Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is sitting on their hands and only patching a serious Java vulnerability four months after it’s initially reported, news about the Java plug-in is rarely good.
We’ve touched on why browser plug-ins in general are one of the biggest security problems on the web today. The reality is that you probably don’t need Java installed, and if you don’t need it, you should disable it to keep yourself safe. If you do need the Java plug-in for something (this is fairly rare), you should keep it up-to-date and consider running it in a separate browser so malicious websites can’t abuse Java.
The Case Against Java
One of the most famous cases of Java being used to exploit computers was the Flashback Trojan on Macs. Over 600,000 famously secure Macs succumbed to infection because of Java. Java runs on all platforms, so compromising Java allows you to compromise Windows, Mac, Linux, and all different browsers.
On August 30, 2012, Oracle released a patch for a serious Java security flaw. Days earlier, malicious websites were already using this flaw to infect people’s computers. However, it gets worse – this security bug was reported to Oracle four months earlier (Source). It took four months for Oracle to fix a critical Java problem, and they only did it after it was being exploited in the wild. Worse yet, Java’s default update setting is to check for updates once a month, so it’s possible that many users weren’t upgraded until weeks later – in fact, it’s likely that many people are still using a vulnerable version of Java.
Enough is enough — Java has been subject to a constant series of such vulnerabilities. The average person doesn’t actually use Java, although it’s still available for websites to use in their browser – so disabling Java will increase the average person’s security while not actually taking away anything the average person depends on.
If you don’t know whether you need Java, you probably don’t need it. However, if you aren’t the average person and do need Java, there are some steps you can take to minimize your risk.
How To Disable Java
If you don’t use Java for anything, you can uninstall it from your Control Panel. This will uninstall the Java browser plug-in as well as the Java runtime, which allows desktop applications written in Java to run on your computer.
If you don’t know whether you need the Java runtime for any desktop applications you use, you can always uninstall it and reinstall it later if an application tells you you need it.
However, if you do need the Java runtime, you can disable the Java plug-in in your browser – Java will still be available for desktop applications to use, but websites won’t be able to access it.
To disable Java in Google Chrome, type chrome://plugins into your address bar, press Enter, and then click the Disable link under the Java plug-in.
To disable Java in Mozilla Firefox, open the Add-ons window from the Firefox menu, select the Plugins category, and click the disable button next to each installed Java plug-in.
To disable Java in Safari, uncheck the Enable Java checkbox on the Security tab in Safari’s Preferences window.
To disable Java in Opera, type opera:plugins into your address bar, press Enter, and then click the Disable link next to each installed Java plug-in.
Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.
Many of their methods for disabling Java only disable specific versions, so Java will be re-enabled when it updates to a new version. Even deleting Java’s plug-in files won’t help – they’ll be recreated when Java updates. The most effective way to disable Java in Internet Explorer is by uninstalling it completely. If you do need Java installed on your computer, you probably shouldn’t use Internet Explorer.
Using Java Safely
If you do need Java, there are some steps you can take to reduce the security problems you’re exposed to.
First, update Java often! Oracle’s updates only help if you install them. As we mentioned, Java checks for updates once a month by default – this is not good; there’s a reason modern browsers and operating systems check for updates once a day.
You can increase the update-check frequency from the Java control panel. (Open the Windows Control Panel, click Programs, and select Java to open it.) Click the Advanced button on the Update tab and tell Java to check for updates daily. When a Java icon pops up in your system tray with an available update, install it as soon as possible.
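Checking the update frequency setting only helps if you also know which build is actually installed. The following Python helper, an added example that is not from the original article or from Oracle, parses the version line that `java -version` prints and flags any build older than a minimum you consider patched. The sample output and the minimum version `1.7.0_07` are constructed placeholders for illustration; take the real minimum from the vendor's security advisory for the flaw you care about. It goes a little beyond the article by also understanding the newer `9.0.4`-style version scheme, so the same check works on current runtimes.

```python
import re
from typing import Optional, Tuple

# Constructed sample of `java -version` output (written here as an example,
# not captured from a real machine).
SAMPLE_OUTPUT = '''java version "1.7.0_05"
Java(TM) SE Runtime Environment (build 1.7.0_05-b06)
Java HotSpot(TM) 64-Bit Server VM (build 23.1-b03, mixed mode)
'''

# Assumed minimum: the first build this check treats as patched. This is a
# placeholder; take the real number from the vendor's security advisory.
MINIMUM_PATCHED = "1.7.0_07"

# Old scheme: "1.7.0_07" -> major 7, minor 0, update 7 (optional build suffix ignored).
_OLD_SCHEME = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?')
# New scheme: "9.0.4" or "17.0.2" -> (major, minor, update).
_NEW_SCHEME = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_version(text: str) -> Tuple[int, int, int]:
    """Normalise a Java version string to a comparable (major, minor, update) tuple."""
    m = _OLD_SCHEME.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _NEW_SCHEME.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {text!r}")


def version_from_output(output: str) -> Optional[str]:
    """Extract the quoted version from `java -version` output, or None if absent."""
    m = re.search(r'version "([^"]+)"', output)
    return m.group(1) if m else None


def needs_update(installed: str, minimum: str = MINIMUM_PATCHED) -> bool:
    """True when the installed build is older than the minimum patched build."""
    return parse_version(installed) < parse_version(minimum)


def check_output(output: str, minimum: str = MINIMUM_PATCHED) -> str:
    """Human-readable verdict for a captured `java -version` output."""
    installed = version_from_output(output)
    if installed is None:
        return "no Java version found in output"
    verdict = "UPDATE REQUIRED" if needs_update(installed, minimum) else "ok"
    return f"installed {installed}, minimum {minimum}: {verdict}"


if __name__ == "__main__":
    # On a real machine you would feed in subprocess.run(["java", "-version"],
    # capture_output=True, text=True).stderr instead of the constructed sample.
    print(check_output(SAMPLE_OUTPUT))
```

Note that `java -version` writes its banner to standard error, not standard output, so a real inventory script must capture stderr before passing it to `check_output`.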
Second, consider using a separate browser when you need Java. For example, you can use Chrome or Firefox with Java disabled for most of your web-browsing, your online banking, and everything else. When you need to use a website that requires Java, you can open Internet Explorer (or another browser with Java enabled) and use only the website that requires Java. This helps keep you secure – the majority of websites you visit won’t be able to use Java.
Do you still have the Java plug-in installed? Do you still use websites that depend on it? Or do you think we’ve gone overboard by recommending people disable it? Leave a comment and share your opinion!