The Safe Mac



Using Java in Mac OS X

Posted on August 6th, 2012 at 4:33 PM EDT


Many people using the latest versions of Mac OS X (10.7, aka Lion, and 10.8, aka Mountain Lion) have had problems getting Java applets to run. This is causing a great deal of confusion, and even some hard feelings, especially amongst those who have upgraded from older systems where Java worked just fine. Fortunately, the problem is easily fixed. However, before you fix it, you need to ask yourself an important question: “Should I fix it?”

Background

A little background is important in understanding why these changes have been made. Apple has, for some time now, been trying to distance itself from Java. That strategy involved, among other things, no longer including Java as a part of the system by default, as Apple had done in Mac OS X 10.6 (Snow Leopard) and earlier. Apple’s reasons for doing this are many, but one of them may have been security. Java has suffered from serious security vulnerabilities from time to time. Apple has always been responsible for Java updates on the Mac, and those updates have typically been released at a bit of a delay after they became available for other systems. By handing sole responsibility for updates of Java 7 (and up) in the future to Oracle, and by removing Java as a part of the system in Lion and up, Apple increased the security of Mac OS X.

Unfortunately, they acted too late, and in February of 2012, a new variant of the Flashback malware appeared that relied on Java vulnerabilities. All users of the versions of Java supplied by Apple were vulnerable. Lion users were safe unless they had installed Java, while all Snow Leopard users were fully vulnerable. Apple eventually managed to get a Java update out, but not until Flashback had infected more than 600,000 Macs and made international headlines.

Part of Apple’s response to Flashback involved an additional layer of security with respect to Java: disabling it. On machines that have Java installed, Java was disabled after Apple’s security updates. Further, the system now monitors Java usage, and if Java hasn’t been used in 35 days, it gets disabled once again. This makes for a far more secure system, but does cause some problems for users who need Java and who aren’t aware of this background!

Why you shouldn’t use Java

I know that you probably came here looking for a way to use Java, but I’m going to first tell you why that’s a bad idea. Unfortunately, some people simply need to use Java and don’t really have the choice of not using it, but it is still important to understand why using it is dangerous, so that you can take appropriate precautions.

As I mentioned earlier, Java can be a significant security risk. It has been used a lot recently as a method of installation by malware, such as Flashback, Tibet, Sabpab, Maljava, GetShell and Crisis. Some of those relied on vulnerabilities in Java that have already been fixed, while others used a Java-based “social exploit” to trick the user into allowing system modifications. Then, in late August of 2012, another vulnerability surfaced and was exploited to install malware on Windows machines and, reportedly, on a few Macs. Based on Java’s history of vulnerabilities, it is highly likely that other vulnerabilities will be found and exploited at some point in the future. If you’ve got Java, you could end up infected. By not installing Java, or keeping it disabled, you are safe from the majority of the Mac malware that has appeared within 2012, at the time of this writing.

How to use Java if you need to

If you have to use Java, or if you just really, really want to, there are two things you need to do. First, if you are using Lion or Mountain Lion, you need to install Java. One way of doing that is by opening any app that relies on Java. The easiest way of doing that is to go to the Utilities folder, which is in the Applications folder, and open the Java Preferences app. When you do, you will be asked if you want to install a “Java SE 6 runtime.” Click the Install button and Java will be installed.

The problem with that method is that you’re getting an older version of Java. It has received recent security updates, but it’s not clear how long that will continue. Java 7 is available directly from Oracle, and because it is being actively updated by Oracle synchronously with Java for all other platforms, it is probably wiser to install that instead of relying on Java 6. Click the Download button in the JRE column, then agree to the terms and click the download link for the Mac OS X installer. (You must have JavaScript and cookies enabled in your browser or this process will fail.) Open the .dmg file that downloads, and then run the installer that it contains. (You can delete that .dmg file once the installation is finished.)

Once you have installed Java, or if you are using Snow Leopard or had Java installed previously, you have to enable it. Remember, Mac OS X from Snow Leopard up will disable Java by default, and if you enable it, will disable it again automatically if you don’t use it for 35 days! To enable Java, you simply need to open the Java Preferences app, select the General tab and check the box labeled “Enable applet plug-in and Web Start applications.”

If that doesn’t get Java working for you, it may be that Java is also turned off in your web browser. In Safari, you can turn on Java by going to the Security pane of Safari’s preferences and checking the Java box. (Note that JavaScript is an entirely different, and unrelated, thing, despite the similarity of names.) Other browsers will hide this setting in other places.

There are some things you can do to minimize the risks incurred by enabling Java. The easiest thing to do is to use a secondary browser for any sites you need to use that require Java. For example, if Safari is your preferred browser, keep Java turned off in Safari, but turn Java on in another browser, like Firefox. Then, use Firefox only for sites that you trust and that require Java. For all other sites, use Safari. (Of course, that’s just an example… you could just as easily use Firefox as your primary browser and Chrome as your “Java-only” browser, or some other combination of browsers.)

If you are firmly committed to the use of one browser over all others, another option is to simply turn Java on and off in that browser’s preferences as needed. When you need to use a site that requires Java, turn it on, and don’t visit any other sites while in that mode. Then, when you’re done with that site, turn Java back off.

Of course, neither of these options is without flaws. Even a trusted site could be hacked. That is not a far-fetched idea; it happens all the time. Better would be to petition the sites you use that require Java to find a way to eliminate their reliance on Java. Java has been slowly falling out of fashion on the web, and with its history of security problems, the sooner it stops being used entirely, the better!

Update

On October 15, 2012, Oracle finally fixed a vulnerability in Java that had been there for quite some time. (Even Java 5, which is quite old at this point, contained the vulnerability.) The next day, Apple updated their version of Java 6, and yanked out the Java applet plug-in from Safari. If you absolutely must use Java in your web browser at this point, you will probably find it easiest to simply upgrade to Java 7.


14 Comments

  • R says:

    It seems all malware that is reported is gaining access through Java. Now this may seem like a silly question, but is this the only way that malware is gaining access on OS X?

    Obviously there are other means of getting infected from files, emails, downloads, etc. but I never see reports that this is the case. I run ClamXAV and scan periodically, and have never turned up anything. Having a fairly good handle on how to stay safe myself, I manage a few people who may not. And downloading something and entering their password seems trivial to them. I would just like to be aware of what to look for and what’s currently out there; of course one cannot predict the future.

    As I have mentioned before, excellent website and thank you for your time!

    • Thomas says:

      Java isn’t the only way, no – FkCodec is just a normal trojan, and Sabpab used vulnerabilities in Microsoft Office – but Java certainly is the most-used method of installation for Mac malware in 2012. Whether that’s just a trend caused by the success of Flashback or it would have happened anyway, I don’t know, but keeping Java turned off, or not installing it at all, protects you from a lot.

      And thanks for the kind words!

  • Jay says:

    Do you know if the August 15 Java SE 7 Update 6 offers significant (important) security or bug/exploit fixes? I have read the release notes but not getting a clear picture of any security related fixes that may have been done. Any idea if the update affects the above guide and steps you describe?

    Great website with very useful information, thanks for doing this.

    • Thomas says:

      I don’t think there were any actual security fixes, but there’s always the chance that a hacker could find a way to use a couple of the bugs that were fixed maliciously. There’s nothing particularly promising-looking on the list, though.

  • david says:

    Any chance to uninstall all elements of Java should I decide to give up? I’m sort of a binary guy: I’m either in or out.

  • M Broussard says:

    I am a new MacBook Air user. Based upon your Tech Corner, I disabled Java. There is also a tab in preferences that allows you to disable JavaScript. What is the difference between Java and JavaScript? Should I disable both?

    • Thomas says:

      Java and JavaScript are, despite the names, unrelated. You can leave JavaScript turned on. In fact, if you disable it, many websites will stop functioning properly or at all.

  • Scott says:

    My version of the Java Preferences App is 14.4.0 and does not have the tabs at the top of the window. After installing the latest Oracle version, version 7 does not show up in the Java Preferences App, even after a restart. Just 2 Java 6’s appear. Am I using an obsolete version of the application? Running OS X 10.8.1 on a 27-inch, Mid 2011, iMac.

    Any suggestions?

    Thank you very much.

  • Jonas says:

    There is so much contradictory information floating around concerning which Adobe Mac applications require Java (or run more reliably if it’s enabled) and which don’t… contradictory information even from different people at Adobe itself… that if anyone has *really* figured out the truth about all that, it would be very helpful to read about. Thanks.

  • Bill Halberstadt says:

    Like Scott (above), I am also confused by the identification of the installed version(s) of Java. I am running Mac OS 10.8.1. After installing Java 7 from Oracle, the preference pane item “Java” opens a new window with a tab “Java” that says I have 1.7.0_07. However, if I run the “Java Preferences” app in the Utility folder, it lists 32 bit and a 64 bit items, both version 1.6.0_35-b10-428.

    Can you help clear the confusion?

  • Campbell says:

    I’ve got the Java SE 6. How can I disable it or uninstall it if I want Java 7 from Oracle to be my primary Java version?

    Thanks


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.