Java in crisis?

We all use Java every day : stand-alone Java applications like Topcat and Aladin; in-web-page Java applets (Aladin again); and on the server side (e.g. WSA and VSA). But now it seems there is a security crisis; serious people are telling us to disable or remove it. Wuh ? At the risk of boring the ungeeks let me explain how I just stumbled into this understanding. It's a classic tale of confusion, coincidence, and mysterious disappearances.

I am a big fan of Tiddlywiki. It's a personal wiki – a kind of hyper-notebook. You run it on your own computer, or even from a memory stick. It's very clever. Just a single html file, containing both your text, and the javascript needed to edit it. The tricky bit comes when you want to save your changes. That requires your browser to write a file onto your computer – a new version of that single html file. That's done with Java, as opposed to javascript. You place a file called “tiddlysaver.jar” in the same directory and it does the work. You have to give explicit permission to write onto your disk of course. We ain’t nuts.

So… recently … for reasons I won’t bore you with, I wiped my Firefox installation and made a new one. (Well ok – my wordpress front page widgets weren’t working, and after many tortured days, it was the only fix that worked.) A few days later I tried to update one of my tiddlywiki notebooks. It wouldn’t save. Trawled through various FF settings but couldn’t fix it. So I tried to do my edits in Safari. Same. And Chrome. Same. Oh. Maybe the FF change was a coincidence ? If it fails everywhere, it must be a MacOS problem? Then I suddenly remembered I’d had the identical problem when I upgraded to Mountain Lion. Sensible chap that I am, I’d left myself a wee note. It said “go to the Java Preferences app and tick the box that says enable applet plugin“. So, off I goes. Hmm. No such checkbox. Must have been removed in some recent system upgrade.

Now… a few weeks back I had a hair tearing Time Machine problem. Apparently my backup was going to take 11,158 days. I spent several days fretting about this on and off and wondering what I had screwed up. Then lo! A new Software Update was announced which amongst other things said “this also fixes a problem some users may have been having with Time Machine backups”. And yea, indeed, verily did the SU completely fix this problem. Grrr. Wasn’t me at all. Wish I’d known.

So… maybe it's another Apple SNAFU. Is there a new SU ? Yup. And look! It's a Java update! But … (a) it still didn’t fix the problem and (b) the Java Preferences app has completely disappeared !! I check out the “more detail at apple support” page. This says

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

This update also removes the Java Preferences application, which is no longer required to configure applet settings.

Click on the region ? What region ? What the hell does that mean?

Then I read a bit more on the Tiddlywiki home page. It seems all the major browsers are clamping down on Java, disabling by default, and making you jump through more hoops. For Firefox there is a specific Tiddlywiki fix – a FF extension called TiddlyFox. So at least I am (temporarily) sorted…

On Chrome, if you try to run an applet like Aladin, you get a banner saying “Java(TM) is needed to run some elements on this page” and there is a button labelled install plug-in. This takes you to an Oracle page which says

Chrome does not support Java 7. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser.

If you download Java 7, you will not be able to run Java content in Chrome and will need to use a 64-bit browser (such as Safari or Firefox) to run Java content within a browser. Additionally, installing Java 7 will disable the ability to use Apple Java 6 on your system.

OK, screw that then. How about Safari ? The Aladin applet seems to run ok. But Tiddlywiki does not. This is because it wants to write to your disk. Some documentation on the Tiddlywiki site told me what to do … open Safari preferences, go to “Advanced” and tick “Show Develop menu in menu bar”. Then a new menu item appears in your menu bar called “Develop” with options for grown-ups. (Don’t forget to open the door marked “beware of the leopard”.) Finally move down that menu and mark “Disable local file restrictions”. Yay !! But guess what. That menu item no longer exists. Somebody really doesn’t want us to do this.

Finally … I started roaming around the interwebs the way you do, seeing if other folk had the same probs. I stumbled over this nice Java Tester Page. This is where I first saw the scary words “Java Security Flaw”…  I then followed the link to this article by Michael Horowitz and things began to make sense … sort of.

It seems there are serious security flaws that won’t be fixed until February 2013. Horowitz says

Java is used by both installed applications and websites. If you only need Java for an application, disable it in all your browsers. OS X users on Lion and Mountain Lion had Apple do this for them (more below). Windows users in this situation may want to consider the portable version of Java available at portableapps.com.   If you need Java for a website, enable Java in a browser used only on the site that needs it. For all other websites, use a browser that has Java disabled.

I can remember back when Java was the next big thing. Now, it’s all but a curse word.

Jeez. Gordon Bennett. Is it really true ?

25 Responses to Java in crisis?

  1. Clive Page says:

    I can remember back when Java was the next big thing. Now, it’s all but a curse word.

    I can remember it too, and I think the comment may be justified. Simple explanation: Java isn’t a programming language with an ISO Standard like C, or Fortran, or SQL. It’s the property of a company. That company used to be Sun Microsystems, now it’s Oracle Corporation. Oracle also gained ownership of OpenOffice of course, but fortunately that was an open source product, so many users (like me) have switched to a still open branch called Libre Office. It seems significantly better, and not just because of the ownership.

    More complicated explanation: it’s all the fault of John von Neumann. He invented the architecture in which a single memory space is shared by programs and data. That’s very handy. For one thing, high-level language programming pretty much depends upon it: after all when you feed source-code into a compiler and it translates it into machine-code, it’s just a program reading one data stream and producing another. Then the magical thing happens, and you execute the second data stream, and you are running the program you just wrote. This would be much harder if we didn’t have a single memory space for everything.

    Given the power you have over a computer when you run a program, most cpus and operating systems make it possible to partition your memory space into data space and executable program space. The problem is, this doesn’t match very well what humans want to do with applications. Take a spread-sheet, it’s a horrible mess of intermingled data and instructions. Or a word processor: people wanted to run mailing lists and macros and so a word document isn’t just text, it’s an executable program as well.

    Or an HTML document. Once upon a time it was just some text with simple annotations to get different font effects etc. Then people wanted images and animated GIFs and other fripperies, and the rot set in. The web browser needed a programming language built in to do all this. Javascript does a whole lot, but it was deliberately crippled e.g. so it couldn’t write to disc directly, to avoid the execution of malware. But it wasn’t powerful enough (as you found with TiddlyWiki). Unfortunately any language like Java which is powerful enough to be useful, is also powerful enough to be misused. Which is what seems to have happened here.

    I should note that, after I read much the same stuff as you, I also disabled Java from my usual web browser, expecting lots of web sites to break. But so far none of them have. That’s a very limited sampling of the web, but it makes me wonder if Java is indeed on its way out as something you really need to load in a web browser? As you say, for stand-alone applications like TOPCAT Java is fine (though I still worry about it having a private owner).

  2. Alex Ouzounis says:

    Andy,

    I think you are mixing a few things..:)
    Apple announced last year that it is dropping support for Java because its custom JDK was months behind issuing updates compared to the default sun now oracle implementation. What they did was support Java 6 for old systems and suggest you get Java 7 from Oracle. Oracle provides auto updates on installed JRE installations. That means that now Apple does not have to worry about Java issues. For them to do that they open sourced and handsomely provided all code from their implementation (such as their way nicer Java GUI) to sun to be merged with their default implementation.

    In Mountain Lion default apps + App Store apps are sandboxed like the ones on iOS. That means that apps can only access files within themselves and to go outside they go through APIs. That means that if an exploit for Safari is found all that will happen is Safari to crash and your system will remain uncompromised. Old java applets need to be updated if they access files outside of the browser without using proper APIs (possibly why a particular applet crashes)

    I think all the above actually make Java more secure and put the responsibility to its creators ie Oracle.

    Safari is 64 bit so installing java 7 from oracle (http://www.oracle.com/technetwork/java/javase/downloads/jdk7u9-downloads-1859576.html) will give you a prefpane under the system preferences with all of the usual options. You will also be able to define the default version using the Java Preferences app as always.

    To summarise, Java is stronger than ever because you get the same update at the same time for all platforms. Security patches are available immediately instead of being months late.
    All you need is to install Java 7 from oracle and use a decent browser such as Safari :p
    Hopefully the applet author will update their code to make it compatible also.

    My final word is that making software better and more secure sometimes means breaking old code. That sometimes annoys but it always proves the right approach in the long term.

    Hope I helped 🙂 let me know if I answered your question 🙂

    • Ross says:

      Has anyone actually seen a Java 7 update notification automatically appear on their Mac OS X desktop (or else an automatic update install itself in the background)?

      I had Oracle’s Java 7 Update 6 installed and a month after they had released the “critical” Update 7 security patch release I still hadn’t received any notification that the release had been made. I had to do the update myself after having heard about it by chance. I think this is a much bigger security problem than Apple being slow with updates; it’s no good having releases made quickly if they don’t appear on users’ desktops.

      Note, this article has reminded me to check what the latest version of Java 7 is – I now see they have released Update 9. Still no notification and my system is still running Update 7, unless I update manually…

      • Ross says:

        Ah, I can answer my own question… since these updates only apply to the Java plugin within the browser, their automatic updates are only triggered when you view embedded Java in a webpage with an outdated Java plugin, which I’ve just tested and confirmed as working in Safari. Jolly good.

        My terminal is still running an old version, but that requires a manual re-install (no automatic system updates any more – which explains why andyxl is still on 1.6 there) as Alex points out, and is less of a security risk than Java in the browser.

  3. andyxl says:

    Alex – I understand what you are saying but you are not addressing the point. There are people saying “there are security issues with Java. Switch it off”. So are they wrong ?

    Now if you really want to be helpful… I have a java panel in system preferences. This tells me I have Java 7 version Update 9 aka 1.7.0_09

    But in Terminal if I do “java -version” it says I have 1.6.0_37

    Hmmm

    • Alex Ouzounis says:

      You are confusing the JDK (developer ie terminal) and JRE (runtime environment)

      The prefpane is the JRE ie web browsers and generally user run apps on the GUI.

      The JDK is configured by running java preferences.app (applications/utilities or use spotlight)

      The distinction is simple. For exposed apps oracle will self update. For your developer system ie JDK update whenever you want 🙂

      • andyxl says:

        Alex – no I am not. java -version reports the version numbers of the RE and the VM. I think I don’t even have the JDK because I don’t write software for a living 🙂

    • Ross says:

      The Java panel in System Preferences just reports the version of the Java web browser plugin installed on your system – as you can see from the Java Tester webpage. Your system installation of Java (that you run in the terminal) is still the original Apple version, not the latest Oracle JDK, which won’t be updated before version 1.6, but I presume still receives system security updates. If you move onto the Oracle JDK, like me, you won’t receive automatic security updates for your system install of Java (for terminal use).

      • andyxl says:

        Ross – ok, so this makes sense, because since Apple stopped doing Apple Java, I haven’t done any Oracle updates. So my auto updates have only been browser-plugins..

  4. Alex Ouzounis says:

    One more note.

    Java is not used as much as it did to enhance the web browsing experience due to the huge progress in html5, JavaScript, CSS etc. same thing is happening with Flash.

    That does not mean that it is not needed anymore. Java is number one for web services and even is the language google android operating system uses for all of its apps.

    It’s just that it's getting more mature and it's not filling any gaps (compared to the old days where HTML was basic and JavaScript immature ) in end users web browsing experience 🙂

    Just my thoughts 🙂

  5. Mark Taylor says:

    Andy,

    If I understand your experiences correctly, this is a problem with java applets in browsers, but not with java applications. If that’s true, then it affects (on MacOS only?) e.g. in-browser Aladin and VOPlot, as well as yer tiddlything, which of course is not good. However, it doesn’t affect ability to use, or security of using, either standalone Java applications like desktop Aladin and that TorpCat, or server-side things. Java in web pages was the wave of the future quite a long way back in the past, but has been rather niche for a while now, so “Java in Crisis” may be a wee bit alarmist.

  6. andyxl says:

    I think this is all about applets. JSPs should be fine I guess, and stand alone apps ok. Although … as Topcat communicates with the internet, and can write to your disk, maybe you should find out what these bugs are ! As Alex says, applets are used less these days anyway, but it's still scary.

    I will say that at the moment Safari does seem to do the sensible thing – i.e. when you try to run the Aladin applet in your browser, it does do it, but asks you take responsibility

    • Mark Taylor says:

      I haven’t actually followed the links, but I’m pretty sure that the problem will be an issue with the sandboxing.

      Java in a browser (unsigned applets) differs from java on the desktop in that it is supposed to be blocked from doing potentially harmful things, like reading your emails, deleting all your files, looking out through your webcam, etc, even if it tries to do so. The point of that is that if you visit a web page, you expect that it’s not going to do anything too bad, while if you download, install and run an application (outside the browser) you will, or at least should, have your wits about you. You (have to) trust the author of a desktop application, whether it’s written in Java, C, F77 or whatever because there’s nothing to stop it doing the same things you can type at the command line. You don’t have to trust the author of an applet, because special measures are in place to prevent an applet being able to do anything bad, even if it tries to. This bug will be a hole in that security model; a sufficiently capable *and* ill-intentioned applet author is able to do things that he’s not supposed to be able to.

      Whatever the problem is, it’s not going to make desktop java any more dangerous than C, Fortran or anything written in a normal non-sandboxed environment. In the worst case, it will make applet-java as dangerous as those things.

      So, really, don’t start losing sleep over whether a desktop java application like TOPCAT is going to corrupt your filesystem or steal your AGP notes. It would only do that if the author was an evil sociopath. Heh.
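Mark's description of the two trust models (a desktop application that can do anything the user can, versus an unsigned applet that is refused file and network access before it happens) is exactly what Java's `SecurityManager` implements. The following is an added illustration, not code from the post, from TOPCAT or from any of the commenters: it runs the same three permission checks before and after installing the default `SecurityManager` with the JDK's default policy, which models the unsigned-applet case. It assumes a JDK on which the `SecurityManager` still exists (it was removed in JDK 24; JDK 18 to 23 require `-Djava.security.manager=allow` on the command line). The `localhost:443` endpoint is a constructed sample value.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

/**
 * Added illustration (not from the original post). The same checks are run
 * twice: first with no SecurityManager (a desktop application), then with
 * the default SecurityManager and default policy (an unsigned applet).
 * Expected output: all three checks true in the first line, all false in
 * the second, because the default policy grants application code nothing
 * beyond a handful of harmless system properties.
 */
public class SandboxDemo {

    /** Returns true if the current sandbox (if any) would allow the permission. */
    static boolean isPermitted(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return true; // no sandbox: the program can do whatever the user can
        }
        try {
            sm.checkPermission(p); // throws SecurityException when the policy does not grant it
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    /** Checks the things Mark lists: reading your files, writing them, talking to the network. */
    static void report(String phase, String home) {
        // "<home>/-" is FilePermission syntax for the directory and everything below it.
        Permission readHome = new FilePermission(home + File.separator + "-", "read");
        Permission writeHome = new FilePermission(home + File.separator + "-", "write");
        // Constructed sample endpoint; any host:port the policy does not grant behaves the same.
        Permission connect = new SocketPermission("localhost:443", "connect");
        System.out.printf("%-22s read home: %-5b write home: %-5b network connect: %-5b%n",
                phase, isPermitted(readHome), isPermitted(writeHome), isPermitted(connect));
    }

    public static void main(String[] args) {
        // Read user.home up front: once the sandbox is on, even that property is off limits.
        String home = System.getProperty("user.home");

        report("desktop (no sandbox):", home);

        // Default SecurityManager + default policy: this is the applet-style sandbox.
        // On JDK 18 to 23 this line throws UnsupportedOperationException unless the JVM
        // was started with -Djava.security.manager=allow.
        System.setSecurityManager(new SecurityManager());

        report("applet-style sandbox:", home);
    }
}
```

Compile and run with `javac SandboxDemo.java && java -Djava.security.manager=allow SandboxDemo`. The point Mark makes follows directly from the second line of output: the sandbox refuses the operations before they are attempted, so a hole in it (a way to run code with the manager bypassed or with a policy that grants more than it should) puts applet code back in the first line, where it is no more and no less dangerous than any program you chose to install.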

  7. Java in crisis? Java is a crisis!

  8. “a few weeks back I had a hair tearing Time Machine problem”

    I note that your WordPress mug shot doesn’t show the top of your head. 🙂

  9. Norman Gray says:

    There’s a short article in Ars Technica http://arstechnica.com/information-technology/2012/10/java-still-has-a-crucial-role-to-play-despite-security-risks/ which mentions this, with a couple of extra links, but without going into much detail.

    As Mark said, it appears that this only affects Java in the browser, which has never really taken off — the ‘browser language’ now appears to be Javascript which, as well as being secretly a much more interesting language than it first appears, now has the support to be much more performant within the browser, than one might at first expect. Also, there are now several languages which compile to Javascript, so you can produce Javascript software without having to deal with the curly brackets and a rather poorly-supported core language.

    That’s also true of Java, by the way — I’ve written a fair bit of JRE software in the last few years, but only a minority of it had curly brackets.

    Java’s still heavily used these days, but more and more on the server side.

  10. I read this just after I had let my Mac update its Java and thought “bugger” – however, as I am still on Snow Leopard and using Apple JVM – so everything was left alone…

    There are serious security holes in Java, but I still think that there is excessive FUD being spread about java in general when the real threat is that you can get redirected unknowingly at a malicious applet – so go ahead and disable java in the browser, but you really do not have to remove it from your machine. It will be interesting when the first really dangerous HTML5 threat comes along – you won’t be able to disable your browser….

    Java is undoubtedly past its peak in popularity as a programming language (though still probably No 2 if you look at various web sites trying to measure this), and this decline probably started before Oracle took over. However, it is clear that Oracle does not lavish as much love on maintaining and improving Java as Sun did and have let various security problems over the last year or so go unpatched for too long which has left room for the anti-java campaign to take hold.

    This is a shame as I still think when you weigh all the qualities of programming languages, in my opinion Java does come pretty close to being the best compromise in terms of programmer productivity especially if you are having to maintain someone else’s code (and I speak as someone who spends most of his time programming in C++ and python nowadays) – it has enough static typing so that you can quickly find out what all the objects are, but is dynamic enough in terms of recompilation speed and run-time type information to do fairly rapid prototyping that the “scripting” languages are good for. In addition it has the whole ecosystem of top quality libraries and IDEs that are really unmatched elsewhere.

    Java did come closer to the write once run anywhere dream than anything else too…

  11. andyxl says:

    Paul – sorry to panic you ole chum. I am still slightly nervous about whether there can be security holes for a Java app making VO service calls …

    • Alex Ouzounis says:

      Well security holes can exist on the server side only. That means that the client can be anything since all the server receives is an http request.

  12. Garrett says:

    Son of a biscuit! I had my TW working under Safari, with saving working by checking “Disable Local File Restrictions,” but the latest SU just broke it. Again.

  13. Paul says:

    Some details regarding TiddlyWiki aren’t quite right. I use a different single-file system (WoaS) that uses some of TiddlyWiki’s file load/save code along with the Java applet for some browsers.

    The Java applet is only used by browsers that can’t read/write local files natively. IE (on Windows) and Firefox have native (proprietary) capabilities, others do not. HTML5 changes this, but I am talking about TiddlyWiki’s method.

    Firefox v15 changed the way this access works, v16 did some more, and v17 will completely remove the code we are using for file access, breaking Woas in Firefox. The TiddlyFox extension basically moves the JavaScript filesystem code to the extension as extensions have more capabilities allowed and can still save local files (for now?).

    So the Firefox problems you saw were actually not Java issues but JavaScript issues resulting from a policy change at Mozilla. Just thought I’d mention that.

    I was going to quick-fix the Woas Firefox mess by using the Java plugin instead; now I’m not so sure. Thanks for the info.

    I really cannot understand why browsers don’t allow local HTML files to have user-defined capabilities. Restricting their activities to the directory the file is in (making it their root) makes sense. It gives them less power than the simplest local program, so what’s the problem?

  14. About Java says:

    informative post for me.. thanks for sharing this article.. 🙂

  15. […] geekier readers will remember an earlier possibly somewhat alarmist post by moi, within the comment stream of which it became clarified that the problems concerned the Java […]

  16. Thanks on your marvelous posting! I truly enjoyed reading it, you’re a great author.

    I will be sure to bookmark your blog and will often come back in the future.
    I want to encourage one to continue your great posts, have a nice holiday weekend!

  17. Hi there it’s me, I am also visiting this site on a regular basis,
    this website is truly pleasant and the users are truly sharing fastidious thoughts.
