Posted on August 6th, 2012 at 4:33 PM EDT
Many people using the latest versions of Mac OS X (10.7, aka Lion, and 10.8, aka Mountain Lion) have had problems getting Java applets to run. This is causing a great deal of confusion, and even some hard feelings, especially amongst those who have upgraded from older systems where Java worked just fine. Fortunately, the problem is easily fixed. However, before you fix it, you need to ask yourself an important question: “Should I fix it?”
A little background is important in understanding why these changes have been made. Apple has, for some time now, been trying to distance itself from Java. That strategy involved, among other things, no longer including Java as a part of the system by default, as Apple had done in Mac OS X 10.6 (Snow Leopard) and earlier. Apple’s reasons for doing this are many, but one of them may have been security. Java has suffered from serious security vulnerabilities from time to time. Apple has always been responsible for Java updates on the Mac, and those updates have typically been released at a bit of a delay after they are available to other systems. By handing sole responsibility for updates of Java 7 (and up) in the future to Oracle, and by removing Java as a part of the system in Lion and up, Apple increased the security of Mac OS X.
Unfortunately, they acted too late, and in February of 2012, a new variant of the Flashback malware appeared that relied on Java vulnerabilities. All users of the versions of Java supplied by Apple were vulnerable. Lion users were safe unless they had installed Java, while all Snow Leopard users were fully vulnerable. Apple eventually managed to get a Java update out, but not until Flashback had infected more than 600,000 Macs and made international headlines.
Part of Apple’s response to Flashback involved an additional layer of security with respect to Java: disabling it. On machines that have Java installed, Java was disabled after Apple’s security updates. Further, the system now monitors Java usage, and if Java hasn’t been used in 35 days, it gets disabled once again. This makes for a far more secure system, but does cause some problems for users who need Java and who aren’t aware of this background!
Why you shouldn’t use Java
I know that you probably came here looking for a way to use Java, but I’m going to first tell you why that’s a bad idea. Unfortunately, some people simply need to use Java and don’t really have the choice of not using it, but it is still important to understand why using it is dangerous, so that you can take appropriate precautions.
As I mentioned earlier, Java can be a significant security risk. It has been used a lot recently as a method of installation by malware, such as Flashback, Tibet, Sabpab, Maljava, GetShell and Crisis. Some of those relied on vulnerabilities in Java that have already been fixed, while others used a Java-based “social exploit” to trick the user into allowing system modifications. Then, in late August of 2012, another vulnerability surfaced and was exploited to install malware on Windows machines and, reportedly, on a few Macs. Based on Java’s history of vulnerabilities, it is highly likely that other vulnerabilities will be found and exploited at some point in the future. If you’ve got Java, you could end up infected. By not installing Java, or keeping it disabled, you are safe from the majority of the Mac malware that has appeared within 2012, at the time of this writing.
How to use Java if you need to
If you have to use Java, or if you just really, really want to, there are two things you need to do. First, if you are using Lion or Mountain Lion, you need to install Java. One way of doing that is by opening any app that relies on Java. The easiest way of doing that is to go to the Utilities folder, which is in the Applications folder, and open the Java Preferences app. When you do, you will be asked if you want to install a “Java SE 6 runtime.” Click the Install button and Java will be installed.
Once you have installed Java, or if you are using Snow Leopard or had Java installed previously, you have to enable it. Remember, Mac OS X from Snow Leopard up will disable Java by default, and if you enable it, will disable it again automatically if you don’t use it for 35 days! To enable Java, you simply need to open the Java Preferences app, select the General tab and check the box labeled “Enable applet plug-in and Web Start applications.”
There are some things you can do to minimize the risks incurred by enabling Java. The easiest thing to do is to use a secondary browser for any sites you need to use that require Java. For example, if Safari is your preferred browser, keep Java turned off in Safari, but turn Java on in another browser, like Firefox. Then, use Firefox only for sites that you trust and that require Java. For all other sites, use Safari. (Of course, that’s just an example… you could just as easily use Firefox as your primary browser and Chrome as your “Java-only” browser, or some other combination of browsers.)
If you are firmly committed to the use of one browser over all others, another option is to simply turn Java on and off in that browser’s preferences as needed. When you need to use a site that requires Java, turn it on, and don’t visit any other sites while in that mode. Then, when you’re done with that site, turn Java back off.
Of course, neither of these options is without flaws. Even a trusted site could be hacked. That is not a far-fetched idea; it happens all the time. Better would be to petition the sites you use that require Java to find a way to eliminate their reliance on Java. Java has been slowly falling out of fashion on the web, and with its history of security problems, the sooner it stops being used entirely, the better!
On October 15, 2012, Oracle finally fixed a vulnerability in Java that had been there for quite some time. (Even Java 5, which is quite old at this point, contained the vulnerability.) The next day, Apple updated their version of Java 6, and yanked out the Java applet plug-in from Safari. If you absolutely must use Java in your web browser at this point, you will probably find it easiest to simply upgrade to Java 7.