Friday, February 22, 2013

Java on the Mac is malware - and how to turn ALL of Java on or off as needed.

US-CERT recommend disabling Java in all web browser on all platforms

... This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment...

They don't mention removing Oracle Java [3] entirely, and they don't specifically address the Mac. By nature, they must be sober and governmental.

I am not so constrained. I can just say ...

DO NOT PUT ORACLE JAVA ON YOUR MAC ANYWHERE, ANYTIME. IT IS MALWARE.

Let me name the ways:

  1. It always installs for all users. You can't install for a single user.
  2. It installs with root privileges in System/Library, not /Library as it should.
  3. There's no uninstaller for Oracle Java and Oracle's online instructions for manually uninstalling Java 7 only uninstall the browser plugin. Full Oracle Java uninstall requires sudo/root privileges.
  4. The Preference Panel is merely a pointer to Oracle's ugly control panel, and that control panel disregards OS X Admin/User/Managed User controls. Any user can enable Java plug-in. You can't turn off all Java, just the plug-in.
  5. You can disable the Java plug-in in Safari or Chrome, and in Chrome you can use Fretty's brilliant Click to Run Extensions in Chrome tip, but you have to do this for every user on a Mac, and they can all turn it back on regardless of privileges.

Even if we didn't know about Java's global record of frequent security failures, the implementation of Java on Mac reeks of hacks, bad design, and high risk.

This thing is bad, and most recommendations for managing the risks on a Mac are inadequate. There's really no way to make this thing safe even if:

I have to put Java on my MacBook Air for work reasons, but based on what I've learned I'm hunting it down to remove it from every machine at my home. Java-dependent Mac apps are unacceptable (Sorry Crashplan, Fugu, XMind and more).
 
Meanwhile, on my Air, I'm going to see if I can sudo into /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java and rename the Java Folder to Java_DIE to prevent it from running except when I absolutely need it. [1] [2] See Update below.

See also:

[1] su [admin_user_name], sudo mv Java java_die does the rename, but I think I need a permission fix.

[2] via GigaOM: Mac Apps that need java: Minecraft, Runescape, CrashPlan, Illustrator, OpenOffice, NeoOffice, FreeMind, Xmind, Gantt, Vuze, Screenr, Cisco and Juniper VPN Clients.

[3] - added 2/24/2013: I added the word Oracle here, because there's a big difference between Oracle/Sun's Java on the Mac, the Java JRE on the Mac, and the Java language. From a security perspective the language is no worse than most alternatives and better than many. The JRE is problematic because it bypasses the App Store/SignedCode framework that is our current best hope for the future of personal computing, but that's similar to distribution of any software outside of the App Store. The real crime is the installation of the JRE into System with root privileges.

Update 2/23/2013 (rewritten):

I asked on app.net about a way to turn ALL of Java on the Mac on or off as needed. alextrott replied and recommended these terminal commends to enable and disable (Since sudo -u doesn't seem to work on Mountain Lion, if you run from a non-admin account you have to enter "su YourAdminAccountName" first.):

disable

  • sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 000 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

enable:

  • sudo chmod 755 System/Library/Java/JavaVirtualMachines/  
  • sudo chmod 755 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

Alex tells me he's working on a small Mac app to toggle Java on or off as needed.

When I tried this on my Mac chmod 000 did disable Java. XMind wouldn't run. However my attempt to reenable failed; probably due to user error.

Which was when I realized I could easily do this in the Finder:

Screen Shot 2013 02 23 at 10 55 26 PM

I can set JavaVirtualMachines to allow No Access or Read & Write. With No Access XMind won't run, with Access it will. I put a shortcut to the Java folder on my desktop for easy access to this JVM Folder.

Update 8/29/2013: With Mountain Lion as of 8/2013, if type 'java' at the command line OS X will download Apple's version of Java 6 and will remove the old preference panel. (It's not supposed to install a browser plugin). If you go to Oracle's site and install Java 7 you get their preference panel.

Oracle's Java 7 can be uninstalled -- albeit with difficulty. (Plugin is easy to uninstall, Java 7 is not easy.)

Apple's Java 6 cannot be uninstalled. It has permissions like this:

- system: read & write

- wheel: read only

- everyone: read only.

Curiously when I unwittingly installed Apple's Java 6 there was no option from a non-admin account to set Privileges to 'No access'. From an admin account I could set to "no access" or "write only" but command line java still ran. So clearly there's much of this I don't understand.

2 comments:

Martin said...
This comment has been removed by the author.
Yash J said...
This comment has been removed by a blog administrator.