With the news that some Apple, Facebook, and Twitter employees' Macs were hacked, and Apple and Oracle's subsequent software patches, it's time to revisit the question of whether Java can be used securely.
After the Flashback malware attack that occurred in the summer of 2012, I discussed the risks and offered some advice about the safest way to use Java. But due to changes in the way Java works on Macs and the recent rise in Java-based security threats, I'm altering my advice: You should do everything you can to remove Java from your Mac or, if that isn't possible, to isolate it to the fullest extent possible.
I don't make this recommendation lightly. Removing Java will be problematic for some people, especially those who use Macs at work; and isolating it isn't simple. But I can't overstate the risk: Nearly all recent Mac malware attacks rely on exploiting Java or Flash in your Web browser. (I also have some advice on isolating Flash.) If you plan to keep Java, make sure that you update it as soon as possible.
Why I now recommend removing Java
Java is more than a browser plugin. It's a complete application runtime environment. That means that Java applications are designed to run inside a Java Virtual Machine installed on your Mac. Theoretically, a developer can write a Java program to run inside the virtual machine, and it will run without modification on any platform--Mac, Windows, Linux, or whatever is running a valid JVM. (Practically speaking, getting something to work across platforms is rarely easy.) The JVM handles memory management and anything else that the application needs, and runs it inside a sandbox that isolates the Java application from your operating system.
The problem arises when a flaw exists in this sandbox (or in other aspects of the JVM), and someone writes malicious code that takes advantage of the flaw to break out and gain additional access to your computer. What makes environments like Java and Flash so problematic is that, when enabled in your browser, they run such programs without asking your permission to do so. Only the sandbox stands between you and any random attacker with a Java program on the Internet; and when that sandbox ceases to be impervious, simply browsing a webpage could enable bad guys to take full control of your computer.
This is exactly what happened in the attack against Apple's employees, and possibly in the attacks against Twitter and Facebook as well. The attackers compromised a site known to be used by mobile developers, and then used a previously unknown (or "zero-day") Java vulnerability to exploit computers through their browsers. This is known as a "watering hole" attack, because the bad guys targeted a place that the desired victims visited regularly and voluntarily. Since the exploit was unknown, antivirus software wouldn't necessarily be able to spot and disable it.
