
AlBlue’s Blog

Macs, Modularity and More

Remove old versions of Java from Mac OS X

Java 2009 Security Mac

I recently discovered that Mac OS X ships with a plethora of old versions of Java installed by default. /System/Library/Frameworks/JavaVM.framework/Versions lists many ancient versions of Java, including ones with known security holes. Given that both 1.3 and 1.4 are already End-of-Life (and that everything will run on 1.5 or above), there doesn't seem to be a particularly compelling reason to keep them around.

In order to remove stale versions of the Java framework from your machine, execute:

sudo rm -rf /System/Library/Frameworks/JavaVM.framework/Versions/1.{3,4}*
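Here is an added example, not from the original post, of a small POSIX shell script that does the same job more cautiously: it lists what sits under a Versions directory, reports the 1.3 and 1.4 entries as stale, and only deletes when explicitly told to. The scratch directory it builds is an assumption standing in for /System/Library/Frameworks/JavaVM.framework/Versions, so you can try it safely before pointing it at the real path.

```shell
#!/bin/sh
# Added example (not from the original post): find Java versions older than
# 1.5 (i.e. the End-of-Life 1.3.x and 1.4.x trees) under a JavaVM.framework
# style Versions directory. Default is a dry run; nothing is removed unless
# the caller passes "yes" to prune_java_versions.

# Print the names of entries in $1 whose version is below 1.5.
stale_java_versions() {
    dir="$1"
    for path in "$dir"/1.*; do
        # Skip a literal, unmatched glob; keep symlinks such as "1.3" -> "1.3.1".
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=$(basename "$path")
        # Second dotted component, digits only: "1.3.1" -> 3, "1.6_x" -> 6.
        minor=$(printf '%s' "$name" | cut -d. -f2 | sed 's/[^0-9].*//')
        case "$minor" in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$minor" -lt 5 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Remove the stale versions from $1 when $2 is "yes"; otherwise just report.
prune_java_versions() {
    dir="$1"; confirm="$2"
    stale_java_versions "$dir" | while read -r name; do
        if [ "$confirm" = "yes" ]; then
            rm -rf "$dir/$name"
            printf 'removed %s\n' "$name"
        else
            printf 'would remove %s\n' "$name"
        fi
    done
}

# Constructed sample layout (assumption): a scratch directory mimicking the
# entries seen in a JavaVM.framework Versions folder, so this runs anywhere.
make_sample_versions() {
    sample=$(mktemp -d)
    for v in 1.3.1 1.4.2 1.5.0 1.6.0 A CurrentJDK; do
        mkdir "$sample/$v"
    done
    ln -s 1.3.1 "$sample/1.3"   # the real tree uses symlinks like this
    printf '%s\n' "$sample"
}

# Dry run against the sample tree; pass "yes" to really delete.
d=$(make_sample_versions)
prune_java_versions "$d" no
rm -rf "$d"
```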

For example, the earlier buffer overflow in Java's GIF processing (CR 6805998) affected not only current versions of Java but past versions as well. And since 1.3 and 1.4 are no longer actively used, having them around invites an attack on Mac systems through (say) Applet tags that specifically request a 1.3 VM, or Java-based applications that request a 1.3 VM.

As usual, caveat emptor: once you start mucking around with stuff in /System, you're on your own. Having said that, given that Apple publicly ignored the do-anything-as-root Apple Remote Desktop vulnerability, it's not clear how long it will be before older versions of Java get patched. In the meantime, there's no harm in protecting yourself against the possibility of a remote attack via stale versions of Java by removing them from your system.

Update: The Register has details of the security blunder