The Java Exploit: How Dangerous Is It?

The world of Mac Web sites lit up this week with news of a potentially dangerous Java exploit. Essentially, the situation is this:

Any Web site may include a Java applet. In most cases, the applet performs some useful and needed function for the Web site. So far, so good.

However, an unscrupulous developer could create a Java applet that executes some "evil" action, such as deleting files from your hard drive.

In Safari, when a Java applet wants to do more than the restricted "sandbox" it normally runs in allows, a message should pop up asking whether or not you "trust" the applet. This is a security protection. If you are visiting an unfamiliar Web site and you're unsure how safe the applet is, you can decline to trust the applet, and it won't run. So far, still so good.

The problem is that a bug in the Java runtime makes it possible to craft an applet that breaks out of the sandbox and gains full access to your system without ever triggering the Safari warning message. Other browsers may offer more reliable early-warning systems (as covered in this Macworld article by Rob Griffiths), but all of them are subject to some degree of risk. This means that you could get in trouble simply by visiting a Web site that contains an exploitive Java applet; no click, download or password prompt would be required.

This risk exists because the vulnerability lies in the Java runtime that Apple ships with Mac OS X. The hole has been public for quite some time, and Sun Microsystems released a fix for it months ago. Unfortunately, Apple has still not updated Mac OS X to include the fixed version.

Apple's lag in fixing the problem is what led Landon Fuller to post a "proof-of-concept" Java applet, showing just how potentially serious the vulnerability could be. This, in turn, is what led to the current round of news stories about the exploit (including the one you're now reading!).

Until Apple offers a fix, the only sure-fire way to prevent getting burned is to turn off the preferences setting in your browser that enables Java to run. For Safari, this means going to Safari > Preferences > Security > Web content and unchecking Enable Java. You should also go to General and uncheck "Open 'safe' files after downloading."

If you later go to a site that you trust and that requires Java, you can temporarily turn the preference settings back on.
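As an added example (not code from the original column, nor anything from Apple), here is a small shell script that checks the two Safari settings above from the Terminal and can turn them off. It assumes that Safari keeps "Enable Java" under the preference key WebKitJavaEnabled and "Open 'safe' files after downloading" under AutoOpenSafeDownloads, both in the com.apple.Safari domain; confirm those key names with `defaults read com.apple.Safari` on your own Mac before relying on it.

```shell
#!/bin/sh
# Added example, not code from the original column: audit (and optionally apply)
# from the Terminal the two Safari settings the column says to turn off.
# ASSUMPTION: Safari stores "Enable Java" under the key WebKitJavaEnabled and
# "Open 'safe' files after downloading" under AutoOpenSafeDownloads, both in the
# com.apple.Safari preferences domain. Confirm the key names on your own machine
# with `defaults read com.apple.Safari` before relying on them.
# Quit Safari before changing anything: it rewrites its preferences on exit.

SAFARI_DOMAIN="com.apple.Safari"

# Map a raw value from `defaults read` to "disabled" or "enabled".
# An empty value means the key is not set, so Safari is using its default,
# which for both keys above is "on".
classify_bool_value() {
    case "$1" in
        0|false|FALSE|no|NO) echo "disabled" ;;
        *)                   echo "enabled"  ;;
    esac
}

# Print "disabled", "enabled" or "unknown" for one Safari preference key.
safari_bool_state() {
    key="$1"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "unknown"        # `defaults` only exists on Mac OS X
        return 0
    fi
    # `defaults read` exits non-zero when the key is absent; treat that as unset.
    value=$(defaults read "$SAFARI_DOMAIN" "$key" 2>/dev/null || true)
    classify_bool_value "$value"
}

# Report both settings. Exit status is 0 only when both are disabled.
safari_audit() {
    java=$(safari_bool_state WebKitJavaEnabled)
    auto=$(safari_bool_state AutoOpenSafeDownloads)
    echo "Enable Java:                         $java"
    echo "Open 'safe' files after downloading: $auto"
    [ "$java" = "disabled" ] && [ "$auto" = "disabled" ]
}

# Apply the column's advice: turn both settings off.
# To re-enable Java temporarily for a site you trust:
#   defaults write com.apple.Safari WebKitJavaEnabled -bool true
safari_harden() {
    defaults write "$SAFARI_DOMAIN" WebKitJavaEnabled -bool false &&
    defaults write "$SAFARI_DOMAIN" AutoOpenSafeDownloads -bool false
}

# Usage: sh safari-java.sh audit      (report only)
#        sh safari-java.sh harden     (turn both off, then report)
if [ $# -gt 0 ]; then
    case "$1" in
        audit)  safari_audit ;;
        harden) safari_harden && safari_audit ;;
        *)      echo "usage: $0 audit|harden" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh safari-java.sh audit` to see the current state, or `harden` to apply the column's advice and then re-check. Because both keys are plain on/off flags, the `defaults write` line in the comments is also the quickest way to turn Java back on for a site you trust, and off again when you are done.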

Caveats. The preceding is the official advice and I'm agreeing with it. However, whenever these security topics come up, someone inevitably asks: "Just how real a threat is this? If I don't do anything to protect myself, how likely is it that something bad will happen to me?"

My answer is: The real-world risk is very, very low.

In order to be burned, someone would first have to put a dangerous Java applet out in the wild. To date, there are no known such applets.

Second, if such an applet did exist, there would be warnings about it all over the Web, as soon as it was discovered. If you are Web-savvy enough to be reading this column, chances are good you would see these warnings before there was even a remote chance of you being harmed.

Third, even if such a site existed and you had not seen the warnings, you would still have to end up there. Usually that means being lured by some publicity or come-on for the site, and unless the exploiter is very good at generating phony publicity, that is not likely to happen. The one case worth keeping in mind is an applet planted on an otherwise legitimate site that has been compromised; caution about unfamiliar links does not help there, which is part of why the official advice is to turn Java off rather than rely on your own judgment.

Lastly, even if you did get some deceptive come-on, if you typically ignore invitations to go to unfamiliar Web sites and similarly trash all the spam email you receive, you would still be safe.

That's why the real-world risk is very low.

The same logic applies to almost any security exploit you hear about. As a personal example, in the course of my work, I visit well above the average number of unfamiliar Web sites. And I sit in front of my computer for hours and hours every day. Yet I have never been a victim of any security exploit.

It's sort of like the warnings about how to avoid getting struck by lightning. You're not likely to ever be in danger even if you ignore the advice. But that doesn't mean you should cavalierly ignore the warnings. Especially if it doesn't otherwise cause any significant inconvenience, why take chances?

So, play it safe, and disable Java for now, even though, in all likelihood, it won't matter either way.