As we noted earlier, there’s a rather large security hole with Java in Web browsers in all versions of OS X. Because of the way Java applets work, you can be attacked by simply visiting (not even clicking a link on, or downloading a file from) a Web site containing a malicious Java applet.
In addition, as Intego points out in its security memo on this issue, “malicious Java applets can also be circulated by other means, for example, as attachments to e-mail messages. A program called Applet Launcher allows users to run Java applets by double-clicking them.”
Regardless of how a malicious applet is launched, the damage it can do is very real. For example, a malicious applet could easily delete everything in your user’s home folder, change permissions on files and folders, and who knows what else. In short, it’s bad; really bad.
Until Apple sees fit to solve this problem, how can you protect yourself? The only real solution for now is to disable Java in your browser. Here’s how to do that in a handful of the most-popular OS X browsers:
- Safari 3 and 4 Beta: Preferences -> Security tab -> uncheck Enable Java. Note that you should also make sure that the “Open safe files after downloading” preference on the General tab is not checked.
- Firefox 3.0 and 3.5b4: Preferences -> Content -> uncheck Enable Java.
- OmniWeb 5.9.2: Preferences -> Show All tab -> click Security -> uncheck Enable Java.
- Camino 1.6.7: Preferences -> Web Features tab -> uncheck Enable Java.
- Opera 9.6.4: Preferences -> Advanced tab -> click Content -> uncheck Enable Java.
- iCab 4.5: Preferences -> Show All -> click Java -> uncheck Execute Java applets.
If you’re using a browser other than one of those, you’re on your own—but it’s a good bet the solution will be found in the program’s Preferences panel.
While nobody has reported being attacked via this exploit, this is a serious hole, and I strongly recommend you disable Java in your browser until Apple releases an update. Given that it takes nothing more than a visit to a site hosting a malicious applet, disabling Java offers the best protection.
If you absolutely, positively must have Java enabled, then I suggest using it in a browser that offers some sort of “run on click” option for Java applets. You can get this behavior in Firefox via certain add-ons (NoScript is one), and in OmniWeb (and probably other browsers) as a built-in feature. Then, if you’re visiting an unknown site, Java applets won’t run on their own—you’ll have to take action to make them run. This isn’t perfect protection, but if you need to use Java on known sites, it’s a reasonable solution until Apple patches this security hole.
Hopefully all the attention paid to this issue today will force Apple to issue a quick update to close the security hole—if this were Microsoft we were talking about, the blogosphere would be all over the company for its slow response. Any way you look at it, taking five months (and counting) to integrate an already-released patch for a relatively major security issue is simply unacceptable.