How to disable Java on your Mac

With the news that some Apple, Facebook, and Twitter employees' Macs were hacked, and Apple and Oracle's subsequent software patches, it's time to revisit the question of whether Java can be used securely.

After the Flashback malware attack that occurred in the summer of 2012, I discussed the risks and offered some advice about the safest way to use Java. But due to changes in the way Java works on Macs and the recent rise in Java-based security threats, I'm altering my advice: You should do everything you can to remove Java from your Mac or, if that isn't possible, to isolate it to the fullest extent possible.

I don't make this recommendation lightly. Removing Java will be problematic for some people, especially those who use Macs at work; and isolating it isn't simple. But I can't overstate the risk: Nearly all recent Mac malware attacks rely on exploiting Java or Flash in your Web browser. (I also have some advice on isolating Flash.) If you plan to keep Java, make sure that you update it as soon as possible.

Why I now recommend removing Java

Java is more than a browser plugin. It's a complete application runtime environment. That means that Java applications are designed to run inside a Java Virtual Machine installed on your Mac. Theoretically, a developer can write a Java program to run inside the virtual machine, and it will run without modification on any platform--Mac, Windows, Linux, or whatever is running a valid JVM. (Practically speaking, getting something to work across platforms is rarely easy.) The JVM handles memory management and anything else that the application needs, and runs it inside a sandbox that isolates the Java application from your operating system.

The problem arises when a flaw exists in this sandbox (or in other aspects of the JVM), and someone writes malicious code that takes advantage of the flaw to break out and gain additional access to your computer. What makes environments like Java and Flash so problematic is that, when enabled in your browser, they run such programs without asking your permission to do so. Only the sandbox stands between you and any random attacker with a Java program on the Internet; and when that sandbox ceases to be impervious, simply browsing a webpage could enable bad guys to take full control of your computer.

This is exactly what happened in the attack against Apple's employees, and possibly in the attacks against Twitter and Facebook as well. The attackers compromised a site known to be used by mobile developers, and then used a previously unknown (or "zero-day") Java vulnerability to exploit computers through their browsers. This is known as a "watering hole" attack, because the bad guys targeted a place that the desired victims visited regularly and voluntarily. Since the exploit was unknown, antivirus software wouldn't necessarily be able to spot and disable it.

When I wrote about the Flashback attacks at the end of August, I said, "although you likely aren't at risk today, it is clear that Java still represents one of the biggest, most persistent security problems facing users of all operating systems."

My conclusion has changed: You are at risk now. So how do you protect yourself?

How to remove Java

Your best option is to remove Java from your Mac altogether; then you won't have to worry about its security vulnerabilities. Not having Java on your system may break some websites, but I haven't permitted Java to run in my browser for quite a while now and I've run into very few problems. When I do, the culprits have most commonly been Web-based meeting software and some enterprise applications. Removing Java also disables some desktop software that depends on it, such as the popular CrashPlan backup tool. If you run into that situation, consider taking the steps outlined below for isolating Java; for other users, however, living without Java may be the most satisfactory course. That way, you avoid the risk of having Java reactivated at some point in the future.

The precise process to follow in removing Java depends on the version of OS X you run and the version of Java you use. Whatever those particulars may be, removing Java is fairly easy.

To see whether you have Java installed, launch Terminal and run the following command:

java -version

If you see 1.6 or 1.7 in the response, navigate to the /System/Library/Java/JavaVirtualMachines/ directory and delete it. Alternatively, use the command line:

sudo rm -rf /System/Library/Java/JavaVirtualMachines/

(As always, type very carefully when using the sudo rm command.)

If your Mac suddenly asks you to install Java, either Java isn't on your system or you installed the nondeveloper version of Java 7 (the more common situation). In that case, remove Java 7 with these command lines:

sudo rm -rf "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
sudo rm -rf /Library/PreferencePanes/JavaControlPanel.prefpane

(The first path contains a space, so it must be quoted; without the quotes, rm would treat /Library/Internet and Plug-Ins/JavaAppletPlugin.plugin as two separate arguments and delete the wrong thing.)

If you run into problems, select your Mac's hard drive in the Finder, search for those two files, and send them to the Trash.
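Before deleting anything, it helps to know which of the components above are actually present. The following audit script is an added example, not part of the original article: it checks the three paths the article names, tells you whether the Java 6 or the Java 7 removal step applies, and extracts the release family from java -version output. The root-prefix argument is an assumption added here so the check can be exercised against a staged directory tree rather than the live disk.

```sh
#!/bin/sh
# Added example (not from the original article). Audits a Mac for the Java
# components the article names. $1 is a filesystem root prefix: "" for the
# live Mac, or a staged directory when testing (an assumption of this script).

# Component paths from the article. The first is Apple's Java 6 JVM location;
# the other two are installed by Oracle's Java 7 package.
JAVA_PATHS='/System/Library/Java/JavaVirtualMachines
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/Library/PreferencePanes/JavaControlPanel.prefpane'

# Print each component that exists under the root. Exit status 0 means no
# Java component was found; 1 means at least one is present.
find_java_components() {
  root="$1"
  found=0
  # Read one path per line: one of them contains a space, so relying on
  # word-splitting (as an unquoted rm -rf would) gives the wrong path.
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if [ -e "$root$p" ]; then
      printf 'present: %s\n' "$p"
      found=1
    fi
  done <<EOF
$JAVA_PATHS
EOF
  [ "$found" -eq 0 ]
}

# Extract the release family (1.6 or 1.7 in the article) from java -version
# output. java -version writes to stderr, so capture it with 2>&1. Prints
# nothing if the text is not a JVM banner (e.g. "No Java runtime present").
java_family() {
  printf '%s\n' "$1" | sed -n 's/^java version "\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Run with --audit on a live Mac to report what is installed.
if [ "${1:-}" = "--audit" ]; then
  banner=$(java -version 2>&1) && echo "java -version family: $(java_family "$banner")"
  if find_java_components ""; then
    echo "No Java components found."
  else
    echo "Java components present; apply the matching removal step above."
  fi
fi
```

A hit on the JavaVirtualMachines directory points to the Java 6 step; hits on the plugin or preference pane point to the Java 7 step.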

How to isolate Java

Isolating Java means leaving it on your Mac, but removing it from your browser except when you want it to run. Apple now does this by default for all Macs (10.6 and later) and will re-isolate it after about a month even if you've turned it back on. Isolating Java is a bit more complex now that Apple has removed the Java preferences utility from Lion and Mountain Lion.

If you run Java 6 (the Apple-supplied version), you need to restrict it in each of your browsers. In Google Chrome, type chrome://plugins in the address bar and click the link to disable Java. In Safari, go to Safari > Preferences and uncheck Enable Java in the Security pane. In Firefox, go to Tools > Add-ons > Plugins and uncheck Java Plug-In.

If you use Java 7, you can disable it systemwide: Go to Preferences > Java > Security and uncheck Enable Java Content in the Browser.

I suggest that you isolate Java in all of your browsers, and then pick one that you don't use as your main browser and temporarily activate Java there as needed. Doing so reduces the likelihood that you will forget to turn it off after using it and leave yourself vulnerable during your day-to-day browsing.

This advice may seem extreme. But when Apple's own developers are hacked, it's time to protect yourself.

Stories by Rich Mogull

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts