Keeping your Mac secure: Java, Flash and Acrobat

This week we learned about a new zero-day attack targeting Java. The attack targets Java on all platforms, making both Mac & Windows users vulnerable. (Note: Java is not JavaScript1)

According to the Symantec’s 2011 Internet Security Threat Report, just three browser plugins accounted for 59% of all malware attacks using browser plugins.

  • Oracle Java plugin: 20%
  • Adobe Acrobat plugin: 19%
  • Adobe Flash plugin: 20%

Most Mac users don’t need any of those plugins!

Java is used on very few websites. None of the websites I visit regularly require it, and unless you’re sure you need it, I strongly suggest turning it off, if not removing it completely from your computer, be it Mac or Windows.

OS X has PDF support built-in, so you don’t need the Adobe plugin.

Flash is commonly used on the web, and most users don’t want to give up Flash entirely. I uninstalled the Flash plugin, meaning that I don’t see any Flash content in Safari, my preferred browser. On those occasions when I need to view Flash content, my workaround is to use the Chrome browser, which has Flash built-in. Since Chrome is a self-updating app, it will auto-install new versions of Flash as Adobe finds and fixes security exploits.

Since I prefer Safari, I’ve installed a Safari extension called Eject to Flash. Now when I come across a web page with Flash content, I just press ⌘-E, and whatever page I’m viewing in Safari is automatically loaded in Chrome.

If your preferred browser is Chrome, then just uninstall Flash; don’t worry, it will keep working in Chrome.

You can check to see if the Flash plugin is installed by clicking this link. That page also has  instructions for uninstalling Flash. (Note: Don’t use Chrome when you check that page, since it will always show Flash as being installed when using Chrome.)

You can check to see if Java is installed by clicking this link. If it says “Your Java is working,” then you have Java installed. Note that it may falsely report “An old version of Java has been detected on your system.” If you see that message, look for this text, and click on the link on that page: “Skip installation of the current version and test the currently installed version of Java

Instructions for uninstalling Java on a Mac can be found here.

Addendum for iOS users: You don’t need to worry about this, because Java and Flash aren’t (and cannot be) installed on iOS devices like the iPhone, iPad, or iPod touch.

  1. Despite their similar names, they are two different and unrelated things. JavaScript is fine; it’s Java about which you should worry.

    JavaScript is found on a huge number of websites (including this one). It’s generally considered safe, and I don’t recommend turning it off. In contrast, Java is sparsely used.. []

2 thoughts on “Keeping your Mac secure: Java, Flash and Acrobat

    • It was disabled using the Xprotect feature added in Mac OS X 10.6 Snow Leopard. Every day your Mac checks Apple’s servers for an updated Xprotect.plist file. If Apple reports a newer version than the one already installed, the Mac downloads the new version of that file.

      Xprotect.plist is stored here:
      /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

      As I write this, the most recent version shows a modification timestamp of January 12, 2013 10:33 AM.

      Addendum (February 10): Apple only blocks plugins for the Safari browser. It does not affect plugins in other browsers like Firefox or Chrome.

Comments are welcome. (Please be civil!)