
Security Hole in Java for Mac

The Mac OS used to be relatively free from viruses, trojans and malware, but that has changed. The Mac has gained popularity, so it has become attractive to hackers and thieves. The latest hack exploits a hole in the Java plug-in for Mac web browsers.


What you should do. First, ask yourself whether you need Java at all. Most websites don’t use it, but a few web apps — notably Webex — won’t work without it. If you don’t need it, disable it. You can always re-enable it later.

  • In Safari, click Preferences and then the Security tab, and then uncheck “Enable Java.”
  • In Firefox, click Tools -> Add-ons -> Plugins and disable the Java plug-in.
  • In Google Chrome, click Preferences and enter “Java” in the search field. Scroll to the Plug-ins section and click the link that says “Disable individual plug-ins.”


If you do need Java, install the latest security update from Apple. (If you run Lion, you should be using Oracle’s version of Java; it’s much more current.) Even so, turn it off when you aren’t actively using it.


For more information about the security problem of Java on Mac, check the KrebsOnSecurity blog or this Ars Technica article.


Are You Already Infected?

As of mid-April 2012, there seems to be only one significant attack that uses Java on Mac: the Flashback trojan. A free Flashback Checker program has been posted to GitHub. It can tell you whether you are infected or not, but it will not attempt a disinfection. Disclaimer: ASMP staff used this program with good results, but there is no guarantee that it will work for you.


Detailed instructions for detecting and removing this infection are posted on this F-Secure page. (The Flashback Checker runs the first half of these instructions for you.) However, this page is written for computer experts. If what you read on this page is unfamiliar territory, please hire a computer consultant.



1. "If you don't need it, disable it" is a good rule for Windows and Linux users as well. Java is designed to work the same on any operating system, so it will have the same security holes.


2. You may need to repeat the disabling process if you update Safari, as the updater may re-enable Java without asking you. Firefox usually does not enable plug-ins that were disabled, but you should still check.


3. Java is not the same thing as Javascript. Despite the names, they are completely different. You need Javascript to browse many websites, including Do not disable Javascript.