With the news that some Apple, Facebook, and Twitter employees’ Macs were hacked, and Apple and Oracle’s subsequent software patches, it’s time to revisit the question of whether Java can be used securely.
After the Flashback malware attack that occurred in the summer of 2012, I discussed the risks and offered some advice about the safest way to use Java. But due to changes in the way Java works on Macs and the recent rise in Java-based security threats, I'm altering my advice: You should do everything you can to remove Java from your Mac or, if that isn’t possible, to isolate it to the fullest extent possible.
I don’t make this recommendation lightly. Removing Java will be problematic for some people, especially those who use Macs at work; and isolating it isn’t simple. But I can’t overstate the risk: Nearly all recent Mac malware attacks rely on exploiting Java or Flash in your Web browser. (I also have some advice on isolating Flash.) If you plan to keep Java, make sure that you update it as soon as possible.
Why I now recommend removing Java
Java is more than a browser plugin. It's a complete application runtime environment. That means that Java applications are designed to run inside a Java Virtual Machine installed on your Mac. Theoretically, a developer can write a Java program to run inside the virtual machine, and it will run without modification on any platform—Mac, Windows, Linux, or whatever is running a valid JVM. (Practically speaking, getting something to work across platforms is rarely easy.) The JVM handles memory management and anything else that the application needs, and runs it inside a sandbox that isolates the Java application from your operating system.
The problem arises when a flaw exists in this sandbox (or in other aspects of the JVM), and someone writes malicious code that takes advantage of the flaw to break out and gain additional access to your computer. What makes environments like Java and Flash so problematic is that, when enabled in your browser, they run such programs without asking your permission to do so. Only the sandbox stands between you and any random attacker with a Java program on the Internet; and when that sandbox ceases to be impervious, simply browsing a webpage could enable bad guys to take full control of your computer.
This is exactly what happened in the attack against Apple’s employees, and possibly in the attacks against Twitter and Facebook as well. The attackers compromised a site known to be used by mobile developers, and then used a previously unknown (or “zero-day”) Java vulnerability to exploit computers through their browsers. This is known as a “watering hole” attack, because the bad guys targeted a place that the desired victims visited regularly and voluntarily. Since the exploit was unknown, antivirus software wouldn’t necessarily be able to spot and disable it.
When I wrote about the the Flashback attacks at the end of August, I said, “although you likely aren’t at risk today, it is clear that Java still represents one of the biggest, most persistent security problems facing users of all operating systems.”
My conclusion has changed: You are at risk now. So how do you protect yourself?
How to remove Java
Your best option is to remove Java from your Mac altogether; then you won’t have to worry about its security vulnerabilities. Not having Java on your system may break some websites, but I haven’t permitted Java to run in my browser for quite a while now and I’ve run into very few problems. When I do, the culprits have most commonly been Web-based meeting software and some enterprise applications. That's because disabling Java also disables some other software programs, such as the popular CrashPlan backup tool. If you run into that situation, consider taking the steps outlined below for isolating Java; for other users, however, living without Java may be the most satisfactory course. That way, you avoid the risk of having Java reactivated at some point in the future.
The precise process to follow in removing Java depends on the version of OS X you run and the version of Java you use. Whatever those particulars may be, removing Java is fairly easy.
To see whether you have Java installed, launch Terminal and run the following command:
If you see
1.7 in the response, navigate to the /System/Library/Java/JavaVirtualMachines/ directory and delete it. Alternatively, use the command line:
sudo rm -rf /System/Library/Java/JavaVirtualMachines/
(As always, type very careful when using the
sudo rm command.)
If your Mac suddenly asks you to install Java, either Java isn’t on your system or you installed the nondeveloper version of Java 7 (the more common situation). In that case, remove Java 7 with these command lines:
sudo rm -rf "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" sudo rm -rf "/Library/PreferencePanes/JavaControlPanel.prefpane"
If you run into problems, select your Mac’s hard drive in the Finder, search for those two files, and send them to the Trash.
How to isolate Java
Isolating Java means leaving it on your Mac, but removing it from your browser except when you want it to run. Apple now does this by default for all Macs (10.6 and later) and will re-isolate it after about a month even if you've turned it back on. Isolating Java is a bit more complex now that Apple has removed the Java preferences utility from Lion and Mountain Lion.
If you run Java 6 (the Apple supplied version), you need to restrict it on each of your browsers. In Google Chrome, type
chrome://plugins in the address bar and click the link to disable Java. In Safari, go to Safari > Preferences and uncheck Enable Java in the Security pane. In Firefox go to Tools > Add Ons > Plugins and uncheck Java Plug-In.
If you use Java 7, you can disable it systemwide: Go to Preferences > Java > Security and uncheck Enable Java Content in the Browser.
I suggest that you isolate Java in all of your browsers, and then pick one that you don’t use as your main browser and temporarily activate Java there as needed. Doing so will reduce the likelihood that you will forget to turn it off after using it and will leave yourself vulnerable during your day-to-day browsing.
This advice may seem extreme. But when Apple’s own developers are hacked, it's time to protect yourself.
Updated 2/21/13 11:05 AM PT to correct command line formatting.