Apple has released two important updates, one for Safari and one for Java. The updates, which are available via Software Update, bring new site-by-site Java support along with other security updates.
The Safari update brings the version up to 6.0.4 and allows you to choose, on a site-by-site basis, whether to enable, disable or partially allow Java plug-in access. This is something that many have wanted, me included, given the security challenges of Java but the need for it on particular sites. In my case, disabling Java completely was never an option as I have to have it on some of the sites for my day job. Now Safari has an option on the Preferences>Security tab that allows you to manage Java on a per-site basis.
For those who are running Snow Leopard, the Safari update takes you to version 5.1.9.
Along with the Safari update, Apple has released a Java update. This update, Java for OS X 2013-003 (Mountain Lion) and Java for Mac OS X 10.6 Update 15, brings the supported Apple version of Java to the latest version of Java 6, which was released on Tuesday by Oracle.
Both of these updates are available via the Software Update function in OS X and both are free to download. The Safari update is approximately 47MB in size while the Java update weighs in at 67MB.
If you missed all the fun yesterday, Apple had several employees hacked. The exploit made its way into the Cupertino Macs via, wait for it, Java. Yes, that programming language applet that we all hate but seemingly cannot divorce (as a colleague of mine said, “a bugger you can’t flick”) has become THE gateway for malware into Macs. It would seem that Apple themselves are not immune.
Not sitting back on this one, Apple has released a Java update today to fix this and make other improvements. Here is the summary from the Apple Support Page:
This release updates the Apple-provided system Java SE 6 to version 1.6.0_41 and is for OS X versions 10.7 or later.
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.
This update also removes the Java Preferences application, which is no longer required to configure applet settings.
Mac users are recommended to install this update immediately as it is available now in the Mac App Store under Updates. Even if you do not normally use Java you should install this update. This release supersedes any previous updates.
To get the update, open up the App Store on your Mac and go to the Updates tab.
If you have Java running on your Mac, you need to stop reading this post and immediately go disable it. I’ll wait. The latest update for Java 7 has a serious security flaw in it. In fact it is so serious, the US Department of Homeland Security has issued a bulletin recommending that it be completely disabled for Macs and PCs.
ZDNet posted a quote from CERT (Computer Emergency Readiness Team), which is part of the DHS, where they stated:
“We are currently unaware of a practical solution to this problem,” said the DHS’ Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. “This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.”
The exploit is significant: It could potentially turn your Mac into a bot or could expose personal information to thieves for Identity Theft. At the very least users should disable the Java plug-in in Safari or do what I’ve done, which is uninstall Java completely from your Mac.
To disable Java in Safari, open Safari then go to Preferences and tap the Security Tab. Remove the checkboxes in the Java-related items. This will disable Java in Safari but will keep Java on your Mac should you need it for some other reason. Note that some sites are highly dependent on Java and they may not render correctly or at all.
If you want to uninstall Java completely from your Mac, open up Finder then search for JavaAppletPlugin.plugin. Once you find it, move it to the Trash and that will uninstall it from your Mac.
To this point there is no known fix for this issue and literally hundreds of millions of Windows PCs, Macs and other devices are at risk.
It is not uncommon for a government agency to issue warnings about security issues with software, but it is rare that they recommend disabling software. Clearly the DHS feels this one warrants people's attention and the removal of Java from their computers.
There has been no word from Oracle, the makers of Java, on when a fix for this latest security issue will be issued. Given how high-profile this particular flaw in Java is, hopefully they will make it sooner rather than later.