As if advice from SophosLabs' own Fraser Howard and the US Department of Homeland Security were not enough reason to ditch Java, Apple and Mozilla have both decided to join the party.
This afternoon, Friday January 11th here on the North American West coast, Apple released an updated malware definition list for their XProtect pseudo-antivirus protection in OS X Snow Leopard and newer.
Instead of identifying a new virus, this updated definition temporarily disabled the Java Web Start browser plugin that enables Java applications to run inside of Safari/Firefox/Chrome.
While the reports have been stating the issue is with Java 7, there are reports from researchers that Java versions 1.4 and higher are all vulnerable to this flaw.
It appears that Apple has learned an important lesson from this time last year. CVE-2012-0507 was fixed by Oracle in February, but Apple didn't make the patch available until April.
The result? Over 600,000 Macs were infected with malware in the interim.
Mozilla is no slouch when it comes to security and has implemented an almost identical procedure. Mozilla has added all current releases of Java to its add-on blocklist.
In Mozilla's announcement they explain that plugins on the blocklist are forced into utilizing Firefox's Click to Play functionality.
This can be a double-edged sword when it comes to known vulnerable plugins.
The advantage to this approach is that you are prompted every time a website wants to launch a Java applet and you can make an informed decision as to whether you truly need that applet.
The problem is you need to be informed and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protection they need against drive-by attacks.
It is good to see everyone agreeing on the risk this vulnerability poses and getting the word out or actively protecting users against the threat.
Want to understand more about Java? Why Java isn't JavaScript? Listen to this Techknow where Paul Ducklin and I explain what you need to know.
 