According to the post Critical Mac OS X Java Vulnerabilities by Landon Fuller, via Simon Willison, there’s a critical vulnerability in every Java installation which Apple includes in OS X, which can allow an attacker to easily run any arbitrary command on your system by simply loading a Java applet in a web page you visit.

(For our purposes, Java is a web browser plugin which, similar to Flash, lets your browser do advanced things like upload photos, etc.)

Therefore it’s recommended to disable Java in all of your web browsers until this is fixed.

The easy way to do this is to open the preferences of your browsers and find the checkbox labeled “Enable Java” and uncheck it.

However, I wasn’t comfortable merely doing that, and I don’t think anyone else should be, either. Not only do you have to remember to do this in every single browser you might ever use — including Fluid based browsers, browsers embedded in RSS readers, etc — but it’s always possible for the preference to get reset somehow. And some apps which use embedded browsers may not make that preference available at all.

Instead, I recommend moving the Java plugin from its usual location, which will prevent all Webkit-based browsers, including those embedded in other apps, Firefox, and Camino, from loading any Java applet, even if the preference isn’t available in one of those apps, or gets reset.

These two terminal commands will accomplish this:

(Please note: I have tested this solution only using a fully updated 64-bit Intel Mac as of today, using Safari 4 Beta, Camino 2 Beta, Firefox 3.5 Beta, and Fluid 0.9.6. I make no warranties or guarantees of any kind, and I disclaim any responsibility for any damage done to your computer, now or in the future, whether you follow my advice or not.)

Command One:
sudo mkdir "/Library/Internet Plug-Ins, disabled"


Command Two:
sudo mv "/Library/Internet Plug-Ins/JavaPluginCocoa.bundle" "/Library/Internet Plug-Ins, disabled/"

If you don’t know how to run terminal commands:

1. Trigger Spotlight by clicking on the magnifying glass in the upper-right-hand corner of your screen
2. type in “Terminal”
3. Once the application Terminal appears in the results, make sure it’s highlighted, then hit Enter to launch it
4. Switch to your browser, copy the first command into your clipboard
5. Switch back to Terminal and paste the line in
6. Hit Enter
7. You will probably be prompted to enter your password. Do so.
   • It’s possible that after this step you’ll see an error message, something to the effect of you not being in the sudoers file, and this will be reported. Don’t worry about this. It just means that someone set up your Mac so you’re running with a standard user account, not an administrator account. This is A Good Thing.
   • If that does happen, you should contact the person who set up your Mac and have them help you complete these steps.
8. As long as you don’t see any errors, the command probably worked
9. Copy-and-paste and run the second command
10. Quit Terminal

Restart your browsers for the change to take effect

Once you’ve done that, please take a moment to tell Apple that they’ve dropped the ball on this vulnerability, and they need to fix it ASAP. The best way to do that is by posting a message to Apple using their OS X feedback form. If you have the time, try to post something about it publicly too, on your blog, Twitter, Facebook, etc. Even just a link to the article: Critical Mac OS X Java Vulnerabilities and “Apple, fix this now!” would be great.

Crazy.