that it be completely disabled for Macs and PCs.
ZDNet posted a quote from CERT (Computer Emergency Readiness Team), which is part of the DHS, in which they stated:
“We are currently unaware of a practical solution to this problem,” said the DHS’ Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. “This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.”
The exploit is significant: it could potentially turn your Mac into a bot or could expose personal information to thieves for identity theft. At the very least, users should disable the Java plug-in in Safari or do what I’ve done, which is uninstall Java completely from your Mac.
To disable Java in Safari, open Safari, then go to Preferences and click the Security tab. Remove the checkboxes in the Java related items. This will disable Java in Safari but will keep Java on your Mac should you need it for some other reason. Note that some sites are highly dependent on Java and they may not render correctly or at all.
[Image: Disabling Java in Safari]
If you want to uninstall Java completely from your Mac, open up Finder, then search for JavaAppletPlugin.plugin. Once you find it, move it to the Trash and that will uninstall it from your Mac.
[Image: Uninstalling Java 7 from your Mac]
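For anyone checking more than one Mac, here is a small shell check for leftover copies of the plug-in. It is an added example, not part of the original post; the bundle name comes from the post, while the two search directories are the standard macOS plug-in locations and are an assumption about where to look.

```shell
#!/bin/sh
# Added example: audit a Mac for the Java browser plug-in bundle.
# PLUGIN_NAME is the bundle named in the post. The default search
# directories at the bottom are an assumption (standard macOS locations).
PLUGIN_NAME="JavaAppletPlugin.plugin"

# Print every copy of the plug-in bundle found under the given
# directories, one path per line. Missing directories are skipped.
find_java_plugin() {
    for fjp_dir in "$@"; do
        [ -d "$fjp_dir" ] || continue
        # -prune stops find from descending into the bundle itself.
        find "$fjp_dir" -type d -name "$PLUGIN_NAME" -prune -print 2>/dev/null
    done
}

# Return 0 when no copy is present and 1 when at least one remains,
# so the result can gate a fleet compliance check after the uninstall.
java_plugin_absent() {
    jpa_hits=$(find_java_plugin "$@")
    if [ -n "$jpa_hits" ]; then
        printf 'Java plug-in still present:\n%s\n' "$jpa_hits" >&2
        return 1
    fi
    return 0
}

# Check the system-wide and per-user plug-in directories.
java_plugin_absent "/Library/Internet Plug-Ins" \
    "${HOME:-}/Library/Internet Plug-Ins" \
    && echo "No $PLUGIN_NAME found."
```

This only confirms the browser plug-in bundle is gone; it does not look for other Java installations on the machine.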
To this point, there is no known fix for this issue, and literally hundreds of millions of Windows PCs, Macs and other devices are at risk.
It is not uncommon for a government agency to issue warnings about security issues with software, but it is rare that they recommend disabling software. Clearly the DHS feels this one is worth paying attention to and eliminating from people’s computers.
There has been no word from Oracle, the makers of Java, on when a fix for this latest security issue will be issued. Given how high profile this particular flaw in Java is, hopefully they will make it sooner rather than later.