With the news that some Apple, Facebook, and Twitter employees’ Macs were hacked, and Apple and Oracle’s subsequent software patches, it’s time to revisit the question of whether Java can be used securely.
After the Flashback malware attack that occurred in the summer of 2012, I discussed the risks and offered some advice about the safest way to use Java. But due to changes in the way Java works on Macs and the recent rise in Java-based security threats, I'm altering my advice: You should do everything you can to remove Java from your Mac or, if that isn’t possible, to isolate it to the fullest extent possible.
I don’t make this recommendation lightly. Removing Java will be problematic for some people, especially those who use Macs at work; and isolating it isn’t simple. But I can’t overstate the risk: Nearly all recent Mac malware attacks rely on exploiting Java or Flash in your Web browser. (I also have some advice on isolating Flash.) If you plan to keep Java, make sure that you update it as soon as possible.
Why I now recommend removing Java
Java is more than a browser plugin. It's a complete application runtime environment. That means that Java applications are designed to run inside a Java Virtual Machine installed on your Mac. Theoretically, a developer can write a Java program to run inside the virtual machine, and it will run without modification on any platform—Mac, Windows, Linux, or whatever is running a valid JVM. (Practically speaking, getting something to work across platforms is rarely easy.) The JVM handles memory management and anything else that the application needs, and runs it inside a sandbox that isolates the Java application from your operating system.
The problem arises when a flaw exists in this sandbox (or in other aspects of the JVM), and someone writes malicious code that takes advantage of the flaw to break out and gain additional access to your computer. What makes environments like Java and Flash so problematic is that, when enabled in your browser, they run such programs without asking your permission to do so. Only the sandbox stands between you and any random attacker with a Java program on the Internet; and when that sandbox ceases to be impervious, simply browsing a webpage could enable bad guys to take full control of your computer.
This is exactly what happened in the attack against Apple’s employees, and possibly in the attacks against Twitter and Facebook as well. The attackers compromised a site known to be used by mobile developers, and then used a previously unknown (or “zero-day”) Java vulnerability to exploit computers through their browsers. This is known as a “watering hole” attack, because the bad guys targeted a place that the desired victims visited regularly and voluntarily. Since the exploit was unknown, antivirus software wouldn’t necessarily be able to spot and disable it.
When I wrote about the Flashback attacks at the end of August, I said, “although you likely aren’t at risk today, it is clear that Java still represents one of the biggest, most persistent security problems facing users of all operating systems.”
My conclusion has changed: You are at risk now. So how do you protect yourself?
How to remove Java
Your best option is to remove Java from your Mac altogether; then you won’t have to worry about its security vulnerabilities. Not having Java on your system may break some websites, but I haven’t permitted Java to run in my browser for quite a while now and I’ve run into very few problems. When I do, the culprits have most commonly been Web-based meeting software and some enterprise applications. Bear in mind that disabling Java also disables some other software programs, such as the popular CrashPlan backup tool. If you run into that situation, consider taking the steps outlined below for isolating Java; for other users, however, living without Java may be the most satisfactory course. That way, you avoid the risk of having Java reactivated at some point in the future.
The precise process to follow in removing Java depends on the version of OS X you run and the version of Java you use. Whatever those particulars may be, removing Java is fairly easy.
(Screenshot: Disabling Java in Safari.)
To see whether you have Java installed, launch Terminal and run the following command:
If you see 1.7 in the response, navigate to the /System/Library/Java/JavaVirtualMachines/ directory and delete it. Alternatively, use the command line:
sudo rm -rf /System/Library/Java/JavaVirtualMachines/
(As always, type very carefully when using the sudo rm command.)
If your Mac suddenly asks you to install Java, either Java isn’t on your system or you installed the nondeveloper version of Java 7 (the more common situation). In that case, remove Java 7 with these command lines:
sudo rm -rf "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"
sudo rm -rf "/Library/PreferencePanes/JavaControlPanel.prefpane"
If you run into problems, select your Mac’s hard drive in the Finder, search for those two files, and send them to the Trash.
How to isolate Java
Isolating Java means leaving it on your Mac, but removing it from your browser except when you want it to run. Apple now does this by default for all Macs (10.6 and later) and will re-isolate it after about a month even if you've turned it back on. Isolating Java is a bit more complex now that Apple has removed the Java preferences utility from Lion and Mountain Lion.
If you run Java 6 (the Apple-supplied version), you need to restrict it in each of your browsers. In Google Chrome, type chrome://plugins in the address bar and click the link to disable Java. In Safari, go to Safari > Preferences and uncheck Enable Java in the Security pane. In Firefox, go to Tools > Add-ons > Plugins and uncheck Java Plug-In.
If you use Java 7, you can disable it systemwide: Go to Preferences > Java > Security and uncheck Enable Java Content in the Browser.
I suggest that you isolate Java in all of your browsers, and then pick one that you don’t use as your main browser and temporarily activate Java there as needed. Doing so reduces the likelihood that you will forget to turn it off after using it and leave yourself vulnerable during your day-to-day browsing.
This advice may seem extreme. But when Apple’s own developers are hacked, it's time to protect yourself.
Isolate Adobe Flash by Using Google Chrome
http://tidbits.com/article/13545
On 7 February 2013, Adobe released an important security fix for Flash Player on the Mac, Windows, Linux, and Android. This release fixes a vulnerability that is actively being used to exploit both Mac and Windows users through Web browsers and via malicious Microsoft Word email attachments (with Flash embedded). While we at TidBITS don’t currently know the details of the Mac exploits, Adobe clearly states that Macs are actually being attacked.
Under normal circumstances, we recommend updating immediately whenever an important security patch is released, but in this case we have a somewhat different recommendation. Instead of leaving Flash on your Mac, you can isolate it and thus reduce the attack surface available to the bad guys. This is easier, and requires far less ongoing fuss, than you might think, and it is how I’ve been using my Mac for the past year or so.
The first step is to uninstall Flash by using Adobe’s official uninstaller application. This completely removes Flash from your operating system, making it impossible for an attacker to target it.
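Both articles boil down to "check whether the plug-in is still on the system, then get rid of it." The following POSIX shell script is an added example, not code from either article or from Apple or Adobe: it audits the system-wide Java components named in the Java section (the Java 7 applet plug-in, the Java control panel, and the JavaVirtualMachines directory) and the Flash Player plug-in, and either reports them or removes them. The Flash path, /Library/Internet Plug-Ins/Flash Player.plugin, is my assumption of the standard system-wide location, since this article relies on Adobe's uninstaller rather than naming it. The script deliberately checks files instead of running java -version, because on a Mac without Java that command triggers the install prompt described above. The default mode is a dry run that prints what would be deleted; nothing is removed unless you pass remove, and for the real paths that needs root (sudo sh plugin-audit.sh remove), exactly as the article's sudo rm -rf lines do.

```shell
#!/bin/sh
# Added example (not from the original articles): audit, and optionally remove,
# the system-wide Java and Flash components the articles tell you to get rid of.
# Usage: sh plugin-audit.sh audit | dry-run | remove   (remove needs sudo)

# Paths named in the Java article (Java 7 plug-in, control panel, Java 6 JVMs).
JAVA_PATHS="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/Library/PreferencePanes/JavaControlPanel.prefpane
/System/Library/Java/JavaVirtualMachines"

# Assumed standard location of the system-wide Flash Player plug-in
# (the Flash article uses Adobe's uninstaller and does not name the path).
FLASH_PATHS="/Library/Internet Plug-Ins/Flash Player.plugin"

# list_present ROOT PATHS: print every path in PATHS (newline separated) that
# exists under ROOT. ROOT is "" for the live filesystem, or a scratch directory
# when testing. Returns 0 if anything was found, 1 if that set is already clean.
list_present() {
    root=$1
    found=1
    old_ifs=$IFS
    IFS='
'
    set -f                      # paths may contain spaces, never globs
    for p in $2; do
        if [ -e "$root$p" ]; then
            printf '%s\n' "$root$p"
            found=0
        fi
    done
    set +f
    IFS=$old_ifs
    return $found
}

# audit ROOT: print every Java or Flash component still installed under ROOT.
# Returns 0 if at least one component is present, 1 if the system is clean.
audit() {
    list_present "$1" "$JAVA_PATHS"
    java_rc=$?
    list_present "$1" "$FLASH_PATHS"
    flash_rc=$?
    [ "$java_rc" -eq 0 ] || [ "$flash_rc" -eq 0 ]
}

# purge ROOT MODE: MODE "dry-run" (default) only reports what would be deleted;
# MODE "remove" performs the articles' rm -rf on each component found.
purge() {
    root=$1
    mode=${2:-dry-run}
    audit "$root" | while IFS= read -r p; do
        if [ "$mode" = remove ]; then
            rm -rf "$p"
            printf 'removed: %s\n' "$p"
        else
            printf 'would remove: %s\n' "$p"
        fi
    done
}

# Command-line dispatch; with no argument the script only defines the functions.
case "${1:-}" in
    audit)   audit "" || echo "no system-wide Java or Flash components found" ;;
    dry-run) purge "" dry-run ;;
    remove)  purge "" remove ;;
esac
```

Run sh plugin-audit.sh audit first; an empty listing means the components are already gone. The browser-level switches in the isolation section (Safari's Enable Java checkbox, chrome://plugins, the Java 7 control panel) are separate from these files, so a clean audit says the plug-ins are off the disk, not that a browser has been told to stop loading a remaining copy.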
“But wait,” you say, “my kids will kill me if they can’t play those Flash-based Disney games.” Not to worry, there is an easy solution, thanks to Google.
The free Google Chrome Web browser includes its very own integrated version of Flash. Better yet, starting back in November 2012, Chrome sandboxes Flash from the rest of your Mac. This doesn’t mean that Chrome’s version of Flash is invulnerable, but an attacker must first compromise Flash and then break out of the sandbox to attack your Mac. This extra barrier makes it a lot less likely you will be compromised even when vulnerabilities are discovered in Flash. Plus, since Chrome automatically updates itself, you never have to fuss with the Flash Player installer again.
My recommendation is to install Google Chrome, even if you don’t plan on using it as your primary Web browser. Then simply launch Chrome whenever you want to see Flash content. I originally got this idea from John Gruber of Daring Fireball, and over time I’ve found that this simple method of isolating Flash to Chrome works great, especially since an ever-increasing number of sites push HTML5 video to Safari automatically if Flash is missing.
Personally, I decided to switch to Chrome completely since it is, overall, the most secure Mac browser on the market, especially once Google sandboxed Chrome’s version of Flash. After installing Chrome I do two things:
First, I go to Preferences > Settings > Show Advanced Settings > Privacy and disable everything except “Enable phishing and malware protection.” That reduces Google’s tracking, although turning off those other features also slows down both Chrome’s page fetching and your Web browsing speed.
Second, I install the following Chrome extensions (just click each link within Chrome, and then click the Add to Chrome button in the Chrome Web Store page that loads):
- Adblock Plus to remove ads (especially Flash ads)
- Ghostery and DoNotTrackMe to improve privacy and reduce tracking
Blocking ads and Flash trackers also reduces your attack surface, since ad networks in particular are targeted and sometimes used to distribute malware through banners on legitimate sites.
As I noted, Chrome automatically updates itself by default, which is generally good for security, although there can be a lag between Adobe Flash updates and when those are integrated into Chrome. Fortunately, the sandbox is still there to help protect you.
And that’s it! The entire process of uninstalling Flash and installing Chrome for those sites that still require it takes only a few minutes, and it provides a ton of extra security.