Apple removes Java support from Safari
I removed Java from my system some time ago and never looked back. I understand that some of you need Java for certain web activities, like online banking, but I think it is fair to say that the majority of Internet users do not need Java anymore, at least not in the browser.
Java vulnerabilities are discovered and exploited on a regular basis, and it can sometimes be difficult to install the updates as soon as they get released. That's on Windows, with Apple Mac OS X users facing a different set of issues when it comes to Java. Since Apple is maintaining its own version of Java, in pretty much the same way that Microsoft and Google are maintaining their versions of Adobe's Flash Player, it is up to Apple to release updates. Sometimes that can mean that Apple users have to wait a tad longer before their version of Java gets patched.
With the latest Java update came a change that is improving security for the majority of Apple users. The update uninstalls the Apple-provided Java plug-in from all web browsers. What this means is that you can't run Java applets in your web browser on Mac OS X anymore by default. Apple instead displays a placeholder that informs users about the missing plug-in when they are on a site that requires Java for functionality.
If you want to run Java applets in your browser on Mac OS X, you need to install the official Oracle Java runtime on the system to do that. Yes, that then runs in parallel with Apple's version of Java. For users who need both, it means taking care of two versions of Java on the system from that moment on. The majority of Apple users, on the other hand, likely won't notice that Java is missing from the browser, as it is not really that commonly used anymore on the Internet.
Note that Apple systems do not come with a pre-installed version of Java anymore. The first time you run a Java program on Mac OS X, you will see an option to download and install Java on it. (via Naked Security)
Do you have Java installed on your system? If so, for what purpose?
Oracle Leaves Fix for Java SE Zero Day Until February Patch Update
Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw…
The vulnerability and exploit were announced in late September. Gowdiak’s exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine…
P.S. I use one application that needs Java and won’t work with portable Java :-(
As you said some on-line banking services require the use of Java, it doesn’t work without it or a ‘transparent’ alternative. So if Java is so open to being misused, what alternative(s) are there to allow continued use of services that require Java and check for its presence before loading?
NoScript for Firefox is the ultimate solution. Other than that, a sandboxed browser that you only use to load your bank’s website.
Here in the UK, I recently joined Tesco Bank’s online banking service, to find that their ‘highly secure’ website won’t work without both Java and Flash. Makes you wonder how much these people really know about security.
You’re actually missing the point.
Java in itself when used properly by legitimate sites can be and is secure, but the problem is that it can be exploited by other not so trustworthy websites/applications. Unless of course you think your bank will be trying to perform a malicious act on your PC and if so, you have bigger issues to worry about.
That’s why extensions like NoScript ( http://noscript.net/ ) in Firefox are so useful because you can block any Java from running unless you exclude the site e.g. your bank. You are then denying anyone else from exploiting your system as Java won’t run.
The same for Flash which again NoScript can help deal with. Maybe one day browser developers will build in this kind of functionality.
I do agree though that both Flash and Java should go the way of the dinosaurs, but I suspect that won’t happen for quite some time.
I think if you’re doing grownup work on your ipad, you’ll miss java. I couldn’t live without it.
I need Java but I’ve layered protection to avoid problems:
1) Disable Java Quick Starter under Advanced in the Control Panel.
2) Place the Java On/Off button in the Mozilla toolbar.
3) Set Online Armor’s Run Safer for jplauncher.exe, javaw.exe and java.exe.
4) Set Online Armor’s firewall to popup an Allow/Block alert for all java.exe outbound ports.
5) Restrict javaw.exe to 127.0.0.1 on ports 49152-65535 in the OA firewall.
6) Run effective anti-whatever solution(s). Currently IMHO: BullGuard AV, Malwarebytes Pro, Zemana AntiLogger.
When needing legitimate Java access, two and four require think-ahead. What “alarm system” doesn’t?
I’d like Java to go away, but it’s a known entity. Whatever replaces its functionality will introduce new exploits and no one can convince me otherwise. Of course, no one who doesn’t need Java should have it on their system.
I’m not sure why anyone would want to use NoScript (I found it annoying as hell, myself), when (at least for Firefox users) it’s an unbelievably simple process to disable the Java plugin.
Firefox -> Addons -> Plugins -> click “disable” button.
Similarly for Chrome, same level of ease. Only in IE it is a pain, but then everything in IE is a pain. If your Java/Java plugin is out-of-date, Firefox automatically disables it.
As others have said, many online bank sites won’t work without Java (BofA for one…though for anyone looking for an alternative, US Bank site does *not* require Java); Sabre (American Airlines) airline ticketing system; and Android SDK to name a few off the top of my head.
That totally disables it with no way to allow it to run for just the sites you need it to – that’s why I wrote that something better needs to be included in the browser itself.
NoScript can be as annoying as you want it to be, you just need to know how to use it and like a lot of things e.g. UAC, it will be annoying at first until you have configured it for everything. It barely bothers me now.
I don’t have Java on my Mac, and my bank’s web site runs just fine. It’s a small local mutual bank. I dumped BofA a few years ago for a variety of reasons.
I still want Java, because it’s a useful language. I just won’t run it in a browser.
Not to mention…Minecraft, Runescape, OpenOffice, Adobe Creative Suite 5.5, Vuze, GanttProject, Eclipse, and the list goes on of what still requires Java to run.
I enjoy this blog, and quote it/link to it regularly in my own, but Martin you really missed the mark this time with the holier-than-thou advice to just uninstall Java since it “isn’t really needed.”
Not cool, d00d…not cool.
> just uninstall Java since it “isn’t really needed.”
Which article did you read? This one is about *Apple* disabling Java by default in their browser — not uninstalling Java. Not other applications that use Java. In fact, he lists a way to *install* Java on your machine to get it to work with Safari.