Java in Crisis?

Posted on the 22 October 2012 by Andyxl @e_astronomer

We all use Java every day: stand-alone Java applications like Topcat and Aladin; in-web-page Java applets (Aladin again); and on the server side (e.g. WSA and VSA). But now it seems there is a security crisis; serious people are telling us to disable or remove it. Wuh? At the risk of boring the ungeeks let me explain how I just stumbled into this understanding. It's a classic tale of confusion, coincidence, and mysterious disappearances.

I am a big fan of Tiddlywiki. It's a personal wiki – a kind of hyper-notebook. You run it on your own computer, or even from a memory stick. It's very clever. Just a single html file, containing both your text, and the javascript needed to edit it. The tricky bit comes when you want to save your changes. That requires your browser to write a file onto your computer – a new version of that single html file. That's done with Java, as opposed to javascript. You place a file called “tiddlysaver.jar” in the same directory and it does the work. You have to give explicit permission to write onto your disk of course. We ain’t nuts.

So… recently … for reasons I won’t bore you with, I wiped my Firefox installation and made a new one. (Well ok – my wordpress front page widgets weren’t working, and after many tortured days, it was the only fix that worked.) A few days later I tried to update one of my tiddlywiki notebooks. It wouldn’t save. Trawled through various FF settings but couldn’t fix it. So I tried to do my edits in Safari. Same. And Chrome. Same. Oh. Maybe the FF change was a coincidence? If it fails everywhere, it must be a MacOS problem? Then I suddenly remembered I’d had the identical problem when I upgraded to Mountain Lion. Sensible chap that I am, I’d left myself a wee note. It said “go to the Java Preferences app and tick the box that says enable applet plugin”. So, off I goes. Hmm. No such checkbox. Must have been removed in some recent system upgrade.

Now… a few weeks back I had a hair-tearing Time Machine problem. Apparently my backup was going to take 11,158 days. I spent several days fretting about this on and off and wondering what I had screwed up. Then lo! A new Software Update was announced which amongst other things said “this also fixes a problem some users may have been having with Time Machine backups”. And yea, indeed, verily did the SU completely fix this problem. Grrr. Wasn’t me at all. Wish I’d known.

So… maybe it's another Apple SNAFU. Is there a new SU? Yup. And look! It's a Java update! But … (a) it still didn’t fix the problem and (b) the Java Preferences app has completely disappeared!! I check out the “more detail at apple support” page. This says

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.

This update also removes the Java Preferences application, which is no longer required to configure applet settings.

Click on the region? What region? What the hell does that mean?

Then I read a bit more on the Tiddlywiki home page. It seems all the major browsers are clamping down on Java, disabling by default, and making you jump through more hoops. For Firefox there is a specific Tiddlywiki fix – a FF extension called TiddlyFox. So at least I am (temporarily) sorted…

On Chrome, if you try to run an applet like Aladin, you get a banner saying “Java(TM) is needed to run some elements on this page” and there is a button labelled install plug-in. This takes you to an Oracle page which says

Chrome does not support Java 7. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser.

If you download Java 7, you will not be able to run Java content in Chrome and will need to use a 64-bit browser (such as Safari or Firefox) to run Java content within a browser. Additionally, installing Java 7 will disable the ability to use Apple Java 6 on your system.

OK, screw that then. How about Safari? The Aladin applet seems to run ok. But Tiddlywiki does not. This is because it wants to write to your disk. Some documentation on the Tiddlywiki site told me what to do … open Safari preferences, go to “Advanced” and tick “Show Develop menu in menu bar”. Then a new menu item appears in your menu bar called “Develop” with options for grown-ups. (Don’t forget to open the door marked “beware of the leopard”.) Finally move down that menu and mark “Disable local file restrictions”. Yay!! But guess what. That menu item no longer exists. Somebody really doesn’t want us to do this.

Finally … I started roaming around the interwebs the way you do, seeing if other folk had the same probs. I stumbled over this nice Java Tester Page. This is where I first saw the scary words “Java Security Flaw”… I then followed the link to this article by Michael Horowitz and things began to make sense … sort of.

It seems there are serious security flaws that won’t be fixed until February 2013. Horowitz says

Java is used by both installed applications and websites. If you only need Java for an application, disable it in all your browsers. OS X users on Lion and Mountain Lion had Apple do this for them (more below). Windows users in this situation may want to consider the portable version of Java available at portableapps.com. If you need Java for a website, enable Java in a browser used only on the site that needs it. For all other websites, use a browser that has Java disabled.

I can remember back when Java was the next big thing. Now, it’s all but a curse word.

Jeez. Gordon Bennett. Is it really true?