Apple's latest Safari updates add site-by-site Java plugin controls

Apple has added new tools in Safari 5 and 6 that allow users to control which sites the Java plugin is enabled for.

The security tools came with the latest tweaks to Java SE 6, which Oracle stopped supporting in February but which Apple still provides updates for, and Java SE 7, which is still maintained by Oracle.

The more granular controls will help tackle the persistent security risks posed by the Java browser plugin, which attackers have exploited to silently install malware on a target system by, for example, embedding malicious Java applets on websites.

The features were enabled this week in updates bringing Safari to version 6.0.4 for Mountain Lion and Lion, and Safari to version 5.1.9 for Snow Leopard.

The new Java plugin controls in Safari are accessible through Preferences --> Security, where users can click on the 'manage website settings' button.

Sites that contain an embedded Java applet should appear in a dialogue box when a user tries to visit them. Users can then choose to set preferences for the site in Safari, including 'Ask Before Using', 'Block Always', 'Allow' or 'Always Allow', Mac security firm Intego notes.

Apple explains at the bottom of the dialogue box that "Websites set to 'Allow' can run Java applets as long as the installed version of Java has no known critical security issues".

It's unclear how that functions, however Apple has previously used its inbuilt and largely hidden anti-malware system XProtect to block versions of Java with known security issues. 

Separately, Oracle released its scheduled April patch update for Java SE on Tuesday, which contained 42 new critical security fixes, including 39 that could be exploited remotely without authentication. The next update is set for 18 June 2013.