Removing that vulnerable Java browser plugin (and Flash) on OSX

Do you still have Java on your OSX desktop? Look for it in System Preferences. If you do, you should have received regular reminders to update the software, which I hope you have followed. This is because flaws in Java are regularly targeted and these updates are critical for the security of your Mac.

In 2013 in particular, the Java browser plug-in (and not JavaScript) was loudly condemned for its insecurities. Most IT magazines recommended removing Java altogether.

By OSX 10.11 El Capitan, a clean install would have removed both the Java Runtime Environment (JRE) and the Java Software Development Kit (JDK).

Users who still need to use an app or webpage requiring Java may be prompted to install the software. Apple suggests downloading the current version of Java for OS X directly from Oracle, or the legacy (unsupported and out of date) Java SE 6 from Apple (see also the instructions at OSX Daily). But Oracle, which ships the Java installer for OSX, can be infuriating: it ships adware with the installer.

Java was installed on my MacBook Pro, for a reason I now forget, and when I was prompted yet again to upgrade, the installer tried to slip in Yahoo search as a default on my browser. Irritated, I checked the links above and deleted the files or directories in the following areas:

  1. /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
  2. /Library/Java/JavaVirtualMachines/
  3. /Library/PreferencePanes/JavaControlPanel.prefPane

I do use CrashPlan 4, which requires Java, but the JRE is packaged with the app and is not affected by the deletions – a restart confirmed this.

Is Java insecure? No, it is the web browser plug-in which is vulnerable, and this is made worse by poor housekeeping. A peek in /Library/Internet Plug-Ins/ of my intern revealed both an out-of-date Java plugin and Flash residing there. She had that sorted out promptly, and you should too.
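
To make the same check repeatable, here is a read-only audit script, added as an example and not part of the original post. It reports which of the three Java locations listed above still exist and inventories everything in /Library/Internet Plug-Ins/. The function names and the optional root argument (for pointing the audit at another mounted volume or a test tree) are assumptions made for this example; it deletes nothing.

```shell
#!/bin/sh
# Added example: read-only audit of the locations named in this post.
# The optional first argument is a hypothetical root prefix; empty = live system.

# Print each Java leftover that still exists, one path per line.
java_leftovers() {
    root="${1:-}"
    for p in \
        "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" \
        "/Library/Java/JavaVirtualMachines" \
        "/Library/PreferencePanes/JavaControlPanel.prefPane"
    do
        if [ "$p" = "/Library/Java/JavaVirtualMachines" ]; then
            # The directory may exist but be empty, so report each JVM bundle in it.
            for jvm in "$root$p"/*; do
                if [ -e "$jvm" ]; then printf '%s\n' "${jvm#"$root"}"; fi
            done
        elif [ -e "$root$p" ]; then
            printf '%s\n' "$p"
        fi
    done
    return 0
}

# Print "name<TAB>version" for every bundle in /Library/Internet Plug-Ins/.
# The version is read with PlistBuddy where available, otherwise "unknown".
plugin_inventory() {
    root="${1:-}"
    for b in "$root/Library/Internet Plug-Ins"/*; do
        if [ -e "$b" ]; then
            ver="unknown"
            plist="$b/Contents/Info.plist"
            if [ -f "$plist" ] && [ -x /usr/libexec/PlistBuddy ]; then
                ver=$(/usr/libexec/PlistBuddy \
                    -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null) \
                    || ver="unknown"
            fi
            printf '%s\t%s\n' "${b##*/}" "$ver"
        fi
    done
    return 0
}

# Report for the running system.
echo "Java leftovers:";   java_leftovers
echo "Browser plug-ins:"; plugin_inventory
```

Anything printed under "Java leftovers" is a candidate for the deletions described above; compare the plug-in versions against the vendor's current release before deciding what to keep.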