While security is a common concern for Windows systems, most Mac users don’t have to worry about running an antivirus or enabling a firewall on OS X. However, this doesn’t mean that Macs are impenetrable.
Java, a Web plug-in that was once ubiquitous but is dropping out of use in favor of HTML5, is still a valid security concern for Mac users. Chris explained why browser plug-ins are the worst security problems plaguing the Web today, and Java fits into that category perfectly.
Let’s take a look at what Java is up to on OS X, and why you should chuck it to make your computer even more secure.
What is Java?
- Java is a programming language, like C++ or Python. Android apps are written in Java, as a practical example.
- When you install Java on your Mac, you’re installing the Java Runtime Environment, which is relatively secure and a place to run Java-based applications on their own, though it’s not used often. The problem is the included Java Browser plug-in, which enables Java content to run inside any browser on your system.
Recently, Google announced that Chrome will no longer support Java, meaning that anything online that needs Java will fail to run. This will greatly increase security across the Web, but why?
What’s Wrong With Java?
As Matt explained, Chrome is cutting support for Java because it’s terrifyingly insecure. Security company Kaspersky found that Java caused half of all security attacks affecting computers in 2012; and even people who were using a Windows antivirus weren’t protected.
So what’s the issue here? Essentially, the Java plug-in doesn’t do any sort of check to ensure the content it’s about to run is safe, and with its universal installation base, it’s a perfect target for attack.
Stupidly, Java also doesn’t update itself. Chrome, Firefox, Flash Player, and Adobe Reader all update themselves so you don’t have to worry about doing it; why Java can’t implement this critical functionality is anyone’s guess. This leads to a large number of Web users using an outdated version of the plug-in that malicious folks have already picked apart. Most people aren’t going to update software if they don’t see a prompt for it, and many probably don’t even realize that Java is installed on their system.
Of course, we can’t forget the atrocious Ask Toolbar that’s been bundled with Java for years. Every time you install or update Java, you have to remember to uncheck the “sponsored offer” box or else you end up with an ugly Chrome-hijacking toolbar glued to your browser. The toolbar can be removed and even suppressed in the first place, thankfully, but it’s ridiculous that Oracle imposes this on users, contributing to the issue of people failing to update Java.
Seeing the Ask toolbar on my parents PC. It's ok. I know it is tough times for @larryellison and he needs that extra cash, hope it helps!
— Chet Faliszek (@chetfaliszek) September 8, 2015
How to Disable Java
Knowing all this, it’s a good idea to just purge Java from your Mac. Don’t have it installed already? That’s wonderful; certainly don’t start now. For those of you with Java, now’s a great time to completely remove it. If you’re unsure about whether you need it, it’s extremely likely that you don’t.
To check for its presence, open System Preferences and if there’s an entry for Java, it’s installed.
Removal is thankfully a breeze. You’ll need to open a Terminal window by pressing Command + Space to open Spotlight, then simply search for Terminal to open the prompt. Run the following line (you’ll need to type an administrator password):
sudo rm -rf /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/
sudo rm -rf /Library/PreferencePanes/JavaControlPanel.prefPane
Java is now extinct from your system; can you feel the safety rushing over you?
If you’re sure you need to leave Java installed for some reason, be sure to take precautions. Here are a few ways you can minimize Java’s risk to your system if you’re keeping it around.
The safest option is to disable Java in all browsers. To do this globally, open up the Java Control Panel by going to System Preferences > Java and selecting the Security tab. Uncheck the Enable Java content in the browser box to shut it off everywhere. However, if you need Java for a particular website, this isn’t going to do much good. Instead, you should keep multiple browsers around and allow Java in only one of them.
Newer versions of Safari allow Java on a per-site basis; head to Safari > Preferences > Security and choose Website Settings… next to Internet plug-ins. Select Java from the left panel and you can see a list of sites that you’ve given the green light. At the bottom, changing the setting to Block will ensure Java only runs on sites you explicitly allow.
Java automatically checks for updates, but it’s a good idea to ensure you haven’t missed any by occasionally going to the Java Control Panel again and paying a visit to the Update tab, where you’ll be notified of new versions.
Finally, make sure you don’t get hammered with junkware when updating by going to Java Control Panel > Advanced and scrolling all the way down to Suppress sponsor offers… Checking this box puts Java in its place and stops you accidentally installing adware you don’t need.
The Hole in Your Mac’s Security
These security problems aren’t just theory. In the past, Java has been responsible for Mac threats, most notably the Flashback Trojan that took advantage of Java in OS X and affected some 600,000 users. It wasn’t short-lived, either: we reported on Flashback in October 2011, February 2012, and then again in April 2012. Flashback wouldn’t quit, and those without Java installed were safeguarded against the infection.
trying to download bootlegged music to my mac, ended up downloading a virus how ironic
— Val? (@ooohval_) September 13, 2015
Apple computers are generally rock-solid when it comes to security (aside from a few slip-ups like the fake MACDefender antivirus program), so it makes sense that one of the biggest infections on the platform originated from a third-party plug-in. Zero-day vulnerabilities aren’t something to mess around with, and no operating system is immune. Your Mac is secure; keep it that way by obliterating Java’s residence on your machine.
Will you be removing Java on your Mac? If you still need Java, what’s making you keep it on your system? Let us know what you think about the plug-in by leaving a comment!