Keeping your Mac secure: Java, Flash and Acrobat

This week we learned about a new zero-day attack targeting Java. The attack targets Java on all platforms, making both Mac & Windows users vulnerable. (Note: Java is not JavaScript.[1])

According to Symantec’s 2011 Internet Security Threat Report, just three browser plugins accounted for 59% of all malware attacks using browser plugins.

  • Oracle Java plugin: 20%
  • Adobe Acrobat plugin: 19%
  • Adobe Flash plugin: 20%

Most Mac users don’t need any of those plugins!

Java is used on very few websites. None of the websites I visit regularly require it, and unless you’re sure you need it, I strongly suggest turning it off, if not removing it completely from your computer, be it Mac or Windows.

OS X has PDF support built-in, so you don’t need the Adobe plugin.

Flash is commonly used on the web, and most users don’t want to give up Flash entirely. I uninstalled the Flash plugin, meaning that I don’t see any Flash content in Safari, my preferred browser. On those occasions when I need to view Flash content, my workaround is to use the Chrome browser, which has Flash built-in. Since Chrome is a self-updating app, it will auto-install new versions of Flash as Adobe finds and fixes security exploits.

Since I prefer Safari, I’ve installed a Safari extension called Eject to Flash. Now when I come across a web page with Flash content, I just press ⌘-E, and whatever page I’m viewing in Safari is automatically loaded in Chrome.

If your preferred browser is Chrome, then just uninstall Flash; don’t worry, it will keep working in Chrome.

You can check to see if the Flash plugin is installed by clicking this link. That page also has instructions for uninstalling Flash. (Note: Don’t use Chrome when you check that page, since it will always show Flash as being installed when using Chrome.)

You can check to see if Java is installed by clicking this link. If it says “Your Java is working,” then you have Java installed. Note that it may falsely report “An old version of Java has been detected on your system.” If you see that message, look for this text, and click on the link on that page: “Skip installation of the current version and test the currently installed version of Java.”

Instructions for uninstalling Java on a Mac can be found here.
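
The same checks can be done locally without visiting a test page. The script below is an added example, not part of the original post: it looks in the system-wide and per-user plug-in folders for the three plugins named above. The folder locations and bundle file names are assumptions based on the usual OS X install locations, and `audit_plugins` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report which of the three browser plugins discussed in
# this post are present in the OS X "Internet Plug-Ins" folders.

# bundle file name | label (names are assumptions; adjust for your versions)
PLUGINS='Flash Player.plugin|Adobe Flash
JavaAppletPlugin.plugin|Oracle Java
AdobePDFViewer.plugin|Adobe Acrobat
AdobePDFViewerNPAPI.plugin|Adobe Acrobat (NPAPI)'

# audit_plugins [ROOT] [HOME_DIR]
# Prints one "FOUND <label>: <path>" line per plugin bundle that exists.
# ROOT lets you point the check at a mounted disk image or a backup.
audit_plugins() {
    root="${1:-}"
    home="${2:-${HOME:-}}"
    for dir in "$root/Library/Internet Plug-Ins" \
               "$home/Library/Internet Plug-Ins"; do
        # A missing folder simply means nothing is installed there.
        [ -d "$dir" ] || continue
        while IFS='|' read -r bundle label; do
            if [ -e "$dir/$bundle" ]; then
                echo "FOUND $label: $dir/$bundle"
            fi
        done <<EOF
$PLUGINS
EOF
    done
    return 0
}

# When run directly, check the live system and the current user's folder.
result=$(audit_plugins)
if [ -n "$result" ]; then
    echo "$result"
else
    echo "None of the three plugins were found."
fi
```

Chrome's built-in Flash lives inside the Chrome application itself, so it will not show up in this check.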

Addendum for iOS users: You don’t need to worry about this, because Java and Flash aren’t (and cannot be) installed on iOS devices like the iPhone, iPad, or iPod touch.

  1. Despite their similar names, they are two different and unrelated things. JavaScript is fine; it’s Java about which you should worry.

    JavaScript is found on a huge number of websites (including this one). It’s generally considered safe, and I don’t recommend turning it off. In contrast, Java is sparsely used.