How safe is it for me to install Java on OS X 10.8

I know very little about how Java works and its interactions with OS X, so I'm partly looking for an expert and simple description of how Java works on the Mac, and why so much press includes "fear, uncertainty, doubt" but no concrete details about how and why Java is not safe.

I want to use the Bitcoin client Multibit, but to do so I will need to install Java, which over the past six months I've only heard bad things about.

So my question is: How safe is it for me to install Java on Mac OS X 10.8.3?

(The hidden question inside this question is what version / source of Java I should select if I can depend on Apple to keep Java secure.)

I understand "safeness" is a fairly difficult thing to define, but just some general advice would be greatly appreciated. Even if someone could point me in the direction of some learning materials so I can work this out for myself, that would be great.


Solution 1:

The Java Runtime Environment (JRE) and the Java SDK are not inherently unsafe. The problem lies for the most part in certain ways the JVM (Java Virtual Machine) accesses (and can be fooled into accessing) certain pieces of the operating system.

Like every other complex piece of software, Java is no different than, say, .NET on a Windows machine or Mono.NET on any flavor.

Java on a browser, however, is a different world (and hence why you can go ahead and disable it in most modern browsers), similar to (but not as bad as) what ActiveX was back in the days of Internet Explorer.

You can safely have the JRE on your Macintosh, Linux or Windows machine with little danger, since no element of the Java RE or SDK will expose remote vulnerabilities by default. It's just a lot of code sitting on your hard drive.

Now if you want to know if executing Java software is unsafe, then there's no way to answer that without diving into huge arguments. If you want to run Java Software, just go to Oracle, download the Runtime environment and run your Java program. It will not be activated by default on Safari (but double check to be sure) or any other browser.

With all that said, Java is annoying (especially its updater, which you can tone down or disable but which never ceases to be as annoying as, or sometimes more annoying than, the Flash updater if you have Flash). On the other hand, Oracle finally started rolling out more periodic updates to Java, so vulnerabilities are taken care of more often (which is annoying but good). When Apple was in control of the SDK, this wasn't the case.

Of course, some "security experts" will cry out loud that having Java on your hard drive can lead to more insecurity, since if someone gains access to your computer, they could exploit local Java vulnerabilities. Trust me, if anyone gains access to your computer (even remotely) to the point where they can execute anything (including Java), you have a bigger problem.

So if you need it, go ahead and get it.

Solution 2:

The Java exploits have been coming in through Java on websites. You do not need to enable this; e.g. in Safari you can set a preference to use Java or not.

If you have a command line Java application (e.g. Bitcoin), this is then as risky as any other application. You need to make sure you have the latest version of third party libraries and executables to keep up to date with security fixes.