We have been getting questions about the Homeland Security warning concerning Java, so here is a quick article explaining what we know at this time. There are a lot of mixed messages circulating on the web, which makes it very confusing.
The Facts
On Friday, January 11th, 2013, ZDnet.com reported about the Homeland Security warning to disable or uninstall Java due to the “zero-day” security flaw in Java 7.
On Sunday, January 13th, Oracle released an update to Java that supposedly patched the security flaw.
As of Monday, January 14th, the Boston Globe says Oracle fixed it.
But ZDnet.com reports that Homeland Security still warns that Java poses a risk.
So there’s the timeline from the news media perspective.
But what do Mac users need to know to keep themselves safe?
Here are a couple excepts from an Apple discussions post.
“The newly discovered zero-day flaw in Java 7 is so serious that the U.S. Department of Homeland Security has warned users to disable or uninstall it, and Apple has disabled the Java 7 plugin on Macs through its OS X anti-malware system, in order to protect users from a potentially serious security issue.
You should disable Java (if not already done) until either the US Department of Homeland Security, or Oracle, declare it safe and Apple restore the facility. Javascript should not be disabled (it has nothing to do with Java).” – Klaus1
“You don’t need to do anything right now. Both Apple and Google have totally disabled it in their browsers until Oracle can come out with a patch and there is no telling when that might be.” – MadMacs0
So Apple and Google disabled it, what if I use Firefox?
“In Firefox, you disable the Java plugin in the Tools > Add-ons > Plugins settings.” – Chakravartin
But how exactly did Apple disable Java in the Safari browser without a Software Update to do the job?
Here is a forum post from macresource.com that addresses the question, but I am not completely sure it answers it. Either way, it explains a not commonly known process that your Mac does for you.
“Apple added an option to the “General” tab of the “Security and Privacy” System Preferences panel, under the Advanced button labeled “Automatically update safe downloads list”. If this option is enabled (which it is by default) then approximately every 24 hours the system will check Apple’s servers to see if a new version of the malware definition list is available, and will install the update if found.”
“A file called Xprotect.plist gets updated.” – decked
Conclusions
Oracle says they have fixed the vulnerabilities in Java, but Homeland Security says not well enough. Either way, Apple and Google have disabled it in the Safari and Chrome browsers until they determine it is all clear. You can disable it in the Firefox browser if you feel the need. Feel free to contact us if you have questions or concerns.
A friend sent me this link to an article from OSXDaily.com that says Apple disabled Java back in Oct 2012 through a Software Update. Beware that it says this disabled it in all web browsers, but I have found it enabled in Firefox, so do that manually.
http://osxdaily.com/2012/10/19/java-update-2012-006-os-x-removes-java/