Dec 22, 2012 - The Chrome/Chromium developers have a bug to show progress. I tried Oracle's JRE 7 installer and Apple's old Java update for Lion first, but.
While security is a common concern for Windows systems, most Mac users don’t have to worry about running an antivirusAre Antivirus Programs Necessary for Mac?Are Antivirus Programs Necessary for Mac?Read More or enabling a firewall on OS XDoes Your Mac Really Need A Firewall?Does Your Mac Really Need A Firewall?Dig through your Mac's settings and you'll find a firewall, turned off by default. Isn't that insecure? Why would Apple be so irresonsible?Read More. However, this doesn’t mean that Macs are impenetrable.
Java, a Web plug-in that was once ubiquitous but is dropping out of use in favor of HTML5, is still a valid security concern for Mac users. Chris explained why browser plug-ins are the worst security problems plaguing the Web todayBrowser Plugins - One of the Biggest Security Problems on the Web Today [Opinion]Browser Plugins - One of the Biggest Security Problems on the Web Today [Opinion]Web browsers have become much more secure and hardened against attack over the years. The big browser security problem these days is browser plugins. I don’t mean the extensions that you install in your browser...Read More, and Java fits into that category perfectly.
Let’s take a look at what Java is up to on OS X, and why you should chuck it to make your computer even more secure.

What is Java?

Unfortunately, Java often gets confused with JavaScript. Java itself comprises multiple items, so it’s easy to get them mixed up. Here’s a quick rundown:
  • JavaScript is a programming language that allows Web pages to be dynamic. Without JavaScript, the Web would consist of mainly boring text instead of interactive buttons, sliders, and fancy website integrations. Matt has elaborated further on JavaScriptWhat is JavaScript, And Can the Internet Exist Without It?What is JavaScript, And Can the Internet Exist Without It?JavaScript is one of those things many take for granted. Everybody uses it.Read More if you’re interested in learning about it.
  • Java is a programming language, like C++ or Python. Android apps are written in JavaSo, You Want To Develop Android Apps? Here's How To LearnSo, You Want To Develop Android Apps? Here's How To LearnAfter so many years, one would think that the mobile market is now saturated with every app imaginable to man - but that's not the case. There are plenty of niches that still need to...Read More, as a practical example.
  • When you install Java on your Mac, you’re installing the Java Runtime Environment, which is relatively secure and a place to run Java-based applications on their own, though it’s not used often. The problem is the included Java Browser plug-in, which enables Java content to run inside any browser on your system.
Recently, Google announced that Chrome will no longer support JavaThe Web Just Became More Secure: Google Drops Support for JavaThe Web Just Became More Secure: Google Drops Support for JavaWhen Java was first released in 1995, it was revolutionary. But now, it's safe to say that Java has lost its shine, and Google is about to drop support for it in Chrome.Read More, meaning that anything online that needs Java will fail to run. This will greatly increase security across the Web, but why?

What’s Wrong With Java?

As Matt explained, Chrome is cutting support for Java because it’s terrifyingly insecure. Security company Kaspersky found that Java caused half of all security attacks affecting computers in 2012; and even people who were using a Windows antivirus weren’t protected.
So what’s the issue here? Essentially, the Java plug-in doesn’t do any sort of check to ensure the content it’s about to run is safe, and with its universal installation base, it’s a perfect target for attack.
Stupidly, Java also doesn’t update itself. Chrome, Firefox, Flash Player, and Adobe Reader all update themselvesWhy Do Apps Nag Me to Update & Should I Listen? [Windows]Why Do Apps Nag Me to Update & Should I Listen? [Windows]Software update notifications seem like a constant companion on every computer. Every app wants to update regularly, and they nag us with notifications until we give in and update. These notifications can be inconvenient, especially...Read More so you don’t have to worry about doing it; why Java can’t implement this critical functionality is anyone’s guess. This leads to a large number of Web users using an outdated version of the plug-in that malicious folks have already picked apart. Most people aren’t going to update softwareHow to Install Mac Apps in Terminal Using HomebrewHow to Install Mac Apps in Terminal Using HomebrewDid you know you can install Mac software in the Terminal? Here's how to use Homebrew to install Mac apps easily.Read More if they don’t see a prompt for it, and many probably don’t even realize that Java is installed on their system.
Of course, we can’t forget the atrocious Ask Toolbar that’s been bundled with Java for years. Every time you install or update Java, you have to remember to uncheck the “sponsored offer” box or else you end up with an ugly Chrome-hijacking toolbar3 Essential Steps To Get Rid Of Chrome Hijackers In Minutes3 Essential Steps To Get Rid Of Chrome Hijackers In MinutesHave you ever opened your browser of choice and been greeted with a bizarre-looking start page or an unsightly toolbar glued to the top of the page? Restore your browser to tip-top shape.Read More glued to your browser. The toolbar can be removed4 Annoying Browser Toolbars and How to Get Rid of Them4 Annoying Browser Toolbars and How to Get Rid of ThemBrowser toolbars just don't seem to go away. Let's look at some common nuisances and detail how to remove them.Read More and even suppressed in the first place, thankfully, but it’s ridiculous that Oracle imposes this on users, contributing to the issue of people failing to update Java.
Seeing the Ask toolbar on my parents PC. It's ok. I know it is tough times for @larryellison and he needs that extra cash, hope it helps!
— Chet Faliszek (@chetfaliszek) September 8, 2015

How to Disable Java

Knowing all this, it’s a good idea to just purge Java from your Mac. Don’t have it installed already? That’s wonderful; certainly don’t start now. For those of you with Java, now’s a great time to completely remove it. If you’re unsure about whether you need it, it’s extremely likely that you don’t.
To check for its presence, open System Preferences and if there’s an entry for Java, it’s installed.
How To Update Java On Mac For Chrome
Removal is thankfully a breeze. You’ll need to open a Terminal window4 Cool Things You Can Do With The Mac Terminal4 Cool Things You Can Do With The Mac TerminalThe Terminal is the Mac OS X analogue of the Windows command prompt, or CMD. It's a tool, as you probably already know, that allows you to control your computer using text commands, as opposed...Read More by pressing Command + Space to open Spotlight, then simply search for Terminal to open the prompt. Run the following line (you’ll need to type an administrator password):
Then run:
Java is now extinct from your system; can you feel the safety rushing over you?
If you’re sure you need to leave Java installed for some reason, be sure to take precautionsThe Top 6 Things To Consider When You Install Java SoftwareThe Top 6 Things To Consider When You Install Java SoftwareOracle’s Java runtime software is required to run Java applets on websites and desktop software written in the Java programming language. When installing Java, there are a few things you should consider, especially regarding security....Read More. Here are a few ways you can minimize Java’s risk to your system if you’re keeping it around.
The safest option is to disable Java in all browsersIs Java Unsafe & Should You Disable It?Is Java Unsafe & Should You Disable It?Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is...Read More. To do this globally, open up the Java Control Panel by going to System Preferences > Java and selecting the Security tab. Uncheck the Enable Java content in the browser box to shut it off everywhere. However, if you need Java for a particular website, this isn’t going to do much good. Instead, you should keep multiple browsers around3 Unmissable Reasons Opera Is the Right Browser for Your Mac3 Unmissable Reasons Opera Is the Right Browser for Your MacChrome and Firefox rule on Windows, but on OS X, Opera is the browser to beat. Eternal favorites Chrome and Firefox can give you flexibility, but not without some heavy compromises.Read More and allow Java in only one of them.
Newer versions of Safari allow Java on a per-site basis; head to Safari > Preferences > Security and choose Website Settings… next to Internet plug-ins. Select Java from the left panel and you can see a list of sites that you’ve given the green light. At the bottom, changing the setting to Block will ensure Java only runs on sites you explicitly allow.
Java automatically checks for updates, but it’s a good idea to ensure you haven’t missed any by occasionally going to the Java Control Panel again and paying a visit to the Update tab, where you’ll be notified of new versions.
Finally, make sure you don’t get hammered with junkware when updating by going to Java Control Panel > Advanced and scrolling all the way down to Suppress sponsor offers… Checking this box puts Java in its place and stops you accidentally installing adware you don’t need.

The Hole in Your Mac’s Security

These security problems aren’t just theory. In the past, Java has been responsible for Mac threats, most notably the Flashback Trojan that took advantage of Java in OS X and affected some 600,000 users. It wasn’t short-lived, either: we reported on Flashback in October 2011New Trojan For Mac Disables XProtect Auto Update [News]New Trojan For Mac Disables XProtect Auto Update [News]A Trojan recently made the rounds for Mac that appeared to be an update for Flash, but was actually a piece of malicious software called Flashback.A. Apple has since updated XProtect to block this dangerous...Read More, February 2012Flashback Mac Trojan Is Back, With A Vengeance [News]Flashback Mac Trojan Is Back, With A Vengeance [News]Read More, and then again in April 2012. Flashback wouldn’t quit, and those without Java installed were safeguarded against the infection.
trying to download bootlegged music to my mac, ended up downloading a virus how ironic
— Val? (@ooohval_) September 13, 2015
Apple computers are generally rock-solid when it comes to security (aside from a few slip-ups like the fake MACDefender antivirus programMalware Disguised As Antivirus Targets Mac Users [News]Malware Disguised As Antivirus Targets Mac Users [News]A bogus version of the MacDefender antivirus application has recently fooled many Apple Mac OSX users into downloading and installing the malware on their computers. The fake antivirus, called MAC Defender, specifically targets Mac users...Read More), so it makes sense that one of the biggest infections on the platform originated from a third-party plug-in. Zero-day vulnerabilitiesWhat Is a Zero Day Vulnerability? [MakeUseOf Explains]What Is a Zero Day Vulnerability? [MakeUseOf Explains]Read More aren’t something to mess around with, and no operating system is immune. Your Mac is secure; keep it that way by obliterating Java’s residence on your machine.
Take a minute to make your Mac even more secure by spotting the signs of a virus3 Signs Your Mac Is Infected With a Virus (And How to Check)3 Signs Your Mac Is Infected With a Virus (And How to Check)If your Mac is acting weird, it could be infected with a virus. How can you check for a virus on your Mac? We'll show you.Read More and putting a stop to annoying pop-upsPop Ups on Your Mac? How to Stop Them Once and For AllPop Ups on Your Mac? How to Stop Them Once and For AllThey break your focus, get in the way and sometimes baffle you. Why won't these pop ups go away?Read More.
Will you be removing Java on your Mac? If you still need Java, what’s making you keep it on your system? Let us know what you think about the plug-in by leaving a comment!
Explore more about: Computer Security, Java.
  1. This article is good, but has some inaccuracies and bias.
    The most obvious claims are that most people don't need Java, that Java does not perform any checks on the software it runs, and the very obvious contradiction of 'Stupidly, Java also doesn’t update itself' followed later by 'Java automatically checks for updates.'
    Java was the first mainstream programming environment to implement the sandbox model of application execution, preventing applications from performing any action outside of the sandbox (aka. virtual machine). When Java applications are written and run properly you do not need to disable this sandboxing. The Australian government clearly violated best practices in having an unsigned application that needs the ability to write to disk, thus requiring the running of Java in an 'unsafe mode.' The new OS model of only running 'signed' applications was actually brought to the mainstream by Java in the 1990's, with jar signing and sandboxing. Besides these obvious misrepresentations of Java, many applications utilize Java, without the user even being aware. It is the exclusion of Java from the OS that has led to each of these applications installing its own version of Java within the application. A perfect example of this is Minecraft, which was written in Java, and ported to .Net after its acquisition by Microsoft. Most parents have this installed and don't even know that it contains the Java Runtime.
    To be fair and unbiased, ALL applications have vulnerabilities and Macs are only safer than Windows and Linux/BSD because the user base is relatively low when compared to these other platforms. The following applications and platforms all have had at least as many security issues as Java, in most case far more, as Java performs extensive bytecode validation before running an application, looking for invalid sequences or known attack vectors, and can easily run applications within a sandbox.
    Adobe's Acrobat Reader, Flash, and Shockwave,
    Microsoft's .Net, Word, Outlook, and the rest of the office suite,
    Open Office, Libre Office, Internet Explorer, Google Chrome, the Safari browser, and any and all means of file/information sharing (torrents, file shares,SSH, web servers, FTP servers, MySQL, all database for that matter, and the list goes on and on) are all vulnerable to exploitation, Zero day or otherwise. This includes all versions of OS X, Windows, and Linux. All software is vulnerable, period. Safe browsing and computer usage should always be executed at all times, not just singling out one of many platforms/applications. Google Chrome's support of Java was terminated when Google stopped supporting the NSAPI, in favor for their browser plugin API. It was not specifically targeted at Java, but the media hyped it as targeted at Java.
    2 very clear examples of vulnerabilities that impacted almost all browsers and OS's were the JPEG and PNG exploits of years past. These vulnerabilities allowed malicious code to bypass the browser and image viewing application using malformed images that trick the computer into executing the malicious code contained within the image. These vulnerabilities were primarily because of the open source/reference implementations written in C/C++ that were vulnerable.
    My point is that just simply uninstalling Java or targeting Java will not secure your system. No one should be using Java Applets or Active X anymore, but the Java Runtime is more secure than most Objective C and C/C++ applications, due in large part to its open public source code review process and security being one of Java's primary design goals. Java is has proven over time to be more secure that Microsoft .Net and Javascript. Javascript, when running in an unsafe mode (allowing the 'eval' operation) is far less secure than any browser plugin.
    Java's largest failing actually being that the automatic updates of the Java runtime has been hampered or disabled by some OS upgrades, which is Apple's fault, not Oracle's or Java's.
    If you want to secure your system, you must disable the Java browser plugin, Flash, Shockwave, and most importantly Javascript, on Windows you must also disable Active X.
  2. Sorry for this late comment; I've just read this great article from Ben. I just have to say this, and it really only affects Australians.
    As a business owner with what's called an Australian Business Number (ABN), I am required to submit a Business Activity Statement (BAS) each quarter. To do that, I have to logon to the Business Portal, but there is a critical step that must be done - authentication using AUSkey, another form of digital ID.
    BUT, guess what? Before any of that happens, Java has to be installed!
    And just to make Java run properly I have to select 'run in unsafe mode' in Safari Preferences.
    So, the ATO requires me to install a vulnerable system on my mac before I can proceed with my civic duty.
    Crazy?
  3. I never really what a terrible piece of software I had on my Mac.
    I just tried to update it as recommended, and it told me it was downloading the update, then that it was extracting the update, then the little window closed and I was back where I started!
    Sorry Java, you are the weakest link - goodbye!
  4. These commands will remove just the browser plugin and the preferences panel, it will leave the Java runtime in your system.
  5. Another great how-to article. But why fill it with other lies that take away from it's awesomeness? Just write your great how-to instructions, and leave it at that.
    '...most Mac users don’t have to worry about running an antivirus or enabling a firewall on OS X.' I have removed viruses multiple times from people that bought into this sentiment. And it cost them hundreds of dollars for each instance. Keep up the good advice (secure everything you hold dear all the time) and stop it with the bad (you don't even need anti-virus because you bought brand 'x').
  6. What about Flash Player is that safe? or does it fall in the same category as java
  7. Why oh why do people continue to promote the fallacy that Mac's are 'rock solid when it comes to security'? Do you read anything other than your own BS?
    http://www.techweekeurope.co.uk/workspace/macs-immunity-to-malware-exposed-as-fallacy-30566
    https://securityintelligence.com/news/new-mac-security-threats-the-perfect-storm/
    http://theartofthehack.com/20-of-the-most-misguided-beliefs-about-infosec/
    http://betanews.com/2015/08/03/macs-are-vulnerable-to-thunderstrike-2-firmware-malware-that-survives-formatting/
    I am not a Mac basher. I am a Security professional and this delusional approach to Mac security must stop.
    Your Mac is NOT secure unless you do something to make it so.
    • True. I've seen it happen in the real world, and it isn't pretty. But it's easier to believe the lie.
  8. I need the JRE and JDK on my mac for my Eclipse IDE to write Java projects.

I updated Java on my Mac OS X system and suddenly there’s an Ask toolbar in Google Chrome? What the heck?? How do I remove this malware?

I think it might be a bit much to call this malware as I don’t think it’s actually doing anything evil or bad to your computer or your browser, but the way that it’s installed as part of the Oracle Java 8.0 update is definitely more than a bit questionable. You do have to okay the install as part of updating your own Java runtime on your Mac system, but I expect that most people are just going to click thru the process without realizing what they’re saying “yes” to, so…

What’s frustrating is that it turns out that not only does the Ask toolbar get installed, but your default search engine is switched from whatever you have set up to Ask.com too. Not good, it’s not a very good search engine and in any case, that’s something you should do consciously, not something that’s done on the sly.

To start, when you go through the install, you will have to click past this window:

So it’s not like they’re entirely hiding the process from us users. Then again, I think this is relatively recent and that previous Java updates were a lot more sly about the process. In any case, if you did install the “Search App by Ask” and the Ask Toolbar, next time you’re on a Web page in your Google Chrome browser, it’ll look like this:

Definitely not to my taste. If I wanted my Web browser to look like a PC’s browser with its half-dozen toolbars, well, I’d be on a PC not a Mac system. ?

To uninstall the toolbar from your Google Chrome system, click on the gears icon on the right side of the Ask toolbar.

Again, that “Uninstall” button is pretty darn front and center.

Click on Uninstall to remove the Ask Toolbar from your Mac’s Chrome browser.

Done. Uninstalled.

Enable java on mac

Well, sort of.

Let’s go into your settings for Google Chrome by choosing Preferences… from the “Chrome” menu on the top left of your Mac’s screen, then click on “Settings” on the right side.

Now scroll down as needed until you see this section:

You can see the problem: “Ask Search” is not the default search engine I want from the omnibox, thank you very much.

To change it, just click on the pop-up menu, then pick your favorite search engine from the list:

That’s it. Done. Finally wiped the Search Toolbar from Ask from your Google Chrome system.

Worried it might have infected Safari too? It probably hasn’t, but you can check by going to Safari and just clicking on the address / search box without typing anything in. It looks like this:

As you can see, mine’s still set to Google. Phew.

Double check by going to the Extensions pane in Safari’s Preferences too:

No trace of anything from Ask or Oracle. Good.

Now you’re clear. And Oracle? I know you add the confirmation window, but it’s still really annoying to have this Ask toolbar even show up as a possibility. Ugh. No thanks.

Let’s Stay In Touch!

I do have a lot to say, and questions of my own for that matter, but first I'd like to say thank you, Dave, for all your helpful information by buying you a cup of coffee!