Friday, January 18, 2013

Java Security Tips @ MacFixIt

[Updated 2012-01-20]

My Mac security friend Topher Kessler has posted a great article at MacFixIt with some tips about keeping your computer safe from the ongoing Java lunacy.

With the latest security holes coming to light, many are recommending removing Java entirely from your system. If you don't want to go that far, here are some things you can do.
Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple's negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits. 
In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many people need Java to run applications, including Web apps and a number of technical and creative development tools. . . .
For Safari users, one of Topher's ideas is superior to simply turning off Java in the Safari Preferences: the add-on ClickToPlugin, which lets you turn any Internet plug-in for Safari on or off.

What is useful about this option is that ClickToPlugin doesn't just shut down Java. Instead, it (usually) gives you the ability to click on Java content in order to allow it to run. I'm finding this method of Java control to be a bit messy. But it's another option if you don't want to have to sit and wait for the goofy/buggy Java 'Control Panel' to load so you can change security modes.

NEW: As you'll see in my added comment below (read for details), the ClickToPlugin add-on for Safari is NOT adequate for blocking Java applets from running in the browser.

Therefore, I cannot recommend bothering with ClickToPlugin for blocking Java. So it's back to the mantra:

Just Turn Java Off


1 comment:

  1. Mac security friend Al V pointed out to me that the ClickToPlugin add-on for Safari is only partially effective. He pointed me to the developer's website:

    There you'll find that Marc Hoyois has stated the following:

    "Note. ClickToPlugin does not block <applet> elements. These elements are used to embed Java applets into web pages and launch a Java plug-in. The reason is that they cannot be blocked."

    Why this is the case is beyond my understanding. But obviously Marc Hoyois has verified the situation. Therefore, ClickToPlugin is only PARTIALLY effective. As such, I CANNOT recommend bothering with it.

    Therefore, stick to the mantra:
    Just Turn Java Off.