There's some concern over the use of Java in OS X following a recent finding that Flashback malware variants are now taking advantage of currently unpatched vulnerabilities in the Java runtime.
Even though this malware development should not affect the majority of Mac users running OS X 10.7 or later since Apple no longer includes Java with the OS, some people may nonetheless be wondering what the Java runtime is, and how they can go about checking for and removing it from their systems to ensure they are safe.
What is Java?
Some other programming languages that use runtimes are Unix shell scripts, whose runtime is the shell itself (bash, sh, csh, etc.); Objective-C, which is the core programming language of OS X and whose runtime is a core library in OS X; and Java, whose runtime can be installed in an operating system and then activated when Java code needs to be executed.
Java's runtime has been a popular programming environment because its programming language is object-oriented, meaning it is well-suited for creating applications that have objectlike components to them, such as the buttons, scroll bars, and other features of a user interface. In addition, Java is built to be cross-platform, so programmers should only need to build one version of their Java code and then be able to deploy it to any operating system that has the Java runtime installed. In this sense the cross-platform effort is isolated to the runtime, instead of being a burden to the developer.
These features have seen Java used in numerous programs, including Adobe's Creative Suite and other professional and scientific applications like Matlab. Even if Java is not used in the entire program, by using it in common components a developer can make porting the application to different platforms much easier.
Problems with runtimes
While runtimes such as Java offer support of new programming languages and thereby allow increased functionality to your system, they do open up more possibilities for security breaches. Code running in them will need to be isolated with sandboxing routines and other security measures to prevent unauthorized access to private or critical resources, but these measures will have to be implemented within each runtime and then tested to ensure that they cannot be breached. If a security hole is discovered, then the runtime will need to be updated to correct the problem.
With regard to Java, the runtime for Windows has been given more attention than that for OS X, so when security holes are discovered, it takes longer for the OS X version to be patched and therefore provides a better window of opportunity for malware developers to tackle it. With its latest variant, the Flashback malware has taken advantage of this window and is now targeting the unpatched Java runtime for the Mac OS.
In this case the vulnerability allows the malware to break the Java sandbox rules and write code to the disk, followed by executing it.
Checking for Java
Luckily unless a specific program needs Java, then the Java runtime is not required for OS X. None of the operating system's features need Java to run, and it's components are only present in the OS to support the runtime if you choose to install it for your needs.
Starting with OS X 10.7 Apple stopped including a Java runtime in OS X, but still provides a quick link to install it if you run a program that requires Java. When such a program is launched, you will first be prompted to install the Java runtime but if you choose not to, then the program will quit. As a result, if you have not purposefully taken steps to install Java on a new system, then it will not have a Java runtime and therefore will not be vulnerable to these latest malware attacks; however, if you are unsure whether you have Java installed, there are a couple of ways to check.
- Open a Java application
A simple way to see if you have Java installed is to open an application that requires it, and one of these that is included with OS X is the Java Preferences utility. Go to the /Applications/Utilities/ folder in OS X and launch the Java Preferences program, and if it opens and shows various configuration options, then you have Java installed; however, it if shows a message stating you need Java and provides you with an option to install it, then you do not have Java installed.
- Use the Terminal
The OS X Terminal (in the /Applications/Utilities/ folder) provided access to a number of commands that can be used for looking up system information, and by running the following one in the Terminal you should be able to see in the output what Java runtimes (if any) are installed on your computer:
If you do have Java installed on your system and would like to disable it, you can easily do so in the Java Preferences utility. When you open the utility you will be presented with a list of the Java runtimes installed on your system, and a check box next to each. By unchecking the runtimes you will prevent them from being used, and unchecking all will disable Java entirely.
Once disabled, if you have a program on your computer that requires Java, then the program will simply not run until you enable it again. Therefore, while disabling Java does require an extra step when you want to run Java applications, it does put the control in your hands over what Java programs are allowed to run.
Unfortunately there is no direct or easy way to uninstall Java, so once installed the only way to remove it and all of its components completely is to reinstall OS X; however, you can remove the Java virtual machine (the runtime) from your system and thereby perform a similar routine as an uninstall. To do this, go to the /System/Library/Frameworks/ directory and remove the file "JavaVM.framework," which contains the Java runtimes. Additionally, empty the contents of the following directories on the system which link to the runtimes in the framework: