Java for OS X 2013-002 and Java for Mac OS X 10.6 Update 14
Less than two weeks after its last Java updates, Apple has released Java for OS X 2013-002 for OS X 10.8 Mountain Lion and 10.7 Lion and Java for Mac OS X 10.6 Update 14 for 10.6 Snow Leopard. Apple’s security page notes that these updates address two critical vulnerabilities (CVE-2013-0809 and CVE-2013-1493), the latter of which has been actively exploited to, according to Oracle, “maliciously install the McRat executable onto unsuspecting users’ machines.” Once installed, McRat can then download
further malware onto the affected computer. Both updates bring Java SE 6 up to version 1.6.0_43. The updates are available via the App Store app or Software Update and direct download, and Apple reminds you to quit any Web browsers and Java applications before installing either one.
If you don’t rely on Java for any critical apps, it might be time to remove Java entirely from your system. Over at Macworld, Rich Mogull recommends doing this, and describes how to extricate it from your Mac. If you need Java to run an app (such as the CrashPlan backup utility), Rich also explains how you can isolate Java by disabling it in the Safari, Chrome, and Firefox browsers. (Free, 63.8 MB and 69.3 MB)
"If you don’t rely on Java for any critical apps . . ."
How do I determine this?
There's no way to determine whether any given app uses Java, as fas I know, but there are some common apps that do. Notably:
* Adobe Creative Suite
See this article for others.
Aside from using specific apps like Adobe Creative Suite and Adobe Elements, I visit a number of financial service sites that rely on Java. In fact, both my banking and investment broker sites, which I visit daily, require Java. In short, it seems that I have no choice but to keep updating it.
I’m running OS X 10.6.8 and plan to continue using it for the foreseeable future. So far, I’ve experienced none of the Java-related issues that I read so much about. Same goes for Adobe’s much despised Flash plug-in.
I’ve filed the Macworld piece on removing/disabling Java, but for the time being I’ll keep doing what I’ve been doing: when I’m informed about updates, I download them, then nose around the web for any major issues related to them. If nothing serious surfaces in a week or two, I install them. So far, so good.