
Originally published March 3, 2013 at 3:15 PM | Page modified March 3, 2013 at 3:15 PM


Java breaches and other security news

It’s time to disable or even remove Java from your Mac, and use a virtual private network for Wi-Fi.

Special to The Seattle Times


Practical Mac

Apple security is in the news again, only this time with a different focus. A vulnerability didn’t just potentially expose Mac users to trouble. Computers within Apple itself were compromised.

The culprit? Java, the third-party development environment designed to let developers write apps that can run on any platform. Unfortunately, malicious hackers continue to find weaknesses in Java (and Flash) that are leading to disruptions. In this case, it was the Java Web plug-in used by browsers.

The company says no data left Apple, and it identified the malware and issued a quick fix to patch the hole. But the problem does affect Mac users outside the Apple wall. Be sure to run Software Update (found under the Apple menu) to get the latest version of Java supplied by Apple.

However, there’s a better solution: It’s time to disable or even remove Java from your Mac.

When you run Apple’s Java update, the company is doing half the job for you by disabling Java in Safari. The recent breach occurred when employees accessed an iOS development Web page that had a maliciously crafted Java applet; Web pages are common attack vectors.

You can turn Java back on in Safari’s preferences, in the Security pane, but if Safari doesn’t encounter any Java applets for a month it will disable the feature again. (Note that despite sharing letters, JavaScript has nothing to do with Java, so you don’t need to disable JavaScript.)

If you usually run Google’s Chrome as your browser, type chrome://plugins in the address bar. Then scroll down to Java(TM) and click the Disable link. Or, if you use Firefox, go to the Tools menu and choose Add-ons; click the Plugins button, find Java Applet Plug-in, and then click the Disable button.

My colleague Rich Mogull, a computer-security expert, now recommends removing Java entirely because of its vulnerabilities and the level of damage an attacker can cause by exploiting them. He elaborates why and how to do it in an article at Macworld.

I can’t yet do that because I rely on CrashPlan (www.crashplan.com) to back up my Mac’s data, and CrashPlan’s application is currently built in Java. But I’ve disabled the Web plugins.

Cloak. This talk of security reminds me of a product I saw at Macworld/iWorld last month. Cloak (www.getcloak.com), developed in Seattle, secures wireless Internet connections by establishing a VPN (virtual private network). Any nefarious owner of a Wi-Fi hot spot, or even someone in the same cafe as you who is scanning traffic, can’t decrypt the data you send and receive.

VPNs for the Mac aren’t new; many companies require secure connections for employees working from home, and companies like WiTopia (www.witopia.net) offer accounts that you can set up in OS X’s Network preference pane or by using the company’s software.

What I like about Cloak is how unobtrusive it is. I’ve set it up so that it automatically secures the line when I connect to an untrusted network, such as a coffee shop’s Wi-Fi hot spot that doesn’t require a password. Cloak’s menu bar icon turns blue and a notification appears to indicate it’s running.

By default Cloak trusts password-protected Wi-Fi networks, but I disabled that option since many places I frequent do use passwords (which are posted at the register).

But more impressive to me is Cloak’s OverCloak mode on the Mac. One problem with VPN services is that they take a few seconds or minutes to start up, during which time email, Twitter, Messages, and other applications make network connections — bypassing the very need for a VPN. OverCloak locks down your Mac’s network and allows only essential data (DNS, HTTPS, and SSH). Once Cloak has established an encrypted connection, it releases the lock.

The Cloak application is free for OS X and iOS. A Basic Plan costs $8 per month for 20 GB of data transferred, and a Pro Plan costs $15 for 50 GB of data transferred. A free 30-day trial gives you 5 GB of data.

Jeff Carlson and Glenn Fleishman write the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to p@mac.com. More Practical Mac columns at seattletimes.com.
