Apple and Mozilla - 'Just say no to Java'

Filed Under: Adobe, Apple Safari, Featured, Firefox, Java, Oracle, OS X, Podcast, Vulnerability

As if advice from SophosLabs' own Fraser Howard and the US Department of Homeland Security were not reason enough to ditch Java, Apple and Mozilla have both decided to join the party.

This afternoon, Friday January 11th, here on the North American west coast, Apple released an updated malware definition list for its XProtect pseudo-antivirus protection in OS X Snow Leopard and newer.

Instead of identifying a new virus, this updated definition temporarily disabled the Java Web Start browser plugin that enables Java applications to run inside Safari, Firefox and Chrome.
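As an added illustration of how a definition-driven plugin block of this kind is evaluated (this is example code written for this page, not Apple's XProtect code), the script below parses a constructed XProtect-style metadata plist and decides whether an installed Java plugin version falls below the minimum it specifies. The key name, the file layout and every version string are assumptions made for the example; the real point it shows is that version strings must be compared numerically, not as text.

```python
import plistlib

# Constructed sample in the style of an XProtect metadata plist; it is NOT a copy
# of Apple's file. The key name is an assumption for this example.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>JavaWebComponentVersionMinimum</key>
    <string>1.7.10.19</string>
    <key>Version</key>
    <integer>1001</integer>
</dict>
</plist>
"""


def parse_version(version: str) -> tuple:
    """Turn '1.6.0_37' or '1.7.10.19' into a tuple of ints for numeric comparison.

    Plain string comparison gets this wrong: '1.7.9' sorts after '1.7.10'
    because '9' > '1', so a block keyed on text comparison would miss versions.
    """
    parts = version.replace("_", ".").split(".")
    return tuple(int(p) for p in parts if p.isdigit())


def minimum_plugin_version(meta_bytes: bytes):
    """Read the minimum allowed plugin version from the metadata plist, or None."""
    meta = plistlib.loads(meta_bytes)
    return meta.get("JavaWebComponentVersionMinimum")


def plugin_is_blocked(installed_version: str, meta_bytes: bytes) -> bool:
    """True when the installed plugin is older than the minimum the definitions allow.

    A vendor can disable every shipped release simply by publishing a minimum
    that no released build reaches yet, which is the effect the article describes.
    """
    minimum = minimum_plugin_version(meta_bytes)
    if minimum is None:
        return False  # no minimum published: nothing is blocked
    return parse_version(installed_version) < parse_version(minimum)


if __name__ == "__main__":
    for v in ("1.6.0_37", "1.7.9.0", "1.7.10.18", "1.7.10.19"):
        print(v, "blocked" if plugin_is_blocked(v, SAMPLE_XPROTECT_META) else "allowed")
```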


While most reports describe the issue as a Java 7 problem, some researchers report that Java versions 1.4 and higher are all vulnerable to this flaw.

It appears that Apple has learned an important lesson from this time last year. CVE-2012-0507 was fixed by Oracle in February, but Apple didn't make the patch available until April.

The result? Over 600,000 Macs were infected with malware in the interim.

Mozilla is no slouch when it comes to security and has implemented an almost identical procedure: it has added all current releases of Java to its add-on blocklist.

In Mozilla's announcement they explain that plugins on the blocklist are forced into Firefox's Click to Play functionality.

This can be a double-edged sword when it comes to known vulnerable plugins.

The advantage to this approach is that you are prompted every time a website wants to launch a Java applet and you can make an informed decision as to whether you truly need that applet.

The problem is that you need to be informed and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protection they need against drive-by attacks.

It is good to see everyone agree on the risk this vulnerability poses and either get the word out or actively protect users against the threat.

Want to understand more about Java? Why Java isn't JavaScript? Listen to this Techknow where Paul Ducklin and I explain what you need to know.

Listen now:


(31 August 2012, duration 16'19", size 11MBytes)


12 Responses to Apple and Mozilla - 'Just say no to Java'

  1. Bongo · 464 days ago

    Many bank applications use Java applets. So this move can be painful when one "lucky day" it blocks your access to your client-bank.

    • Mongo · 463 days ago

      Maybe it's about time banks start moving away from the insecure Java applets and onto something better.

  2. Jillr · 464 days ago

    Hi, I am not that computer savvy, but I have what shows in my computer as Java 2 Runtime Environment. This is on my laptop. I do use Java for work on this computer. Should I delete that one? Thanks, Jr

    • Joe · 461 days ago

      You should update Java to the newest at the least; that's way, way old!

  3. Carthagen · 463 days ago

    If your bank uses Java while handling your private details you should probably find a new bank.

  4. marigoldmama · 463 days ago

    I'm the de facto IT person at my son's very small private school. Any advice on how to avoid being murdered by the mob of kids when I tell them they can't play Minecraft? It uses the JRE. Wouldn't this be safe to play as long as you are offline?

    Minecraft.com is down right now.

    *sigh*

  5. Chester Wisniewski · 463 days ago

    @marigoldmama

    You don't need to remove Java for local applications; you only need to disable "Java Web Start", which is the browser plugin. I don't know much about Minecraft, but if it is a Java application that runs outside the browser you should be fine.

  6. Richard Fer · 463 days ago

    Is this vulnerability also affecting IcedTea OpenJDK Java 7?

  7. Good read. There are vulnerabilities in every application or web browser, nothing is infallible. Even this sentence

    "The problem is you need to be informed and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protect they need against drive-by attacks."

    has a mistake, but it doesn't take anything away from the content. An educated user is key to averting vulnerabilities.

  8. John · 453 days ago

    I use the JDownloader download manager and it uses a Java platform. With Windows 7 I was using the McAfee firewall and it was never blocked. When I upgraded to 8 I went to Windows Firewall, and the first time I started JDownloader it told me that it was blocked. I had to tell the firewall to allow incoming connections to download with JDownloader. I do not have the plug-in installed in Firefox. Is Java safe to use with only JDownloader?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.