
Java is vulnerable… Again?!

Published February 25th, 2013 at 10:37 AM EST , modified March 5th, 2013 at 12:07 PM EST

Once again, Java is in the news after new vulnerabilities have been found. Adam Gowdiak, of Security Explorations, has reported to Softpedia the discovery of two new issues in Java. Used together, these issues allow an attacker to once again bypass the Java sandbox altogether and run code on the user’s machine through a malicious Java applet embedded in a web site.

I’ve lost track at this point of how many times I have repeated the same tired old story. I’m sure I could look back through my posts and figure it out, but there’s no reason to; suffice it to say, it has happened a lot! So why am I continuing to harp on this? Because every single day, I encounter people who are still using Java in their browsers, or who haven’t even heard that Java is a problem. This is a major issue, and it cannot be stressed often enough: if you haven’t done it already, it’s time to disable Java in your web browser!

With regard to disabling Java, there are two important things to understand. First, JavaScript is not Java, despite the unfortunate similarity in names. The two share nothing but part of a name. Disabling JavaScript in your web browser is not necessary, and will, in fact, break functionality on many web sites. Second, uninstalling Java completely, as some experts have recommended recently, is absolutely unnecessary! There’s no easy way to remove all components of Java, and even if you could, it’s really just the Java web plug-in that is the problem. If you download a Java application onto your computer and run it, that is no more insecure than downloading and running any other application: it runs with your privileges, just like any other program you choose to launch. The security risk comes from the automatic execution of Java code embedded in web pages, where any site you visit, not just one you deliberately trust, gets to hand code to the Java runtime. So you really don’t need to do more than disable Java in your web browser, and then confirm it is actually off by checking the browser’s plug-in or security settings rather than assuming it.

I know there are folks out there who will read this and complain that they can’t stop using Java. The problem with that is that Java now has a very well-established track record of extreme insecurity. The vast majority of the Mac malware that has appeared in the last couple of years has relied on Java vulnerabilities for getting installed. Worse, you can’t just avoid dodgy web sites and stay safe: many high-profile legitimate sites have been hacked to serve malicious Java applets, including the recent hacking of NBC’s web site. So, if there is any possible way of abandoning Java, even if it means giving up your favorite Java-based online games or switching to a new bank that doesn’t use Java for its online banking, you should do so.

Of course, not everyone will be able to do that. Perhaps your job depends on using a proprietary Java-based system, for example. At this point, however, you simply cannot use such a system securely. In the past, I have recommended using a separate web browser reserved only for such systems, and using a different browser, with Java turned off, for everything else. However, hackers are deliberately targeting the sites where people are likely to want Java enabled, and you cannot guarantee that the Java-requiring site(s) you rely on will remain secure. At any point in time, such a site could be hacked, and you could end up with malware on your computer simply by visiting the site with Java on.

For this reason, I recommend not using Java on any computer that might also be used for handling any kind of sensitive information. If you’ve got data you don’t want hackers getting hold of, don’t use web-based Java applets on that computer! Instead, use a cheap throwaway netbook, or something along those lines, to access those sites. Alternately, install Parallels and run Java in a virtual machine. You can install Mac OS 10.7 or 10.8 in a Parallels virtual machine quite easily, and then use Java in a web browser on that virtual machine. This will effectively isolate any malware that you might run into from the rest of your system, and you can use Parallels’ snapshots feature to revert to an older, clean state very easily. The isolation only holds if you treat the virtual machine as disposable, though: keep nothing sensitive inside it, don’t sign in to your other accounts from it, and keep conveniences such as shared folders between the guest and your real system turned off, since anything the guest can reach, malware in the guest can reach too.

Ultimately, you have your own choices to make. It is certainly your right to use Java in your web browser indiscriminately. If you choose to do so, I recommend that you install anti-virus software, such as Sophos Anti-Virus for Mac Home Edition. Keep in mind, though, that anti-virus software cannot reliably stop a threat it has never seen before, and the recent vulnerability that resulted in malware infecting Macs at companies like Facebook, Apple and Microsoft even affected machines that had up-to-date anti-virus software. Anti-virus software is not a panacea.

If you keep using Java and you end up with malware as a result, remember that you were warned, and that such an infection will have been no one’s fault but your own.



  • Someone says:

    “If you keep using Java and you end up with malware as a result, remember that you were warned, and that such an infection will have been no one’s fault but your own.”

    Hear, hear!

  • aalien says:

    Java again!

  • Tom says:

    I have Java disabled, have not come across any Safari errors saying anything about it being disabled. But I know there’s a lot of JS out there on sites. Is Java going to become the new Flash when it comes to Apple devices? What’s with developers who have products that hackers love?

  • Tom says:

    On the main page here it says to follow them on Twitter for info. Tried to do that, but with Java disabled clicking on Follow does nothing. Enabled Java, it worked. Looks like I discovered the type of sites that need it. 😉

    • Thomas says:

      I think you may be confusing Java and JavaScript. Despite the similarity in names, they are completely unrelated. JavaScript is fine, and disabling it will disable a lot of functionality on many sites.

  • Someone says:

    People really don’t need Java, in my opinion. I don’t go on too many different websites (I’m totally computer-chicken) but I’ve only found one website that told me I needed Java – an online game site that I really don’t need to use. I don’t have to worry about Java (thanks to Apple’s Flashback-induced distancing from Oracle/Java in Lion/Mountain Lion), but I don’t know why anyone still is.
