Is Java Unsafe & Should You Disable It?

Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is sitting on their hands and only patching a serious Java vulnerability four months after it’s initially reported, news about the Java plug-in is rarely good.

We’ve touched on why browser plug-ins in general are one of the biggest security problems on the web today. The reality is that you probably don’t need Java installed, and if you don’t need it, you should disable it to keep yourself safe. If you do need the Java plug-in for something (this is fairly rare), you should keep it up-to-date and consider running it in a separate browser so malicious websites can’t abuse Java.

The Case Against Java

One of the most famous cases of Java being used to exploit computers was the Flashback Trojan on Macs. Over 600,000 famously secure Macs succumbed to infection because of Java. Java runs on all platforms, so compromising Java allows you to compromise Windows, Mac, Linux, and all different browsers.

On August 30, 2012, Oracle released a patch for a serious Java security flaw. Days earlier, malicious websites were already using this flaw to infect people’s computers. However, it gets worse – this security bug was reported to Oracle four months earlier (Source). It took four months for Oracle to fix a critical Java problem, and they only did it after it was being exploited in the wild. Worse yet, Java’s default update setting is to check for updates once a month, so it’s possible that many users weren’t upgraded until weeks later – in fact, it’s likely that many people are still using a vulnerable version of Java.

Enough is enough — Java has been subject to a constant series of such vulnerabilities. The average person doesn’t actually use Java, although it’s still available for websites to use in their browser – so disabling Java will increase the average person’s security while not actually taking away anything the average person depends on.

If you don’t know whether you need Java, you probably don’t need it. However, if you aren’t the average person and do need Java, there are some steps you can take to minimize your risk.

How To Disable Java

If you don’t use Java for anything, you can uninstall it from your Control Panel. This will uninstall the Java browser plug-in as well as the Java runtime, which allows desktop applications written in Java to run on your computer.

If you don’t know whether you need the Java runtime for any desktop applications you use, you can always uninstall it and reinstall it later if an application tells you you need it.


However, if you do need the Java runtime, you can disable the Java plug-in in your browser – Java will still be available for desktop applications to use, but websites won’t be able to access it.

To disable Java in Google Chrome, type chrome://plugins into your address bar, press Enter, and then click the Disable link under the Java plug-in.


To disable Java in Mozilla Firefox, open the Add-ons window from the Firefox menu, select the Plugins category, and click the disable button next to each installed Java plug-in.


To disable Java in Safari, uncheck the Enable Java checkbox on the Security tab in Safari’s Preferences window.


To disable Java in Opera, type opera:plugins into your address bar, press Enter, and then click the Disable link next to each installed Java plug-in.


Disabling Java in Internet Explorer is extremely complicated. As US-CERT notes:

Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.

Many of their methods for disabling Java only disable specific versions, so Java will be re-enabled when it updates to a new version. Even deleting Java’s plug-in files won’t help – they’ll be recreated when Java updates. The most effective way to disable Java in Internet Explorer is by uninstalling it completely. If you do need Java installed on your computer, you probably shouldn’t use Internet Explorer.

Using Java Safely

If you do need Java, there are some steps you can take to reduce the security problems you’re exposed to.

First, update Java often! Oracle’s updates only help if you install them. As we mentioned, Java checks for updates once a month by default – this is not good; there’s a reason modern browsers and operating systems check for updates once a day.

You can increase the update-check frequency from the Java control panel. (Open the Windows Control Panel, click Programs, and select Java to open it.) Click the Advanced button on the Update tab and tell Java to check for updates daily. When a Java icon pops up in your system tray with an available update, install it as soon as possible.


Second, consider using a separate browser when you need Java. For example, you can use Chrome or Firefox with Java disabled for most of your web-browsing, your online banking, and everything else. When you need to use a website that requires Java, you can open Internet Explorer (or another browser with Java enabled) and use only the website that requires Java. This helps keep you secure – the majority of websites you visit won’t be able to use Java.

Do you still have the Java plug-in installed? Do you still use websites that depend on it? Or do you think we’ve gone overboard by recommending people disable it? Leave a comment and share your opinion!


30 Comments -

0 votes

Dimal Chandrasiri

whoa… good thing I read this article! O.o

0 votes

GrrGrrr

by default Mozilla is disabling Java.

0 votes

Chris Hoffman

Ah, are they? Just like Chrome did too. Browser vendors have to step up because Oracle isn’t.

0 votes

Scutterman

Mozilla has a blacklist of plugin versions that it knows to be dangerous. Usually these are patched and updated quickly, but people don’t seem to like updating Java. I know several people who will ignore the updater for months on end, despite trying to persuade them to update.

0 votes

Scutterman

I currently don’t have the plugin disabled, but I only visit a handful of sites I know to be safe. If, by some chance, one of those got compromised then I’ll rely on my AV to block the threat.

I still need Java installed because I play Minecraft, which runs on Java. There was talk about possibly moving it across to C++ but that would be a lot of work, especially since it would kill the modding community.

0 votes

Chris Hoffman

Minecraft seems to be one of the big reasons for having Java installed, but people can disable the browser plugin and still run Minecraft on the desktop, at least.

0 votes

r1ckr011

HOW?!!! I can’t figure out that damn part and no one is specifying how that works!! I disabled the browser plugins and now apparently java won’t run at all!

0 votes

Scott

Well, in my case there are two users who both use FF under two profiles. The other user likes playing the Pogo games a lot, which requires Java. So, I guess my only option is to disable it in my own profile’s settings.

??

0 votes

Chris Hoffman

Yes, you can certainly do that. Plugin settings are profile-specific, I think.

0 votes

Stewart

Question: I frequently use one website that does not work with later versions of Java (it’s a government site that I use for my business), so I have not updated to the latest version. Is there a way to run the latest Java, but quickly switch to an earlier version when you need to?

0 votes

Chris Hoffman

Yeah, that’s another huge problem with Java — “sorry, you need an old, vulnerable version for this software.”

It looks like this may be possible somehow ( https://blogs.oracle.com/stevenChan/entry/running_multiple_java_plugins talks about it, but is very old), but I have no idea how. Oracle should make this easier.

0 votes

Henrique Dias

Use one browser with Java only for this website and another for everything else…

0 votes

macwitty

Thanks for easy-to-follow instructions

0 votes

Dave Parrack

I disabled Java in Firefox a couple of months ago and haven’t even noticed. Which says a lot.

0 votes

Chris Hoffman

Exactly. Most people won’t notice. I try to keep it disabled or uninstalled most of the time.

0 votes

Alan Wade

Java is just something that I accepted was there but thought no more about it – until I read many articles up and down the web that recommended disabling it.
As I didn’t know enough about it to form my own opinion I disabled it as per many written instructions. As far as I can tell I haven’t noticed anything awry or had any adverse comebacks over it so until I am told otherwise it will still stay disabled.
Knowledge is a wonderful thing, I just need to manage my time better so that I can read more. :)

0 votes

Chris Hoffman

Yup, if you don’t use it for anything, keeping it installed only increases your attack surface.

All it’s doing for most people is opening up security holes.

0 votes

Mitesh Budhabhatti

This was an essential info. Thanks. I strongly feel that the Great Java screwed up by Oracle.

0 votes

susendeep dutta

It’s fault of Oracle that it’s not taking Java so seriously. After acquisition of Sun Microsystems, it allowed to die OpenOffice and then Java is facing such situation. If this continues, then I think that Java will fade out and will never be of any value.

0 votes

Chris Hoffman

Java is still used a lot for backend stuff, but the browser plug-in needs to go away.

0 votes

Elena

I use Firefox with the NoScript extension. Since so many websites require java, disabling/enabling would be frustrating and boring. This way, I can disable it as default and turn it on on a single site basis, and if I have multiple tabs open I can disable it for a webpage and enable it for another.
Highly recommended.

0 votes

Chris Hoffman

You may be confusing Java with JavaScript. JavaScript is a modern technology used everywhere, while Java isn’t used as much these days (Okay, it’s used server-side, but Java applets are extremely rare.)

0 votes

Arron Walker

I only really use it for Minecraft, which is far too fun to stop using. I’ve not used it on a website though for… well, a very long time.

0 votes

Chris Hoffman

Sure, definitely don’t toss it if you use it! Still, the browser plug-in is unnecessary for most people.

0 votes

Gutha Gowtham

Java is safe unless you’ve got an unreliable application coded in it. Run the Java plugin only from the sites you trust, so all that is needed is not to allow Java plugin to enable for each and every site that you visit as it may harm your computer if the site that you’ve visited is using the plugin to make same harm to your computer. For example, Chrome provides the facility which asks for the plugin to run, do this only for the sites you trust and not for every ones. It’s good if you make use of it in a good way.

http://java-demos.blogspot.com — For Rock Solid Java Examples, Written Logics

0 votes

Naida West

I rec’d the message about safety issues on Java. I think Java is on my hard drive iMac OS X (which can “come under threat”), but when I tried to follow the directions to “temporarily disable Java software” in order to reload the saver version, I couldn’t find Java in my apps or utilities, though I found a Java “preference” containing a few lines about data. I couldn’t find the Java Control Panel. Does this mean I don’t have Java installed? I use Safari and Chrome browsers only. Naida

0 votes

LZ

Hi Chris,

Great article, thanks.
Do you happen to know if there’s a way to find out which desktop applications use Java (if at all) – before uninstalling it from a server causes SomethingOldAndSilly(TM) to stop working? A small company can’t really afford ‘trial & error’ discovery…

Cheers
LZ

0 votes

Chris Hoffman

That’s actually a really interesting question. I’m not sure about how to answer this — although you’ll probably see the javaw.exe (or something similar) process running if a currently-running app is using Java. Either way, you should be able to disable the browser plug-in, which is the big security hole.

You might try asking on MakeUseOf Answers to see if someone else knows a clever trick I haven’t thought of: http://www.makeuseof.com/answers/
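
One way to act on the suggestion above of watching for javaw.exe before uninstalling, as an added example that is not part of the original article or comments: a PowerShell script that samples running Java processes over a working day and records which command line and parent program started each one. The log path, the 8-hour window and the 60-second interval are assumptions to adjust.

```powershell
# Added example: find out which programs actually launch Java on a machine
# before uninstalling the runtime. Run from an elevated prompt; without
# elevation, CommandLine is empty for processes owned by other users.

$logPath  = "$env:TEMP\java-usage.csv"   # assumed output location
$deadline = (Get-Date).AddHours(8)       # assumed observation window
$interval = 60                           # assumed seconds between samples

function Get-JavaProcessSnapshot {
    # java.exe and javaw.exe are the standard launcher names on Windows
    $filter = "Name = 'java.exe' OR Name = 'javaw.exe'"
    Get-CimInstance Win32_Process -Filter $filter | ForEach-Object {
        $parentId = $_.ParentProcessId
        # The parent may already have exited; in that case the lookup returns nothing
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $parentId"
        [pscustomobject]@{
            Seen        = (Get-Date).ToString('s')
            ProcessId   = $_.ProcessId
            Executable  = $_.ExecutablePath
            CommandLine = $_.CommandLine
            ParentName  = if ($parent) { $parent.Name } else { '(exited)' }
        }
    }
}

# Record each distinct parent/command-line pair once, so the CSV ends up as
# a list of the applications that depend on the Java runtime.
$seen = @{}
while ((Get-Date) -lt $deadline) {
    foreach ($p in Get-JavaProcessSnapshot) {
        $key = "$($p.ParentName)|$($p.CommandLine)"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $p | Export-Csv -Path $logPath -Append -NoTypeInformation
        }
    }
    # Sampling can miss a Java process that starts and exits between polls
    Start-Sleep -Seconds $interval
}

Import-Csv $logPath | Format-Table Seen, ParentName, CommandLine -AutoSize
```

An empty CSV after a representative period suggests nothing on the machine started Java while the script was watching, though jobs that run weekly or monthly fall outside a one-day window.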

0 votes

robert

I think you are way off base. I noticed you have Flash installed…. compare the number of security holes, patches, breaches that have occurred with Flash to Java over the years. No comparison. Flash is way insecure, but you still run it…

Heck, just ads from the wrong site can corrupt your machine with Flash.

Actually, any plugin that does anything of substance can corrupt your machine. And hackers can exploit low-level bugs in various graphics libs as well. The opportunities are endless…

Only by proper use of user accounts, and file permissions, (on a secure OS) can you really control security.

You need to be more informed.