This article originally appeared in TidBITS on 2013-04-26 at 7:00 p.m.
The permanent URL for this article is: http://tidbits.com/article/13716

Safari Updates Add Extra Layer of Java Protection

by Agen G. N. Schmitz

Further locking down Mac OS X against Java security exploits, Apple recently posted updates to Safari and new versions of Java SE 6 to close up multiple vulnerabilities. Each of the Safari and Java updates is available in two versions, with one for those running Mac OS X 10.6 Snow Leopard and the other covering 10.7 Lion and 10.8 Mountain Lion.

Both versions of Safari (Safari 5.1.9 [1] for Snow Leopard and Safari 6.0.4 for Lion and later) introduce a new scheme [2] for enabling the Java plug-in to run on a site-specific basis. When you encounter a Java applet on a Web site, you’ll be asked whether you want to allow the applet to run or block it. If you click the Block button, the Java plug-in will always be blocked from running on that particular Web site, though you can toggle that behavior by visiting the new site-by-site Java management settings in Safari’s preferences.

[image link] [3]

Choose Safari > Preferences and click the Security tab, then click the Manage Website Settings button to the right of the Allow Java option. A new pane appears, listing the Web sites that have encountered the Java plug-in (you cannot manually add Web sites). Click the pop-up menu to choose from four levels of Java access for that site: Ask Before Using, Block Always, Allow, and Allow Always.

[image link] [4]

The Block Always and Allow Always options are fairly straightforward in their behavior, with the Java plug-in stopped each time with the former (though the rest of the Web site will render) and always initiated with the latter. However, Apple warns that the Allow Always option should be used only for thoroughly trusted sites, such as a company intranet site (and we at TidBITS concur).

Choosing the Ask Before Using option reverts to the initial behavior of querying you whether to allow or block the Java plug-in each time it’s encountered. Note, however, that if you choose to block the Java plug-in from running when asked, the Web site will be marked as Block Always in Safari’s preferences — there’s no way to block the plug-in for a single visit (but you can always return to Safari’s preferences to allow it again).

If you choose Allow, the Java plug-in will run without bothering you as long as there are no critical security issues percolating in your currently installed version of Java. If an update is available, you’ll be directed to download that version.
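To make the four per-site levels and their interaction with the Java-update check concrete, here is an added Python model of the decision logic as this article describes it. It is not Apple's code; the handling of an Allow click at the prompt (treated as one-time and subject to the same update check) is an assumption, since the article only specifies what a Block click does.

```python
# Model of Safari's site-by-site Java plug-in policy (added illustration, not Apple's code).
from dataclasses import dataclass, field

ASK, BLOCK_ALWAYS, ALLOW, ALLOW_ALWAYS = (
    "Ask Before Using", "Block Always", "Allow", "Allow Always")
LEVELS = {ASK, BLOCK_ALWAYS, ALLOW, ALLOW_ALWAYS}


@dataclass
class JavaSitePolicy:
    # site -> level; a site appears only after Safari has met the plug-in there
    sites: dict = field(default_factory=dict)

    def set_level(self, site, level):
        """Change a listed site's level from the preferences pane.
        Sites cannot be added by hand, only re-levelled once seen."""
        if site not in self.sites:
            raise KeyError(f"{site} has not been seen by Safari yet")
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.sites[site] = level

    def decide(self, site, java_update_available, answer=None):
        """Return (action, level) for a page on `site` that embeds a Java applet.

        java_update_available: a critical fix for the installed Java is pending.
        answer: "allow" or "block" if the user answered a prompt, else None.
        """
        level = self.sites.setdefault(site, ASK)
        if level == BLOCK_ALWAYS:
            return "block", level        # rest of the page still renders
        if level == ALLOW_ALWAYS:
            return "run", level          # trusted (e.g. intranet): run regardless
        if level == ALLOW:
            return ("update", level) if java_update_available else ("run", level)
        # ASK: prompt on every visit; a Block answer is remembered as Block Always,
        # so there is no one-visit block, only a later change in preferences.
        if answer == "block":
            self.sites[site] = BLOCK_ALWAYS
            return "block", BLOCK_ALWAYS
        if answer == "allow":
            # Assumption: Allow at the prompt is one-time and still checks for updates.
            return ("update", level) if java_update_available else ("run", level)
        return "prompt", level
```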

In addition to the Java options, Safari 6.0.4 fixes a WebKit-related zero-day vulnerability that was uncovered by the Pwn2Own hacking competition in March 2013. According to Apple’s security notes [5] for the update, the update closes a hole with SVG files that could lead to the standard “unexpected application termination or arbitrary code execution.”

On the Java side of things, both Java for OS X 2013-003 [6] (63.92 MB) and Java for Mac OS X 10.6 Update 15 [7] (63.39 MB) update Java SE 6 to version 1.6.0_45, which eliminates a large number of vulnerabilities [8] found in the previous version of Java (version 1.6.0_43). The updates mirror the changes made to the latest version of Java SE 7 [9], which is available only from the Oracle Web site, since Apple stopped releasing its own versions of Java with version 7 (see the release notes for 1.7.0_21).

All of these updates are available via the App Store app (Lion and Mountain Lion) or Software Update (Snow Leopard), and as direct downloads, apart from Safari 6.0.4, which must be downloaded from the Mac App Store. For the Java updates, Apple reminds you to quit any Web browsers and Java applications before installing.

As we noted in the last round of Java updates [10], this might be a good time to remove Java entirely from your system if you don’t rely on Java for any critical applications. Some major apps that still use Java include CrashPlan, Adobe Creative Suite, Minecraft, and OpenOffice. To learn how to extract this increasingly troubled technology from your Mac, check out Rich Mogull’s Macworld article [11] on disabling Java, which also includes instructions on how to isolate its use in the Safari, Chrome, and Firefox browsers.

[1]: http://support.apple.com/kb/DL1569
[2]: http://support.apple.com/kb/HT5678
[3]: http://tidbits.com/resources/2013-04/java-website-ask.png
[4]: http://tidbits.com/resources/2013-04/java-website-options.png
[5]: http://support.apple.com/kb/HT5701
[6]: http://support.apple.com/kb/DL1572
[7]: http://support.apple.com/kb/DL1573
[8]: http://support.apple.com/kb/HT5734
[9]: http://www.java.com/en/download/mac_download.jsp
[10]: http://tidbits.com/article/13607
[11]: http://www.macworld.com/article/2028900/how-to-disable-java-on-your-mac.html