Apple closes Java hack, and why it's time to switch Java off

February 20, 2013 8:39 AM EST

The Apple [AAPL] critics are dancing their dance once again today following news of a Java-based malware attack on Macs. But, given Java is the bad boy in the room, shouldn't critics and Kool-Aid drinkers alike just do the right thing and switch Java off for good?

Java you're such a chore

Apple yesterday revealed that "a small number" of its own corporate Macs had been hacked by the malware. Hackers infected the Macs when they visited a software developer's site (iPhoneDevSDK, according to AllThingsD) that had been infected with the Java-based exploit, which was also used in a campaign against Facebook.

A few hours later, the company shipped the Java for OS X 2013-001 1.0 update, explaining the software "delivers improved security, reliability, and compatibility" by updating Java SE 6 to 1.6.0_41.

On the surface Apple seems to have acted swiftly to protect us. That would be the case but for the fact that Oracle released a patch to address the Java problem at the beginning of the month. Meanwhile, computer users on any platform should take a good look at this feature, which explains how Java works and offers good advice for using it safely.

Java is a problem

We know there is a Java problem -- most security experts agree with Sophos' security expert, Paul Ducklin, who has consistently told computer users on any platform to "switch Java off".

This is certainly not the first Java-based exploit to affect Mac users -- remember the Flashback attack?

Microsoft's Security Intelligence Report 11 last year revealed Java exploits are also the biggest ongoing problem impacting Windows systems.

In a note accompanying the security patch, Apple gives a more detailed account of what's happened:

"Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a Web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user."

The solution Apple has deployed is to walk away from browser-based Java altogether.

As Ducklin observes:

"It's telling, perhaps, that Apple, with this most recent update, seems to have washed its hands permanently of browser-based Java.

As its own update notification (see above) points out:

This update disables the Java SE 6 applet plug-in. To use applets on a web page, click on the region labeled "Missing plug-in" to download the latest version of the Java applet plug-in from Oracle.

I wonder how many Apple programmers will tempt their employer's wrath by reaching out to Oracle to re-enable Java in their browsers?"

Cisco claims 80% of online attacks use Java

Java is a culprit. A recent Cisco report confirmed how dangerous Java is for everyday computer users. In the same report, Cisco found online advertising to be one of the biggest sources of malicious content on the Web.

"It’s not that hard to sneak a bad ad into one of these ad-syndicate networks, which will then be distributed to a number of otherwise-innocent websites," writes Intego.

This suggests that ad networks may have been partially to blame for the Mac malware problem we're discussing here.

Cisco also makes a second point: the vast majority -- 80 percent -- of online attacks used Java vulnerabilities to do their damage. What does this mean? Basically it suggests the problem here is nothing to do with platforms -- Windows, Mac -- but everything to do with Java.

- Java is a cross-platform application that tends not to be updated until a newly discovered vulnerability begins to be widely exploited.

- This means the patch introduced earlier this month no doubt followed weeks or months during which the vulnerability was either not known or ignored.

- A few weeks later, Apple has moved to combat the problem.

- Despite the release of the patch, millions of Mac users must now get themselves together to install the software.

Putting this into a wider context, as devices become connected (the Internet of Things) and mobile devices proliferate, it's becoming ever more clear that Java may represent a major threat to the whole edifice of a connected intelligent Web.

Tip of the iceberg?

Hackers are intelligent about exploiting Java's holes, and tend to avoid over-using a vulnerability because they recognize that if an exploit proliferates too much, Java is updated to protect against it.

This suggests that, while the current matter may be raising attention and giving Apple bashers a chance to dance and Apple fans a chance to apologise for their firm, the true scale of the Java security problem isn't yet known.

After all, all we do know is that one of the more widely used exploits has been identified and patched. We do not know what the attack risk is via less well-known holes in Java software.

How do users on any platform protect against this? For Mac users, follow a few simple steps.

What else can you do? That's pretty simple really: Switch Java off in your browser if you are a user, and if you happen to be a Web developer, now's probably a good time to minimize your reliance on Java for your Web sites and services.
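For Mac users who want to verify the two things this piece describes (that the Java SE 6 runtime is at or above the patched 1.6.0_41, and that the browser applet plug-in is no longer present), here is a small audit script. It is an added example, not code from the article or from Apple; the plug-in path is an assumption about where OS X kept the Java applet plug-in, and the version strings in the comments are constructed from the versions the article names.

```shell
#!/bin/sh
# Added example: audit a Mac for an unpatched Java SE 6 runtime and a
# still-present browser applet plug-in. Not from the article or Apple.

PATCHED="1.6.0_41"   # version Apple's Java for OS X 2013-001 update installs
# Assumed location of the Java SE 6 applet plug-in the update disables.
PLUGIN_PATH="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

# java_update_number "1.6.0_37" -> 37 ; prints nothing for non-1.6.0 versions
java_update_number() {
  case "$1" in
    1.6.0_*) printf '%s\n' "${1#1.6.0_}" ;;
    *) printf '\n' ;;
  esac
}

# java_status FIRST_LINE_OF_JAVA_VERSION_OUTPUT -> patched | vulnerable | unknown
# Constructed input example:   java version "1.6.0_37"   -> vulnerable
# Anything that is not a Java SE 6 runtime is reported as unknown, because
# the article's patched reference applies only to the 1.6.0 line.
java_status() {
  v=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p')
  [ -n "$v" ] || { echo unknown; return; }
  cur=$(java_update_number "$v")
  ref=$(java_update_number "$PATCHED")
  if [ -z "$cur" ]; then echo unknown
  elif [ "$cur" -ge "$ref" ]; then echo patched
  else echo vulnerable
  fi
}

# plugin_status PATH -> present | absent
plugin_status() {
  if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Run the audit against the local machine.
main() {
  if command -v java >/dev/null 2>&1; then
    line=$(java -version 2>&1 | head -n 1)
    echo "Java runtime: $line -> $(java_status "$line")"
  else
    echo "Java runtime: not found on PATH"
  fi
  echo "Applet plug-in: $(plugin_status "$PLUGIN_PATH")"
}

main
```

A result of "vulnerable" or "present" means the machine has not yet taken the update the article describes, or that the plug-in has been re-enabled by installing Oracle's version.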

While this will certainly be a problem for many -- particularly in the enterprise -- it seems to me that beyond the daily chance for a little Apple-bashing, it's time to dump Java altogether.

This certainly seems to be Apple's opinion.

It isn't solely Apple that should be on trial here, as the problem it faces is one that also affects Windows systems. It's Java. And it's time to switch Java off.

Got a story? Drop me a line via Twitter or in comments below and let me know. I'd like it if you chose to follow me on Twitter so I can let you know when these items are published here first on Computerworld.