Disable Java on Mac OS X for a Secure System

Ben Stegner 24-09-2015

While security is a common concern for Windows systems, most Mac users don’t have to worry about running an antivirus Are Antivirus Programs Necessary for Mac? Read More or enabling a firewall on OS X Does Your Mac Really Need a Firewall? What You Need to Know Do you need a firewall on your Mac? Here's everything you need to know, including how to turn on and off your Mac's firewall. Read More . However, this doesn’t mean that Macs are impenetrable.


Java, a Web plug-in that was once ubiquitous but is dropping out of use in favor of HTML5, is still a valid security concern for Mac users. Chris explained why browser plug-ins are the worst security problems plaguing the Web today Browser Plugins - One of the Biggest Security Problems on the Web Today [Opinion] Web browsers have become much more secure and hardened against attack over the years. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser... Read More , and Java fits into that category perfectly.

Let’s take a look at what Java is up to on OS X, and why you should chuck it to make your computer even more secure.

What is Java?

Unfortunately, Java often gets confused with JavaScript. Java itself comprises multiple items, so it’s easy to get them mixed up. Here’s a quick rundown:

Recently, Google announced that Chrome will no longer support Java The Web Just Became More Secure: Google Drops Support for Java When Java was first released in 1995, it was revolutionary. But now, it's safe to say that Java has lost its shine, and Google is about to drop support for it in Chrome. Read More , meaning that anything online that needs Java will fail to run. This will greatly increase security across the Web, but why?

What’s Wrong With Java?

As Matt explained, Chrome is cutting support for Java because it’s terrifyingly insecure. Security company Kaspersky found that Java caused half of all security attacks affecting computers in 2012; and even people who were using a Windows antivirus weren’t protected.


So what’s the issue here? Essentially, the Java plug-in doesn’t do any sort of check to ensure the content it’s about to run is safe, and with its universal installation base, it’s a perfect target for attack.


Stupidly, Java also doesn’t update itself. Chrome, Firefox, Flash Player, and Adobe Reader all update themselves Why Do Apps Nag Me to Update & Should I Listen? [Windows] Software update notifications seem like a constant companion on every computer. Every app wants to update regularly, and they nag us with notifications until we give in and update. These notifications can be inconvenient, especially... Read More so you don’t have to worry about doing it; why Java can’t implement this critical functionality is anyone’s guess. This leads to a large number of Web users using an outdated version of the plug-in that malicious folks have already picked apart. Most people aren’t going to update software How to Install Mac Apps in Terminal Using Homebrew Did you know you can install Mac software in the Terminal? Here's how to use Homebrew to install Mac apps easily. Read More if they don’t see a prompt for it, and many probably don’t even realize that Java is installed on their system.

Of course, we can’t forget the atrocious Ask Toolbar that’s been bundled with Java for years. Every time you install or update Java, you have to remember to uncheck the “sponsored offer” box or else you end up with an ugly Chrome-hijacking toolbar 3 Essential Steps To Get Rid Of Chrome Hijackers In Minutes Have you ever opened your browser of choice and been greeted with a bizarre-looking start page or an unsightly toolbar glued to the top of the page? Restore your browser to tip-top shape. Read More glued to your browser. The toolbar can be removed 4 Annoying Browser Toolbars and How to Get Rid of Them Browser toolbars just don't seem to go away. Let's look at some common nuisances and detail how to remove them. Read More and even suppressed in the first place, thankfully, but it’s ridiculous that Oracle imposes this on users, contributing to the issue of people failing to update Java.


How to Disable Java

Knowing all this, it’s a good idea to just purge Java from your Mac. Don’t have it installed already? That’s wonderful; certainly don’t start now. For those of you with Java, now’s a great time to completely remove it. If you’re unsure about whether you need it, it’s extremely likely that you don’t.

To check for its presence, open System Preferences and if there’s an entry for Java, it’s installed.

Removal is thankfully a breeze. You’ll need to open a Terminal window 4 Cool Things You Can Do With The Mac Terminal The Terminal is the Mac OS X analogue of the Windows command prompt, or CMD. It's a tool, as you probably already know, that allows you to control your computer using text commands, as opposed... Read More by pressing Command + Space to open Spotlight, then simply search for Terminal to open the prompt. Run the following line (you’ll need to type an administrator password):



sudo rm -rf /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/

Then run:

sudo rm -rf /Library/PreferencePanes/JavaControlPanel.prefPane

Java is now extinct from your system; can you feel the safety rushing over you?

If you’re sure you need to leave Java installed for some reason, be sure to take precautions The Top 6 Things To Consider When You Install Java Software Oracle’s Java runtime software is required to run Java applets on websites and desktop software written in the Java programming language. When installing Java, there are a few things you should consider, especially regarding security.... Read More . Here are a few ways you can minimize Java’s risk to your system if you’re keeping it around.


The safest option is to disable Java in all browsers Is Java Unsafe & Should You Disable It? Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is... Read More . To do this globally, open up the Java Control Panel by going to System Preferences > Java and selecting the Security tab. Uncheck the Enable Java content in the browser box to shut it off everywhere. However, if you need Java for a particular website, this isn’t going to do much good. Instead, you should keep multiple browsers around 3 Unmissable Reasons Opera Is the Right Browser for Your Mac Chrome and Firefox rule on Windows, but on OS X, Opera is the browser to beat. Eternal favorites Chrome and Firefox can give you flexibility, but not without some heavy compromises. Read More and allow Java in only one of them.


Newer versions of Safari allow Java on a per-site basis; head to Safari > Preferences > Security and choose Website Settings… next to Internet plug-ins. Select Java from the left panel and you can see a list of sites that you’ve given the green light. At the bottom, changing the setting to Block will ensure Java only runs on sites you explicitly allow.


Java automatically checks for updates, but it’s a good idea to ensure you haven’t missed any by occasionally going to the Java Control Panel again and paying a visit to the Update tab, where you’ll be notified of new versions.

Finally, make sure you don’t get hammered with junkware when updating by going to Java Control Panel > Advanced and scrolling all the way down to Suppress sponsor offers… Checking this box puts Java in its place and stops you accidentally installing adware you don’t need.


The Hole in Your Mac’s Security

These security problems aren’t just theory. In the past, Java has been responsible for Mac threats, most notably the Flashback Trojan that took advantage of Java in OS X and affected some 600,000 users. It wasn’t short-lived, either: we reported on Flashback in October 2011 New Trojan For Mac Disables XProtect Auto Update [News] A Trojan recently made the rounds for Mac that appeared to be an update for Flash, but was actually a piece of malicious software called Flashback.A. Apple has since updated XProtect to block this dangerous... Read More , February 2012 Flashback Mac Trojan Is Back, With A Vengeance [News] Read More , and then again in April 2012. Flashback wouldn’t quit, and those without Java installed were safeguarded against the infection.

Apple computers are generally rock-solid when it comes to security (aside from a few slip-ups like the fake MACDefender antivirus program Malware Disguised As Antivirus Targets Mac Users [News] A bogus version of the MacDefender antivirus application has recently fooled many Apple Mac OSX users into downloading and installing the malware on their computers. The fake antivirus, called MAC Defender, specifically targets Mac users... Read More ), so it makes sense that one of the biggest infections on the platform originated from a third-party plug-in. Zero-day vulnerabilities What Is a Zero Day Vulnerability? [MakeUseOf Explains] Read More aren’t something to mess around with, and no operating system is immune. Your Mac is secure; keep it that way by obliterating Java’s residence on your machine.

Take a minute to make your Mac even more secure by spotting the signs of a virus 3 Signs Your Mac Is Infected With a Virus (And How to Check) If your Mac is acting weird, it could be infected with a virus. How can you check for a virus on your Mac? We'll show you. Read More and putting a stop to annoying pop-ups Pop Ups on Your Mac? How to Stop Them Once and For All They break your focus, get in the way and sometimes baffle you. Why won't these pop ups go away? Read More .

Will you be removing Java on your Mac? If you still need Java, what’s making you keep it on your system? Let us know what you think about the plug-in by leaving a comment!

Related topics: Computer Security, Java.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Steve P.
    January 24, 2016 at 8:43 pm

    This article is good, but has some inaccuracies and bias.
    The most obvious claims are that most people don't need Java, that Java does not perform any checks on the software it runs, and the very obvious contradiction of "Stupidly, Java also doesn’t update itself" followed later by "Java automatically checks for updates."

    Java was the first mainstream programming environment to implement the sandbox model of application execution, preventing applications from performing any action outside of the sandbox (aka. virtual machine). When Java applications are written and run properly you do not need to disable this sandboxing. The Australian government clearly violated best practices in having an unsigned application that needs the ability to write to disk, thus requiring the running of Java in an "unsafe mode." The new OS model of only running "signed" applications was actually brought to the mainstream by Java in the 1990's, with jar signing and sandboxing. Besides these obvious misrepresentations of Java, many applications utilize Java, without the user even being aware. It is the exclusion of Java from the OS that has led to each of these applications installing its own version of Java within the application. A perfect example of this is Minecraft, which was written in Java, and ported to .Net after its acquisition by Microsoft. Most parents have this installed and don't even know that it contains the Java Runtime.

    To be fair and unbiased, ALL applications have vulnerabilities and Macs are only safer than Windows and Linux/BSD because the user base is relatively low when compared to these other platforms. The following applications and platforms all have had at least as many security issues as Java, in most case far more, as Java performs extensive bytecode validation before running an application, looking for invalid sequences or known attack vectors, and can easily run applications within a sandbox.

    Adobe's Acrobat Reader, Flash, and Shockwave,
    Microsoft's .Net, Word, Outlook, and the rest of the office suite,
    Open Office, Libre Office, Internet Explorer, Google Chrome, the Safari browser, and any and all means of file/information sharing (torrents, file shares,SSH, web servers, FTP servers, MySQL, all database for that matter, and the list goes on and on) are all vulnerable to exploitation, Zero day or otherwise. This includes all versions of OS X, Windows, and Linux. All software is vulnerable, period. Safe browsing and computer usage should always be executed at all times, not just singling out one of many platforms/applications. Google Chrome's support of Java was terminated when Google stopped supporting the NSAPI, in favor for their browser plugin API. It was not specifically targeted at Java, but the media hyped it as targeted at Java.

    2 very clear examples of vulnerabilities that impacted almost all browsers and OS's were the JPEG and PNG exploits of years past. These vulnerabilities allowed malicious code to bypass the browser and image viewing application using malformed images that trick the computer into executing the malicious code contained within the image. These vulnerabilities were primarily because of the open source/reference implementations written in C/C++ that were vulnerable.

    My point is that just simply uninstalling Java or targeting Java will not secure your system. No one should be using Java Applets or Active X anymore, but the Java Runtime is more secure than most Objective C and C/C++ applications, due in large part to its open public source code review process and security being one of Java's primary design goals. Java is has proven over time to be more secure that Microsoft .Net and Javascript. Javascript, when running in an unsafe mode (allowing the "eval" operation) is far less secure than any browser plugin.
    Java's largest failing actually being that the automatic updates of the Java runtime has been hampered or disabled by some OS upgrades, which is Apple's fault, not Oracle's or Java's.

    If you want to secure your system, you must disable the Java browser plugin, Flash, Shockwave, and most importantly Javascript, on Windows you must also disable Active X.

  2. Anonymous
    November 4, 2015 at 2:53 am

    Sorry for this late comment; I've just read this great article from Ben. I just have to say this, and it really only affects Australians.

    As a business owner with what's called an Australian Business Number (ABN), I am required to submit a Business Activity Statement (BAS) each quarter. To do that, I have to logon to the Business Portal, but there is a critical step that must be done - authentication using AUSkey, another form of digital ID.
    BUT, guess what? Before any of that happens, Java has to be installed!

    And just to make Java run properly I have to select "run in unsafe mode" in Safari Preferences.

    So, the ATO requires me to install a vulnerable system on my mac before I can proceed with my civic duty.

    • Ben Stegner
      November 4, 2015 at 3:50 am

      Thanks for your kind words!

      That's ridiculous! You shouldn't have to interact with vulnerable tools just to follow the rules. Hopefully, they change that to use more modern methods so you don't have to deal with Java anymore.

  3. Anonymous
    September 26, 2015 at 2:55 pm

    I never really what a terrible piece of software I had on my Mac.

    I just tried to update it as recommended, and it told me it was downloading the update, then that it was extracting the update, then the little window closed and I was back where I started!

    Sorry Java, you are the weakest link - goodbye!

  4. Anonymous
    September 26, 2015 at 6:36 am

    These commands will remove just the browser plugin and the preferences panel, it will leave the Java runtime in your system.

  5. Anonymous
    September 25, 2015 at 7:42 pm

    Another great how-to article. But why fill it with other lies that take away from it's awesomeness? Just write your great how-to instructions, and leave it at that.

    "...most Mac users don’t have to worry about running an antivirus or enabling a firewall on OS X." I have removed viruses multiple times from people that bought into this sentiment. And it cost them hundreds of dollars for each instance. Keep up the good advice (secure everything you hold dear all the time) and stop it with the bad (you don't even need anti-virus because you bought brand "x").

  6. Anonymous
    September 25, 2015 at 1:14 pm

    What about Flash Player is that safe? or does it fall in the same category as java

  7. Anonymous
    September 25, 2015 at 6:59 am

    Why oh why do people continue to promote the fallacy that Mac's are "rock solid when it comes to security"? Do you read anything other than your own BS?

    I am not a Mac basher. I am a Security professional and this delusional approach to Mac security must stop.

    Your Mac is NOT secure unless you do something to make it so.

    • Anonymous
      September 25, 2015 at 7:45 pm

      True. I've seen it happen in the real world, and it isn't pretty. But it's easier to believe the lie.

  8. Anonymous
    September 24, 2015 at 11:00 pm

    I need the JRE and JDK on my mac for my Eclipse IDE to write Java projects.

    • Ben Stegner
      September 25, 2015 at 2:19 pm

      That's a good reason to have Java still installed! You can still benefit from disabling the plug-in in your browsers, though.