New in Safari 7: Improved Java Security
Computer security is a war of increments. Though Apple seems to be a step ahead of late, the company isn’t resting on its laurels, and Safari 7, included in OS X 10.9 Mavericks, changes how Java is handled.
In the panoply of new features in Safari 7, this one’s pretty minor. Nevertheless, it’s notable in that, although Java security issues have faded from public view of late, Apple is pressing ahead.
In OS X Mountain Lion, users could blanket-enable Java apps via a checkbox in Safari’s top-level Preferences. That said, OS X would automatically turn off Java after 90 days, and Apple could also disable Java via OS X’s integrated malware blocker, XProtect.
Apparently, that behind-the-scenes hand-holding wasn’t enough for Apple.
When OS X 10.9 Mavericks ships this fall, Apple will adopt a new, more prejudicial approach to Java. Although it will be possible to configure Safari to allow all Java apps to run without restriction, the default out-of-the-box setting encourages users to whitelist individual sites/pages where Java is used.
Apple has removed the “Allow Java” checkbox (image above) in the top level of Safari 6’s Preferences. Users are pushed, by design, farther into Safari 7’s preferences, where they are presented with a conscious choice to whitelist an individual site/page vs. applying a blanket “Allow.”
Safari 7: Java Done Right?
Fundamentally, if a user gets hit by a Java drive-by attack when visiting some random (infected) webpage — these days it could be literally any webpage, not just porn or warez — it will be because he sought out and then enabled the “Allow Always” setting buried deep in Safari 7’s Preferences.
Moreover, the same settings and individual page/site level of control can be applied to other plugins, like Flash, QuickTime and Silverlight.
Bottom line is you’ve gotta wanna be a bonehead, because Apple’s really pushing users to do the right thing in Safari 7 — whitelist Java only on sites they actually use…
What’s your take?