
Critical Patches for Java Released – Patch Now or Put it Out of its Misery

Posted on July 16th, 2014 by

Oracle, the maker of Java, has released a flood of security patches affecting a wide array of its products.

In all, Oracle has released some 113 security fixes in its July Critical Patch Update, addressing holes in a plethora of products and services.

But what most computer users are likely to be interested in are the newly-released security patches for Java.

In total, Oracle's security update is said to fix 20 vulnerabilities in Java, all of which can be exploited by remote hackers bent on breaking into and compromising your iMac or MacBook.

If that sounds far-fetched, then you don't have a very good memory, because Java security holes have caused considerable problems for Mac users in the past.

For instance, back in 2012, the biggest Mac malware attack of all time - known as Flashback - hit more than 600,000 Macs after exploiting a Java vulnerability.

In that case, simply visiting a malicious webpage on a Mac that was running an out-of-date version of Java could cause the Flashback malware to infect the computer without any user interaction.

So, what should you do?

Well, firstly you need to decide if you want to carry on using Java or not.

The vast majority of modern websites don't require Java, so chances are that you don't need Java enabled in your browser. (By the way, note that Java and JavaScript - despite the similarity in names - are entirely different things.)

If you don't think you need Java on your home computer, then my advice is to disable Java in your browser and see if you notice any repercussions.

In all likelihood, you won't notice any difference at all - but you have just made your online experience much safer.

Things get more complicated, however, in a corporate environment where it is possible your IT team wants staff to use legacy applications that require Java to be installed and enabled. Again, the easy way to find out is to disable Java in your browser and see if anything stops working - but it might be better politically if you ask your IT support department first.

If you still really do need Java

If you find that you do need to use Java for particular websites or applications, then make sure to update it on your Mac today.

If you ignore Java security updates, then you are effectively playing a dangerous game of Russian Roulette with your computer. Because of its reputation for being riddled with security holes, Java has become one of the top targets for cybercriminals.

To reduce the threat, you could consider only enabling Java in one particular browser (say, Firefox rather than your normal Safari) and only use that browser for those particular websites or applications that require Java support. That way you'll have a safer browser without Java for your regular online activity.

If you don't need Java

Put it out of its misery. It's a technology that is slow and clunky and has been beset with security problems. You'll be doing yourself a favour if you can afford to remove it entirely from your computer.

Oracle has published instructions on its website explaining how Mac users can uninstall Java 7.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Coyote

    Re: “(By the way, note that Java and JavaScript – despite the similarity in names – are entirely different things)”
    It is indeed unfortunate that Netscape decided to change the name. I never thought of it in this way (as in confusing some) but it is actually quite good you point it out. And actually, it is more complicated than I knew. W3:
    “… the original name was Mocha, …, was changed to LiveScript, then upon receiving a trademark license from Sun, the name JavaScript was adopted …”

    I do not remember the fact that Sun had anything to do with it but in retrospect it makes sense, given the name. That leads me to point two: I find it unfortunate that of all companies to take over Sun Microsystems, it would be Oracle. Not that Java was perfect before, but… Oracle has a terrible record. And unfortunately they are able to claim being the creators of but they are more like the adopters of. Shame that, as I have fond memories of SunOS and later Solaris… and I know that if they modified it (which I know they claim rights to it and I somehow imagine they modified it too) then it is not what it used to be…

    I’ll refrain from any remarks on Java otherwise.