Friday, October 19, 2012

Oracle Java For Mac FAIL x10,
Installing Oracle's Version Of Java

[Updated 2012-10-23 @6:30 pm]

I have installed Oracle's Java for Mac. I now hate Oracle, seriously hate Oracle.

What's ahead is a long, nasty soap opera of FAIL. Let me save you time and cut to the quick:

Disabling Oracle's Java:

If you've installed the current version of Oracle's Java for OS X, v1.2 update 9, there is only one way to turn it off in your system: REMOVE IT from your root level Internet Plugins directory. Here's how:

1) Shut down your web browsers.

2) Navigate to:
/Library/Internet Plug-ins/

3) Remove/move these two files:


I have set up a folder where I store them called 'Internet Plug-ins (disabled)'. You have to do the Admin authorization stuff to move these files around.

4) Start your web browser again and surf around, carefree, not worried about another Java sandbox security hole getting your Mac PWNed.

OR: You could turn Java off in all your web browsers.

Now leave Java off all the time unless you desperately need to use it, in which case, reverse the above process.

Here's a good ArsTechnica article about the current state of Java:

And now for:

The Long, Sad, Hatred-Of-Oracle Inspiring Story Of The Java For Mac FAIL:

A Frightening Cautionary Tale, Just In Time For Halloween:


I had to visit my ISP's website last night in order to contact them regarding the catastrophic mess they had made of both my cable TV signal and my Internet bandwidth. Horror of horrors, their live online support interface requires Java. Here is what I saw when I tried to use their interface:

See that little button that says 'Get JRE Plugin'? This is the one Apple tells us to expect after we have uninstalled Java from our OS X 10.7 and 10.8 systems. If we wish to proceed and install Java, we click the button and are sent to the Oracle Java website to download the OS X Java installer.

Except THE BUTTON DOESN'T DO ANYTHING. I clicked away in Safari and nothing happened at all, ever. It doesn't work. It's inert. That's FAIL #1.

So I went over to Oracle's Java website all on my own, dug around for the version of Java they offer for OS X, and went into shock when I discovered that it was Java 1.7 update 6, an old crusty entirely UNSAFE, yer gonna get your Mac PWNed version. That's FAIL #2.

[NOTE, October 23rd Addendum: Immediately after I first posted this article, Oracle saw fit to remove the olde Java 1.7 update 6 installer and instead directly provide Java 1.7 update 9. Thank you to reader Franklin for bringing this to my attention. This negates 'FAIL #2'. However, if you scroll down to the Comments, you'll see that Oracle STILL has a bad web page, apparently from 1998 (!), that states Apple is going to provide a Java plug-in. I ran into this page using an ordinary, logical Google search of "oracle java for mac download". This bogus Oracle page was the #1 link result. Read it and weep:
Java Plug-In Mac Download Page
What the?! I cannot comprehend how a company can be so incredibly careless. This ridiculously olde, decrepit page at Oracle constitutes the new FAIL #2. Therefore, I have not changed the title of this article. Hopefully Oracle will respond by pointing victims of this idiocy to the website where Oracle does indeed provide the latest version of Java's plug-in for Mac.]

But I downloaded and installed it anyway, hoping it would upgrade itself. I ran the installer. The first pane of the installer proclaims the following propaganda:

'Java provides safe and secure access to the world of amazing Java content.' blahblahblah.
Right. That's why Apple dumped Java and we had NO 'safe and secure' version of Java for the entirety of the summer of 2012 on into mid-October. Nice try Oracle. That's FAIL #3.

After the Java installation, thankfully it alerted me to download the latest updated version. Kewlness:

After the update installed, I tried to figure out how to set the Java preferences. There is NO 'Java Preferences' app in Utilities any more. Instead, Oracle installs a System Preferences pane in the root Library folder. I'd read about that being the case, so fine. This is what I saw when I opened the Java preferences pane:

'The Java Control Panel opens in a separate window.'
WHAT? Oracle were too lazy to write an actual preference pane? They think Macs still have 'control panels'? That's FAIL #4.

So, I waited around for the 'control panel' to decide to open, tickticktick, yawn, what's on TV, and then it shows up:

Fine, a common tabbed window for Mac. I started searching around for how to turn Java on and off, similar to what Apple's now defunct 'Java Preferences' app used to do. I discover what I wanted is under the ridiculously named 'Java' tab. What? Everything here is Java! Huh? That's FAIL #5.

The 'Java' (duh!) tab comes up and it looks like this:

Oh look, an award worthy user interface that does nothing-at-all but make you dig even deeper to actually get anywhere. That's FAIL #6.

I am forced to hit the 'View...' button in order to get past the bureaucracy. This is what appears:

Hey! A checkbox to uncheck! Yeah!

Except the checkbox is inert. Remember the earlier inert 'Get JRE Plugin' button! Winner programming here! And guess what! The corresponding checkboxes for BOTH 'User' and 'System' don't work! That's FAIL #7 and FAIL #8.

That's 8 Oracle Java FAILs. Eight. Not ready for prime time crapware: That's what this garbage is. That's why I now hate, seriously hate, Oracle. What incredibly lazy, careless, obtuse, inept, dumbass programmers from hell.

-> So what do you do when you want to turn Java OFF?!
See the start of this article for instructions.

To hell with Oracle. To hell with Java.

But we're not finished! Where are the more detailed security settings? Under the 'Security' tab? No! What you'll find there are settings for certificates. You want to go under the 'Advanced' tab, then scroll down to 'Security'. That's FAIL #9.

But first, look just above 'Security' and do this:

* Under 'Application Installation' you must choose 'Never install'.

Why? Because this specific setting stops DEAD the ability of drive-by malware to install itself onto your Mac via sandbox-broken Java. Could this cause a problem? Maybe. You might well find yourself scrambling to change this setting to 'Install if hinted' instead, but only on a website you TRUST. Otherwise, leave this set to 'Never install'. Please.

Now we at last get to the 'Security' settings. I suggest the following, with my added notes in brackets:

√ Allow user to grant permissions to signed content
- Allow user to grant permissions to content from an untrusted authority
√ Use certificates and keys in browser keystore
√ Don't prompt for client certificate selection when no certificates or only one exists
√ Warn if site certificate does not match hostname
- Show site certificate from server even if it is valid [Turning this on is fine]
√ Show sandbox warning banner
√ Allow user to accept JNLP Security requests
√ Check certificates for revocation using Certificate Revocation Lists (CRLs) [Shame on Oracle for not having this turned on by default! Dunderheads!]
√ Enable online certificate validation
√ Enable list of trusted publishers
√ Enable blacklist revocation check [of course!]
- Enable caching password for authentication [risky, not advisable]
√ Use SSL 3.0
√ Use TLS 1.2 [Yes, 1.2, not earlier. Again, shame on Oracle for not making this the default! Dummies!]
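
An added example (not from the original post and not Oracle's code): a short Python check that compares a Java deployment.properties file against part of the checklist above. The property key names are an assumed mapping taken from Oracle's deployment configuration documentation, and the sample file content is constructed; verify both against the Java version you have installed.

```python
# Added example: audit a Java deployment.properties file against the checklist.
# Key names are assumed from Oracle's deployment property docs, not from the post.
RECOMMENDED = {
    "deployment.security.askgrantdialog.notinca": "false",    # untrusted-authority grants off
    "deployment.security.jsse.hostmismatch.warning": "true",  # warn on hostname mismatch
    "deployment.security.sandbox.awtwarningwindow": "true",   # sandbox warning banner
    "deployment.security.validation.crl": "true",             # CRL revocation checks
    "deployment.security.validation.ocsp": "true",            # online certificate validation
    "deployment.security.blacklist.check": "true",            # blacklist revocation check
    "deployment.security.password.cache": "false",            # no cached auth passwords
    "deployment.security.TLSv1.2": "true",                    # TLS 1.2 enabled
}

def parse_properties(text):
    """Parse the simple key=value / key:value subset of the .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not line or line[0] in "#!" or not seps:
            continue  # blank line, comment, or no separator
        idx = min(seps)  # first '=' or ':' ends the key
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit(text):
    """Return {key: 'ok' | 'mismatch' | 'unset'} for each recommended key."""
    props = parse_properties(text)
    report = {}
    for key, wanted in RECOMMENDED.items():
        if key not in props:
            report[key] = "unset"  # release default applies; check the Control Panel
        else:
            report[key] = "ok" if props[key].lower() == wanted else "mismatch"
    return report

# Constructed sample content, not taken from a real machine.
SAMPLE = """\
#deployment.properties
deployment.security.askgrantdialog.notinca=true
deployment.security.validation.crl=true
deployment.security.validation.ocsp = false
deployment.security.password.cache=false
deployment.security.TLSv1.2=true
"""

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{status:9} {key}")
```

A key reported as "unset" is not in the file, so the default for the installed Java release applies and is worth confirming in the Control Panel.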

And now for our final FAIL. This one's worth a good laugh. Under 'Miscellaneous' it offers the checkbox "Place Java icon in system tray". It doesn't matter if you check it on or check it off. It doesn't do anything. It doesn't put a Java icon in your menu bar or anywhere else. It's total crap. Only Windows has a 'system tray'. So what's a Windows setting doing here on a Mac? It's just an excuse for Oracle to hand us an even 10 FAILs. 10 fingers, 10 toes, 10 FAILs. Whatever. Thanks for being so attentive to the OS X platform Oracle. I hate you.

[NOTE, October 23 Addendum: Reader Franklin kindly pointed out that the 'system tray' checkbox DOES do something. It puts a Java icon at the far right of the menu bar whenever Java is actually running on your Mac. Thus my hatred of, and low opinion of Oracle is slightly abated. However, lazily mis-naming the Mac menu bar, which was established by Apple over 10 years before the Windows 'system tray', still constitutes a remarkable FAIL by Oracle's programmers. Therefore, I continue to call this FAIL #10 and have not changed the title of the article. 

Please get with it and catch up Oracle. It's the "menu bar" and it is as old as the very first Macintosh computer, IOW 1984. Then add to that the fact that the "menu bar" also existed on the Apple LISA (1983).

The menu bar is an Apple innovation and improvement upon the Xerox Star OS, which instead put the menu bar at the top of individual windows, as found in today's Microsoft Windows OS.]

Warning: Phishing Rats Want Your Apple ID

Today an article came to my attention that is of extreme relevance. It's about an ongoing Phishing Rat campaign using social engineering to steal Apple IDs. After all the intermittent reports I've heard about Apple IDs being stolen, including within my family (ahem), this appears to be the prime source of the problem:

The Websense® ThreatSeeker® Network has detected a phishing campaign whose potential victims are holders of an Apple ID account. . . . The phishing campaign begins with an email message like this one, informing the recipient of a "suspended" Apple ID...

Please read the article. Clearly this phishing campaign is a prime source of LUSER behavior leading to robbery of Apple accounts and everything that goes with them.

IF you receive one of these Apple ID 'suspended' phishing emails, please report it to:

When you report phishing email, please be sure to include the entire email, including full headers, in your report to Apple. Reporting phishing email to the scammed company source is the best way to stop dead any phishing campaign. The entire Apple user community will appreciate your rat extermination assistance.

It is also useful to report phishing email as spam to your ISP or one of the spam blacklist websites, such as SpamCop.

Wednesday, October 17, 2012

Java Security Update!
Apple's JRE 1.6 update 37 Is Available Today

[Updated 2012-10-17 @3:26 pm ET]

Be sure to update today to Apple's JRE (Java Runtime Engine) version 1.6 update 37. It restores Java for Mac back to secure usability, for the moment anyway. The update is available for OS X 10.6, 10.7 and 10.8.

This installer is DIFFERENT in that it REMOVES the Java plugin from Mac OS X. After the installation you will NOT be able to run Java in any OS X web browsers. Instead, when Java is required at a website, you will be offered the opportunity to download Oracle's version of the plugin. Here are Apple's provided notes about the installer:

Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37.
This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

Apple's 'About' pages regarding the Java updates for OS X 10.7 and 10.8 (but not 10.6) further point out that:

This update also removes the Java Preferences application, which is no longer required to configure applet settings.

You can check out a detailed analysis of the update by my colleague Topher Kessler at MacFixIt here:

Java Preferences missing after latest OS X Java update
While the Preferences utility is missing, this may be a simple oversight on Apple's part.

Cross your fingers and toes that the sandboxing in Java will stay fixed for the long term future and we won't have to worry about our Macs being PWNed simply because Java is running in our web browser.

If/when new Java security holes are discovered, I'll be posting here.

Friday, October 12, 2012

Danger! Security Hole In Firefox 16.0.0,
Get 16.0.1 Update Now!
(And assorted other stuff)

Hi Kids!

A quick note: Mozilla rapidly discovered a security hole in Firefox (and Thunderbird) version 16.0.0 on all platforms, including Android. Therefore, either download the latest update (currently 16.0.1) or allow Firefox (and Thunderbird) to update themselves immediately the next time you use them. You can read about the situation here:


1) Java Update WHEN?! 

It appears that Oracle are (irresponsibly, IMHO) going to wait until their scheduled Tuesday, October 16th date for updating Java to something safe. So watch for it that day specifically from Oracle. If you don't want or need to deal with the hassle of Oracle's clunky version, hang on until Apple provide their more OS X friendly version via Software Update / The App Store. Or better yet, write off Java as dangerous crapware and never use it again! We wish. Hopefully the current danger will end and we can all go back to simply swearing at Java for being so slow.

2) This is the weekend I am going to finish off my 2012 malware review. I'll start the list again from scratch for the sake of simplicity. We also have another couple new minor malware to add to the list. Also, I'm going to consign some further oldie stuff to the 'inert' bin, as you'll see. Thank you for waiting!

3) If you are not doing so already, go visit and have some fun. MacHeist 4 is the BIGGEST and most fun Heist EVER. The free mission prizes are très kewl. As of today we are starting on 'nanoMission 4'. So catch up and get some discount coins for The Big Heist coming up! MacHeist is seriously one of the most unique, fun and charitable events of the Mac platform. The missions have been astoundingly well designed with everything having a jaunty, puzzling and mysterious steampunk theme. There is nothing equivalent or as kewl on those other computer platforms! And it's all free! ...That is, until we get to the Big Final Heist. You shall crave to ogle the digital devices concealed within the confines of the culminating, capacious cyclopean vault...!

Share and Enjoy,