Wednesday, September 5, 2012

Apple Releases Patched Java 6, v1.6 Update 35

--
For the moment, Java is 'safe' again. Apple has provided for Mac users the latest patched version of Java 6, which apparently does not include any of the drive-by infection security holes that have been plentiful in recent versions of Java 7 as well as older versions of Java 6.

There are two different Java updates:

I) For OS X 10.6 Snow Leopard you'll want to install 'Java for Mac OS X 10.6 Update 10'. You can read about it and download it HERE.
This update configures web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page. If no applets have been run for an extended period of time, the Java web plug-in will deactivate. 
Please quit any web browsers and Java applications before installing this update.
II) For OS X 10.7 Lion and 10.8 Mountain Lion you'll want to install 'Java for OS X 2012-05'. You can read about it and download it HERE.
This update configures the Java plug-in to deactivate when no applets are run for an extended period of time. If the prior update named "Java for OS X 2012-004" was not installed, this update will disable the Java web plug-in immediately. Java applets may be re-enabled by clicking the region labeled "Inactive plug-in" on a web page.
Please quit any web browsers and Java applications before installing this update.
Again Note: There is NO safe version of Java 7 (v1.7) available for OS X at this time. If you have installed it, you might as well uninstall it and instead install the appropriate Java 6 update from above.
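
To confirm which Java a Mac actually has after updating, the banner printed by `java -version` can be checked against the advice above. The following is an added example, not code from Apple or from this post; the function name `classify_java` and its result labels are hypothetical, and it assumes Update 35 is the minimum acceptable Java 6 build.

```shell
#!/bin/sh
# Added example: classify a `java -version` banner against this post's advice.
# Prints one of: patched | outdated | java7 | unknown
classify_java() {
    # $1 is the banner text; its first line looks like: java version "1.6.0_35"
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Only the legacy 1.x numbering is handled; anything else is unknown.
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ "$major" = "1" ] || { echo unknown; return 0; }
    # Update number follows the underscore; none means the base release.
    case "$ver" in
        *_*) update=${ver##*_} ;;
        *)   update=0 ;;
    esac
    # Drop suffixes such as "-ea" and leading zeros ("06" -> "6").
    update=$(printf '%s' "$update" | sed -e 's/[^0-9].*$//' -e 's/^0*//')
    update=${update:-0}
    if [ "$minor" -eq 7 ]; then
        echo java7            # the post: no safe Java 7 for OS X at this time
    elif [ "$minor" -gt 7 ]; then
        echo unknown          # not covered by the post
    elif [ "$minor" -lt 6 ]; then
        echo outdated
    elif [ "$update" -ge 35 ]; then
        echo patched          # Java 6 Update 35 or later
    else
        echo outdated
    fi
}

# Constructed sample banners (not captured from a real machine).
for banner in 'java version "1.6.0_35"' 'java version "1.6.0_33"' \
              'java version "1.7.0_06"' 'No Java runtime present'; do
    printf '%-28s -> %s\n' "$banner" "$(classify_java "$banner")"
done
# On a real system: classify_java "$(java -version 2>&1)"
```
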

I've noted a lot of confusion on the net about the Java drive-by infection problems. They do NOT affect your use of software on your Mac as long as that software is not accessing the Internet. The only way you can become infected is by browsing the Internet with the Java plug-in activated. To entirely avoid this situation, simply turn Java OFF using the Java Preferences app found inside your Utilities folder. I have covered this subject previously.

If you have Java installed and you must use Java somewhere on the Internet, here is the best strategy:

1) Be sure Java is ON in the Java Preferences app, found inside your Utilities folder.

2) Be sure Java is OFF inside your web browser's preferences for normal web surfing.

3) Visit the website where you must use Java.

4) Turn Java ON using your browser's preferences.

5) Reload the web page and go to work.

6) When you have finished working with that website, turn Java OFF again using the browser's preferences.

I note that Apple discuss how installation of today's Java updates automatically turns Java off. Apple recommend "clicking the region labeled 'Inactive plug-in' on a web page" when you need to run Java on that website.

I do NOT like Apple's idea at all as it leaves Java running when we leave that website and surf elsewhere. We do NOT want to go wandering around the web with Java enabled, specifically due to the possibility of yet-another Java drive-by infection security hole being discovered and exploited. My method above is a bit more annoying, but it is SAFE, unlike Apple's potentially dangerous method.

If at some point Apple automatically disable Java every time we leave a website, then we will be safe. Until that time, we're going to have to re-disable Java ourselves.

Just to be clear: No, Apple is not saying they are disabling Java on every new web page. All Apple is doing is deactivating Java "if no applets have been run for an extended period of time." That is all. That is NOT good enough. Please take this warning seriously.

At least we can now go back to using Java. But Java's reputation has become so incredibly poor, thanks to crapcoding at the Java project, that it is well worth remaining wary of using it on the Internet. Using Java while not on the Internet should be fine at this time. There are currently no Trojan horses for OS X that exploit Java security holes.

I hope this helps. If there are questions, please comment below or check out the links I provided in my previous article about this ongoing problem.
--

