
Apple Strips Java Browser Plug-Ins From Mac OS X

Apple’s latest Java update for Mac OS X not only fixes a number of security flaws, it also removes the browser plug-in from the user’s system, according to the company.

“This update uninstalls the Apple-provided Java applet plug-in from all web browsers,” Apple said in documentation accompanying the update last week.

Java applets removed

The move, which follows a series of security incidents in recent months, means that users who install the update will no longer be able to run Java applets in their browsers. If Java is required, users will see a “Missing Plug-in” notification and a download button.

To run Java applets, users will need to download Oracle’s runtime and run this alongside the Apple-provided software already on their system. Previously Apple’s Mac OS X-tuned Java carried out all of the operating system’s Java functions.

Java has been hit by a number of security incidents over the past few months. In August, Oracle issued an out-of-band security patch to fix a flaw found by Polish security firm Security Explorations. A few days following the patch’s release, however, Security Explorations found another potentially serious security flaw.

The new flaws were fixed in Oracle’s update last week, but not before hackers actively exploited them.

For Mac users the situation has been complicated by the fact that Apple handles Mac security patches for Java 6, meaning that each time Oracle issues a Java 6 patch Apple must adapt it for Mac OS X, a process that can take anywhere from one day to several weeks. In 2010 Apple handed full responsibility to Oracle for future versions, meaning that Oracle directly handles Java 7 updates for the Mac.

Flashback infections

In March and April hundreds of thousands of Macs were infected by the Flashback worm, which made use of a Java vulnerability. At that time Apple was criticised for its slowness to patch the flaw.

Apple’s response to Java’s security problems has been to progressively limit Macs’ use of Java in browsers, the vector through which Java attacks are generally carried out. Beginning with OS X 10.7 (Lion), Apple stopped shipping OS X with Java pre-installed, and a more recent update tells browsers to switch Java off if it hasn’t been used lately.

The company’s moves are a sound response which limits Mac OS X’s exposure to security problems, according to Paul Ducklin, head of technology at security firm Sophos.

“For some time (our) advice has been to get rid of Java altogether if you don’t need it, or to ban it from your browser if you use Java only for running pre-installed applications,” he wrote in a blog post.

He noted that the latest Java updates fix 30 security holes in total, all but one of which could allow the execution of malicious code on a system.

Oracle’s next scheduled update for Java is planned for 19 February, 2013.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
