Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

 

 

Pick an apple! 
 
Quickly Attach to an Email Message

Want to start an email message that requires an attachment? Save a step or two by dragging the file's icon onto Mail's Dock icon - Mail automatically opens a new message window with the file already included as an attachment.

Visit MacTipster Blog

Submitted by
Sharon Zardeto

 
 

FlippedBITS: Java, JavaScript, and You

Send Article to a Friend

Lately, there have been a lot of news reports about security concerns with Java, Java-related software updates from Apple, and numerous conjunctions of the words “Java” and “danger.” At the same time, I’ve observed an enormous amount of confusion over what Java is, what the potential problems are, and what the consequences of getting rid of Java might be. There’s further confusion over Java updates coming from Apple versus Java updates coming from Oracle; what a Java Runtime is; how JavaScript relates to Java (spoiler: not at all), and more. In this installment of FlippedBITS, I’m going to attempt the quixotic undertaking of sorting all that out for you.

Let’s start at the beginning.


Java, East of Krakatoa -- Java is the name of the fifth-largest (and most populous) island in Indonesia. I’ve been there a couple of times, most recently when I turned 40. My wife and I hiked up to the rim of Mt. Bromo, an active volcano, at sunrise on my birthday. Come on over some evening and we’ll show you our slides over a nice cup of… java. It so happens that a great deal of high-quality coffee is grown on the island of Java, hence the nickname. (It also so happens that I single-handedly consume 3.5 percent of the world’s coffee; hence another nickname for coffee, “Joe.”) In the early 1990s when a team of engineers at Sun Microsystems was developing a new programming language, they toyed around with several names before settling on Java, allegedly because they, too, were coffee enthusiasts.

Image

So, for our purposes, Java is a programming language. I could tell you that it’s an object-oriented language largely based on C++, but if you’re a programmer you already know that, and if you aren’t, you wouldn’t care. Let’s just say that as programming languages go, Java is a pretty nice one. It’s powerful, popular, and — crucially — designed in such a way that once a Java application is compiled, it can run on many different platforms. That’s right, a given Java application can run on a Mac, a Windows PC, a Linux PC, or a smartphone without any modifications. (In practice, that’s a bit of an oversimplification, but it’s a convenient fiction.)

How does Java pull off this feat of legerdemain? It relies on something called a virtual machine. If you’ve ever run Windows or Linux on your Mac using an application like Parallels Desktop or VMware Fusion, you already have a general idea of what a virtual machine is — it’s an environment, created in software, that functions like a physical computer. Just as a Windows virtual machine lets you run Windows on a Mac (or even within another copy of Windows), the Java Virtual Machine (JVM) lets Java software run on any platform. Each host platform has a different JVM that’s designed to run on its physical hardware — for example, Intel x86 chips have one JVM, while ARM chips have a different one.

Now, there’s a little more to it than that, so please bear with me for two slightly technical paragraphs.

First, when I say the JVM lets “Java software” run on any platform, the software I’m referring to is what’s known as Java bytecode. Java bytecode isn’t Java as such, but rather a sort of intermediate language created when Java code is run through a program called a compiler. Ordinarily, this distinction wouldn’t be important to a non-programmer, except it turns out that other programming languages besides Java can also be compiled into Java bytecode, and then run by the JVM. So, someone could write a program in, say, Python or Ruby, and use a special compiler to build that into something that, as far as the JVM is concerned, is indistinguishable from a program written in Java. In this article, we’re concerned with any software that runs in a JVM, regardless of what language it was written in.

Second, a JVM by itself is usually not enough to enable Java bytecode to run on a computer. You also need a platform-specific version of the Java Class Library, which tells the JVM how to do particular tasks on that platform. For example, maybe a Java program contains an instruction to play the system beep sound. Mac OS X does that one way, while Windows does it another way. So, the Java Class Library takes an instruction that the JVM is trying to send to the host platform and passes it on in the form the host platform expects. The JVM and the Java Class Library are almost always distributed together as a package, and that package is known as the Java Runtime Environment (or JRE), commonly shortened to “Java Runtime.” The Java Runtime is sandboxed (much like iOS and Mac App Store apps), which was supposed to help with security, but secure sandboxes are extremely difficult to develop, and the Java sandbox hasn’t fared well — I’ll return to that issue shortly.

To sum up thus far: Any device with a Java Runtime installed can run Java bytecode, which may have been originally written in Java or some other language.

Once Upon a Platform -- In the early days of Mac OS X, Apple not only included a built-in Java Runtime (licensed from its then-owner Sun), it actively promoted Java as a “first-class citizen.” Developers were free to write their applications in Objective-C, Apple’s own programming language that was originally part of NeXTSTEP, or in Java. Either way, users would end up with a valid application that looked and felt (more or less) native. (Java apps have often been criticized as feeling “not quite right” because they often use interface elements that are different from those of native Mac apps, but that’s a relatively minor point.) As a result, lots of Mac apps were — and a few still are — written in Java.

Java isn’t just for stand-alone, double-clickable applications, mind you. A Java applet can also be embedded in a Web page. Assuming your computer has a Java Runtime installed, your browser has a Java plug-in (to support embedded applets), and Java support is enabled, highly complex programs called applets can run right inside your Web browser. Before Flash and Silverlight began to catch on, Java applets were a common way to add interactivity and complex computational capabilities to Web pages.

But over the years, Java has gone from first-class citizen to suspiciously regarded foreigner (and not just on the Mac). The whole story is long and twisted, involving a combination of technical, legal, and political issues. I’ll hit just a few recent highlights.

Java — including the tools to develop and compile it, the runtime environments, and various other pieces — has been open-source since at least 2007, but it’s maintained primarily by Oracle Corporation, which acquired Sun Microsystems in 2010. Although Oracle’s implementation of Java isn’t the only one, it’s as close as you can get to the “official” version. For a long time, the version of the JRE Apple included with Mac OS X was always several months or more behind Oracle’s latest version. And this was a problem when, for example, a security flaw was discovered. Oracle might fix it quickly, but Macs remained vulnerable for some time, until Apple caught up.

Let’s talk about those security flaws for a moment. I’m sorry to say the Java Runtime has had a lot of serious security problems, and more turn up all the time. (To be precise, Apple’s Java updates in 2013 alone address 56 unique vulnerabilities.) Notice that I said Java Runtime — it’s not the Java programming language itself that has issues, but rather the environment used to run Java bytecode. Even then, the real problem isn’t the Java Runtime as such, but rather the fact that if your Web browser has a Java plug-in installed and enabled, and you happen to visit a Web page that contains a malicious Java applet, it can do all sorts of serious damage. Some of the flaws enable Java code that’s supposed to stay safely within your Web browser to jump outside the sandbox, as it were, and cause all sorts of mischief elsewhere on your computer. It’s nasty, nasty stuff. And the bad guys have been working overtime to find and exploit these security holes.


Apple has used multiple tactics to address these problems, and for some time now has been trying hard to push users in the direction of not using Java at all.

Starting with Mac OS X 10.7 Lion, Apple no longer includes a Java Runtime with the operating system, but if you try to run a Java app, your Mac prompts you to download and install Java Runtime – it’s a matter of a few clicks. What you get if you do that is not the latest release. Apple gives you a version of Java 6 (that is, build 1.6.x), whereas the latest from Oracle is Java 7 (that is, build 1.7.x). If you want Oracle’s version, you can download it, and installing it will override Apple’s version. But you probably shouldn’t do that, because Java 7 has had even more security issues than Java 6. For the time being, Apple is actively updating its version of Java 6 with security patches, while Oracle is maintaining Java 7 with comparable fixes. And, unlike in past years, Apple is now delivering many of those patches just as fast as Oracle. In addition, Apple has blocked Safari from using certain particularly vulnerable versions of the Java plug-in. (Meanwhile, Java isn’t available at all on iOS, and you can see why.)

Joe on Java -- I want to reiterate two main points to be sure they’re crystal clear. On the one hand, neither the Java programming language nor the Java Runtime will hurt you or your Mac. Merely having the Java Runtime installed does not introduce any security risks. In fact, even running stand-alone Java applications is safe, as long as they come from well-known sources. Or, to put it differently, it’s just as safe to run a stand-alone Java app as it is to run any other app (because, after all, any app could in theory be compromised).

On the other hand, having Java enabled in your browser is, at this point, wildly dangerous. I strongly suggest turning it off. To do this in Safari, choose Safari > Preferences, click Security, and uncheck Allow Java. In Chrome, visit chrome://plugins and click the Disable link underneath Java. In Firefox, choose Tools > Add-ons, click Plugins, and click the Disable button next to the Java Applet Plug-in.

If you’re using the latest version of Safari, you can enable Java selectively for individual Web sites (leave Java enabled, but then agree to each site’s usage of Java individually if you’re sure it’s safe; for details, read “Safari Updates Add Extra Layer of Java Protection,” 26 April 2013). But the number of Web sites that legitimately use Java these days is small indeed, and I suggest leaving Java off in your browser unless you’re absolutely certain you need it.

Now, in case you’re wondering if you should go ahead and uninstall the Java Runtime altogether, I’ll lay it out for you. If you’re running Lion or later, you’ll have the Java Runtime on your Mac only if you tried to run a Java app (in which case, if you still want to run that app, you still need Java Runtime) or you downloaded it from Oracle yourself (again, presumably because you needed it). If you’re running CrashPlan, which I strongly endorse, you currently need Java. (CrashPlan developer Code 42 Software is working on a non-Java version of CrashPlan for Mac, to be released later this year.) Portions of Adobe Creative Suite, including Photoshop, rely on Java. So do OpenOffice, a few games, and a handful of productivity apps. If you need an app that relies on Java, you must hang onto the Java Runtime. Stick with Apple’s version of Java, and turn it off in all your Web browsers.

If you don’t need Java but still have it installed, you can uninstall it. Rich Mogull has instructions for either uninstalling or disabling it, as the situation warrants, in his Macworld article “How to disable Java on your Mac.”

JavaScript -- So that’s Java. But now we come to another coffee-like computing term: JavaScript. JavaScript is the name of another programming language, originally developed by Netscape. It bears only a vague resemblance to Java, in that both languages drew inspiration from the much older language C. The similarity in names was essentially a marketing stunt. JavaScript was previously called LiveScript, but Netscape apparently wanted to capitalize on the recent popularity of Java, so the company renamed it JavaScript. That’s a shame, because from day one people have assumed that JavaScript was somehow related to Java, but it isn’t. It’s just another language.

Unlike Java, JavaScript doesn’t rely on a virtual machine. However, it is an interpreted language, which means it doesn’t create stand-alone applications, or even applets. Software called an interpreter has to read the raw programming code and execute its instructions on the fly. JavaScript is most often used to add features to Web pages, so virtually every Web browser includes its own JavaScript interpreter.

JavaScript can do an amazing number of things on a Web page, including many of the tasks Java was previously used for. Lots of sites have dynamic menus and other navigational controls created with JavaScript. Photo galleries, Web apps for email and calendars, word processors like Google Docs, and many other common tools rely heavily on JavaScript. You can disable it in your browser if you want to. But don’t. It’s such a useful and pervasive tool that your experience of the Web will become quite poor without it — many sites may not even be usable at all. (And, I might add, JavaScript is available even on iOS devices.)

That’s not to say JavaScript has a perfect security record. Certainly it can be used for lots of annoying things, such as pop-up ads and resizing windows. But JavaScript’s threat level can’t compare to that of Java, because JavaScript can’t reach outside your browser.

Final Thoughts -- I’m quite fond of Java (the island, the drink, and even the programming language). But I’ve turned off Java in all my browsers, and when the Java software I depend on has been replaced with native Mac versions, I’ll uninstall Java and never look back. Java’s “write once, run everywhere” approach is brilliant in theory, but in practice isn’t worth the hassles. As for JavaScript, it’s all good — but don’t be surprised if I tweak my browsers to block pop-up windows and other annoying behaviors.

[Java map by Burmesedays. CC-BY-SA-3.0, via Wikimedia Commons.]

 

Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Apple users who actually buy stuff.
More information: <http://tidbits.com/advertising.html>
 

Comments about FlippedBITS: Java, JavaScript, and You
(Comments are closed.)

Steve Nicholson  2013-05-02 16:41
"In Chrome, visit and click the Disable link underneath Java"

Is there something missing between "visit" and "and"?
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-02 16:56
Try refreshing the page. There is something there, but it wasn't displaying properly at first.
Steve Nicholson  2013-05-02 17:30
There it is! Thanks.
G'day Folks,

Many thanks for this, exactly the article I asked for.

Much appreciated!

Kind regards, Raimund
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-02 18:14
Your wish is my command! Glad you found it helpful.

Joe
John Faughnan  An apple icon for a TidBITS Contributor 2013-05-02 19:23
The Java runtime certainly bypasses the App Store/Signed Code security system. I believe it also runs as Root, so it also bypasses the OS restrictions for apps run by non-admin users.

I don't agree that it's not a security risk.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-02 19:37
My point is, the JRE itself is inert; it needs software to do anything. Someone could write a malicious Java app, but then, someone can write a malicious app in Objective-C and distribute it outside the Mac App Store too.
Ron Colvin  2013-05-06 19:05
Apple is repackaging Oracle's Java 6 updates for OS X. No one should assume that staying on Java 6 is safe since we are well past EOL for Java 6 and soon there will be known vulnerabilities that are only patched in Java 7.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-06 19:10
It's unknown what will happen in the future. Apple could certainly create their own patches for Java 6 problems even if Oracle doesn't. But I think Apple's real hope is that we can all get rid of Java altogether before patches stop appearing. (And remember, Java 7 has had its own problems that go beyond what Java 6 has/had.)
Openreels  An apple icon for a TidBITS Contributor 2013-05-06 19:09
Truly great article! Amusing, clear and really helpful!
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-06 19:11
Thanks! Glad you liked it.

Joe
Josh Centers  An apple icon for a TidBITS Staffer 2013-05-06 19:40
Now if we could just get an Objective-C version of Minecraft.
Rob Lewis  2013-05-06 20:01
I read somewhere that the official name of JavaScript is ECMAscript, "ECMA" being the European Computer Manufacturers Association. How does this relate to Netscape?

On the alleged portability of Java, people used to joke that the claim that you could "Write once, run anywhere" should really be "Write once, debug everywhere". Maybe the situation has improved with later versions.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-06 20:05
On the subject of ECMAscript, you may find this Wikipedia article helpful:

http://en.wikipedia.org/wiki/ECMAScript


Joe
Daniel Cohen  An apple icon for a TidBITS Contributor 2013-05-06 23:45
I had assumed that Oracle's Java would bee safer than Aple's but I gather from you that this is not so. I need Java for CrashPlan, and currently have Oracle's version installed. I suppose what I need to do is to remove it completely, following Rich Mogull's instructions, and then wait for CrashPlan to ask for Java and install Apple's version.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-06 23:46
You can do that, but you'll have to run CrashPlan afterward to get it to prompt you to install Apple's Java—it won't happen automatically.
Norm Harris  2013-05-07 06:26
Joe:
Thanks much. Finally, I now know what is behind that brew.
Appreciate the education and recommendations.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-07 08:12
You're welcome!
Thomas Bassler  2013-05-08 05:16
Thank you for this well-written article which explains Java and JavaScript in plain terms. However, from a software engineering point of view I beg to disagree: A future where C++ (or even Objective C) again replaces Java is not desirable given that Java and its development environment reduce the number of possible software errors dramatically. (And yes, I have professional experience with all three of these languages.)
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-08 09:44
As I said in the article, I like Java as a programming language. My feeling is that the security risks associated with the JRE outweigh the considerable benefits of Java. That's not to say C++ or Objective-C is the last word in programming languages, and I hope to see better alternatives in the future.

Joe
Patrick McClure  An apple icon for a TidBITS Contributor 2013-05-08 10:02
Hi, Joe

FlippedBITS is the best series I've seen in TidBITS, thanks so much. And it's inspired your best writing. With previous experience as both a programmer and documentation writer, I know how difficult it is to be clear and concise, and yet communicate a complete idea. But you're doing it.

Cheers
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-08 10:23
You're too kind! Thank you!
Peter White  2013-05-09 05:28
great article that finally explains the details.

Can you please do one on flash?
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-09 08:12
Glad you liked the article. Pretty much everything I'd want to say about Flash (get rid of it, except maybe in Chrome) is covered in this article by Rich:

http://tidbits.com/article/13545


Joe
You say "Portions of Adobe Creative Suite, including Photoshop, rely on Java." If that's true, how come both Photoshop CS5 and Photoshop CS6 run fine on my Snow Leopard Mac, even though I have both of the Java 6 checkboxes *unchecked* in the Java Preferences utility? Doesn't that mean I've disabled the JRE?
Joe Kissell  An apple icon for a TidBITS Staffer 2013-05-12 10:59
I'm not sure what that preference does, and the behavior may be different in Snow Leopard. But see this article from Adobe on Lion and later:

http://helpx.adobe.com/x-productkb/global/known-issues-mac-os-10.html

Joe
Joe, you say "Java 7 has had even more security issues than Java 6". Please let us know when you feel that it is safe and appropriate to upgrade to Java 7. Thanks.
Joe Kissell  An apple icon for a TidBITS Staffer 2013-06-19 19:24
My advice, actually, is to ditch Java as soon as possible :-). And, until then, stick with Apple's Java 6. I'm not aware of any benefits to using Java 7, security issues aside.