The Top 6 Things To Consider When You Install Java Software

Oracle’s Java runtime software is required to run Java applets on websites and desktop software written in the Java programming language. When you install Java, there are a few things you should consider, especially regarding security. Java is used by an ever-decreasing number of websites and is a frequent target of attacks.

Most people could remove Java and not notice a difference. If you do use Java, you should be aware of the security problems and take proper precautions. You’ll also need to know whether you need the Java Runtime Environment (JRE) or the Java Development Kit (JDK).

You May Not Need To Install Java

Do you use a specific website or program that requires Java? If not, you don’t actually need it installed. Java just allows you to run software written in Java, and you may be surprised by how few websites and programs actually require Java.

If you’re not sure whether you need Java, try going without it for a while. You may not notice the difference. As we’ll detail later, there are good reasons not to have Java installed — if you can help it. Even LibreOffice (formerly OpenOffice.org) doesn’t require Java for most of its functionality.

JRE vs. JDK

The main Java download website offers the Java Runtime Environment, also known as the JRE. This is the one you probably need. It includes the basic software that lets you run Java applets and desktop applications on your computer.

There’s also the Java Development Kit, also known as the JDK. This is what you need if you want to develop Java applications. Some development-related software, including the Android SDK, also requires the JDK on your system. If you need the JDK, you’ll have to download it from Oracle’s website. The JDK also includes the JRE, so you only have to install one of them.


Security Problems

The elephant in the room when it comes to installing Java is security. Browser plugins – particularly Oracle’s Java and Adobe’s Flash and PDF reader – are major targets. Java is a prime target because it’s installed on so many computers and exploits will work across multiple browsers and operating systems. Keeping Java updated doesn’t fully alleviate this problem – just having Java installed increases your browser’s attack surface.

Update Java Often

If you need Java installed, you’ll want to update it often. By default, Java checks for updates once every month – not a very reassuring default setting for a program that’s so frequently exploited. You can fix this, though.

To do so, open the Control Panel from the Start menu, click the Programs category, and click the Java icon.


Use the Advanced button on the Update tab to select a better update frequency, such as “Daily.”


If you see the coffee-cup-shaped Java Update icon and its notification in your system tray, be sure to perform the update as soon as possible.

Some Software Requires Older Versions

Depending on the software you use, you may not be able to run the latest, secure versions of Java. Some websites and applications require a specific version of Java and force you to use an outdated, vulnerable one. This is why it’s possible to have multiple versions of Java installed on the same system, although Oracle recommends against this.

Oracle maintains an archive where you can download older versions if you need to, while noting that they’re full of security holes and vulnerable to attack.

If you must run an older version of Java, make sure you have an antivirus installed, ask the application vendor or website for an update, and remove the old version of Java as soon as possible.
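To see which Java versions are actually present before deciding what to remove, the following read-only PowerShell inventory can help. It is an added example, not part of the original article, and it assumes the Oracle installer records each JRE under the `JavaSoft\Java Runtime Environment` registry key, with 32-bit installs on 64-bit Windows under `WOW6432Node`; the function name is hypothetical.

```powershell
# Read-only inventory of Oracle JRE installs recorded in the registry (added example).
# Assumption: the installer registers each JRE under "Java Runtime Environment\<version>";
# WOW6432Node holds 32-bit installs on 64-bit Windows.
$roots = [ordered]@{
    'native'           = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    '32-bit on 64-bit' = 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
}

function Get-InstalledJre {
    foreach ($view in $roots.Keys) {
        $root = $roots[$view]
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            # Skip family aliases such as "1.7"; keep full versions such as "1.7.0_03"
            # (constructed sample names, not taken from the article).
            if ($key.PSChildName -notmatch '^\d+\.\d+\.\d+') { continue }
            $javaHome = $key.GetValue('JavaHome')
            [pscustomobject]@{
                Version  = $key.PSChildName
                View     = $view
                JavaHome = $javaHome
                # A stale key can outlive an uninstall, so confirm the folder exists.
                OnDisk   = [bool]($javaHome -and (Test-Path -LiteralPath $javaHome))
            }
        }
    }
}

$found = @(Get-InstalledJre | Where-Object OnDisk)
$found | Sort-Object Version | Format-Table -AutoSize

if ($found.Count -eq 0) {
    'No Oracle JRE found in the registry locations checked.'
} elseif (@($found | Select-Object -ExpandProperty Version -Unique).Count -gt 1) {
    'More than one JRE version is installed; remove the ones no application still needs.'
}
```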

Installing Java Applets Can Be Dangerous

Web browsers and plugins such as Flash isolate web content from your computer. A website with a Flash-based video player can’t break out of your browser and tamper with your computer (barring security vulnerabilities). Java does the same thing for most applets, which it runs by default – but it also allows applets to prompt you for full permissions.

If you see a security warning box and click the Run button, your computer could be at risk. Think of clicking the Run button like downloading and installing an application onto your computer – it’s basically the same thing. Only do this if you trust the publisher.


Be sure to check out our free, full guide to PC security: HackerProof.

Do you use Java, or did you not even install Java on your computer? Let us know in the comments. If you have any other questions, feel free to ask those, too.


15 Comments -

0 votes

Ron

Wow. No idea how you managed to publish such a half-baked article. It’s one thing to warn people of potential security risks, it’s another thing to make them completely paranoid regarding Java applications.

This may be fine to a very specific target audience, but I doubt this is the audience you address to. Even then, it should be more elaborated explaining that there’s nothing to fear about Java more than there is to fear about basically any other application that you run on your computer (or web browser).

This article is embarrassing. I implore people to take it under consideration and look for better resources.

0 votes

Mike

I disagree with your view. This is a great article. They’re simply pointing out the reality. And all these things are correct. Who wants to run software that’s out of date? Not me. And I’m sure you don’t either. And this is specifically about _JAVA_!!

0 votes

Ron

You basically just strengthened my argument.

0 votes

gant

yes agree

0 votes

Chris Hoffman

Do you have more specific objections? Is there anything here that isn’t actually true?

Browser plugins are the biggest security risk, let’s be honest. While many people need Flash for a variety of websites, the Java plug-in isn’t anywhere near as common. In fact, Google Chrome blocks Java from running by default and Google advises users to only run it on specific websites they trust ( source: http://support.google.com/chrome/bin/answer.py?hl=en&answer=1247383 )

Browser plug-ins like Flash and Java are much bigger security risks than other types of software on your computer. Any website can access a browser plug-in, while other software — say, a Windows game you’ve installed — isn’t accessible from every website. This dramatically increases your attack surface.

The Flashback infection on the Mac, which is all over the media right now, was caused by a Java security problem.

Many other websites are saying that “The best defense against this kind of attack is to remove the vulnerable runtime engine so that it can’t be exploited.” (source: http://www.zdnet.com/blog/bott/how-big-a-security-risk-is-java-can-you-really-quit-using-it/4749 )

Like it or not, browser plug-ins like Java are a big target, bigger than most other programs on your computer. Uninstalling any browser plug-in is a security win.

0 votes

Mike Degatano

Hey Chris just wanted to add two things. While I totally agree with you about the security risks of Java, you can actually head off all plugin problems in general in Chrome really easily. In the settings menu of Chrome under Plugins you can turn on “Click to Play”. It’s pretty fantastic since it blocks all plugins unless you click on them to start playing, really stops rogue websites cold since you would have no reason to play them unless you are on a site you trust.

In addition you can set a flag or a setting (I forget which) to warn you when a plugin that is trying to run is out of date so you can update it before you do anything. Obviously this only applies to Chrome users but since there is a fair amount of them out there it’s probably worth mentioning especially since it has very little downside (you can put exceptions for sites you use all the time so it doesn’t slow you down at all), it solves problems for all plugins, and combined with Chrome’s sandbox it makes a plugin attack extremely difficult if not impossible.

Also it appears the Update tab you mentioned is removed from the latest version of Java’s Control Panel (at least the 64-bit Windows one). I liked your idea a lot though (I actually develop in Java after all at work so even if I feel pretty secure why would I want to work in an old version of Java for up to a month) so I found a way to get it back. It involves the registry unfortunately making it a bit technical but it’s pretty painless as far as registry hacks go.

If you open up regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy there should be a string called “EnableJavaUpdate” that needs to be set to 1 for the tab to appear. If the string isn’t there at all (it wasn’t for me) just add a new string with that name and set it to 1. That made it appear for me, if it didn’t for you you might have current user settings overriding it. There is a matching spot in HKEY_CURRENT_USER, check and see if it’s set to 0 there (also if for some reason you only wanted to do this for you instead of everyone then only do it there and not LOCAL_MACHINE).

My source is here http://brianmorristech.com/?p=363, they were trying to disable the updating entirely but the trick works both ways :)

Also if there is two posts from me I’m sorry, the first one disappeared so I wasn’t sure if it posted.
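The registry setting described in the comment above can be checked without opening regedit. This read-only PowerShell sketch is an added example, not code from the article or the commenter. The `HKLM` path and the `EnableJavaUpdate` name come from the comment, while the `HKCU` and `WOW6432Node` paths are assumptions about where the "matching spot" and a 32-bit install would live; the function name is hypothetical.

```powershell
# Read-only check of the Java Update policy value (added example; changes nothing).
$policyPaths = [ordered]@{
    'HKLM'          = 'HKLM:\SOFTWARE\JavaSoft\Java Update\Policy'              # from the comment
    'HKLM (32-bit)' = 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Update\Policy'  # assumption
    'HKCU'          = 'HKCU:\SOFTWARE\JavaSoft\Java Update\Policy'              # assumption
}

function Get-JavaUpdatePolicy {
    foreach ($scope in $policyPaths.Keys) {
        $path  = $policyPaths[$scope]
        $value = $null
        $kind  = $null
        if (Test-Path $path) {
            $key = Get-Item -Path $path
            # The value may be absent, a string ("1") or a DWORD (1); report what is there.
            if ($key.GetValueNames() -contains 'EnableJavaUpdate') {
                $value = $key.GetValue('EnableJavaUpdate')
                $kind  = $key.GetValueKind('EnableJavaUpdate')
            }
        }
        [pscustomobject]@{
            Scope            = $scope
            KeyExists        = (Test-Path $path)
            EnableJavaUpdate = $value
            Kind             = $kind
        }
    }
}

$report = @(Get-JavaUpdatePolicy)
$report | Format-Table -AutoSize

# Compare as text so that "0" (string) and 0 (DWORD) are treated alike.
$disabled = @($report | Where-Object { "$($_.EnableJavaUpdate)" -eq '0' })
$enabled  = @($report | Where-Object { "$($_.EnableJavaUpdate)" -eq '1' })

if ($disabled.Count -gt 0) {
    "EnableJavaUpdate is 0 in: $($disabled.Scope -join ', '). A per-user 0 may override the machine setting."
} elseif ($enabled.Count -eq 0) {
    'EnableJavaUpdate is not set in any location checked.'
} else {
    "EnableJavaUpdate is 1 in: $($enabled.Scope -join ', ')."
}
```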

0 votes

Chris Hoffman

Thanks for the agreement, Mike. It’s nice to see someone who uses Java that doesn’t think this post was a personal attack.

And thanks for providing all that information! Very useful.

0 votes

Fernando Cassia

Wow, what a piece of crap. OpenOffice.org is now handled by the Apache Foundation, and called Apache OpenOffice.

http://incubator.apache.org/openofficeorg/

It will continue to use Java.

The claim that “few programs” use Java is ludicrous, and shows your total ignorance of the java marketplace and the depth of -often open source- Java apps.

I use several on a daily basis. But here are some: Bloom (Facebook photo uploader), Art of Illusion (3D modeling), Vuze (the Bittorrent client), jDownloader, jDiskReport, muCommander (file manager), jEdit, the Netbeans IDE, OmegaT (translation software), Earth3D, FreeMind (mind mapper-productivity tool), Frinika (music workstation), JShot (taking screenshots and uploading them to social sites), PowerFolder (cloud storage/sync), PetrusBlogger (blogging client for Blogger,Wordpress, etc), ProjectX (MPEG4 TS demuxer), UptheSync (Google Docs synchronizer/uploader written in Java), Burp Suite (security testing), jHome (home automation)

http://aoi.sourceforge.net/
http://antaki.ca/bloom/
http://www.vuze.com
http://www.jdownloader.org/
http://ho.io/jdiskreport
http://ho.io/mu-commander
http://www.jedit.org/
http://www.netbeans.org
http://omegat.sourceforge.net/webstart.html
http://venus.schunter.etc.tu-bs.de/~gunia/webstart/earth3d_dev.jnlp (earth3d.org)
http://freemind.sourceforge.net/wiki/index.php/Main_Page
http://frinika.appspot.com/
http://jshot.info/jshot/webstart/jshot.jnlp
http://download.powerfolder.com/pro/webstart/PowerFolder.jnlp
http://code.google.com/p/petrus-blogger/
http://sourceforge.net/projects/project-x/
http://upthesync.sourceforge.net/
http://portswigger.net/burp/
http://www.eletronlivre.com.br/jhome/

So much for your lie that “few software uses Java” huh? I just typed the ones I had on my system.

But let’s take a step further, let’s search for software “written in Java” in Google Code: 75,000+ results
http://goo.gl/sPnPA

and SourceForge: 128,000+ results
http://goo.gl/X9arn

Not only that, but the suggestion of “disabling Java” cripples one of Java’s hidden gems for desktop cross-platform software: Java Web Start (JWS).

I guess there are many interests promoting that people uninstall Java, starting with Microsoft, and Google, which promotes its cloud apps against which the Java paradigm, for some of us, has many advantages.

To which of these you have connections -or perhaps you’re speaking out of your ass- remains to be seen.

FC
PS: Finally, it’s no surprise that Google sabotages Java with its browser, further from a validity claim, it shows there’s a power play at stake. Chrome is the only browser that refuses to run JWS apps seamlessly, instead popping up the totally useless download manager when the jnlp file is run, worsening the end user experience.

0 votes

Chris Hoffman

As I said on Google+:

I’m getting really sick of people accusing me of having connections to companies because I publish something they disagree with. You seem to think I have some kind of malicious agenda, but in actuality we just disagree.

As far as the merits of your argument, I’m sure lots of people use java programs on the desktop. Clearly you do. However, I don’t (aside from the Android SDK, I guess). And my parents don’t. And most people I know don’t. They’d be better off with Java uninstalled, especially since I often see “average user” PCs with out-of-date Java plug-ins — sure, install it if you need it, but if you don’t use it, uninstall it. (Java running on servers and such is different.) That’s all I said. I’d say the same as far as other plug-ins — if you watch Netflix, install Silverlight. If not, get rid of it. One day we’ll hopefully be able to all uninstall Flash, too.

You obviously have a well thought out argument, so it’s really tragic that you want to spew venom and attack me personally.

0 votes

Harry

I opened the Java Control Panel and the Update tab is not there. I’m using Java 6 Update 31. Java reports this as the latest version. There’s also a process: jusched.exe *32 running that I thought kept Java up to date.
Is this article about Java 7? I do see Java SE 7u3 in the pic under JRE vs. JDK section, so I’m not sure.
Please advise. Thanks

0 votes

Chris Hoffman

Hey Harry, check out Mike Degatano’s comment in this thread for a solution.

0 votes

ahmed

please visit pickurlife.com

0 votes

Chris Hoffman

I’ve explained my feelings toward browser plugins in a more recent article, for those of you who think I was off-base in this post: http://www.makeuseof.com/tag/browser-plugins-one-of-the-biggest-security-problems-on-the-web-today-opinion/

0 votes

Shakir Abbas

I installed Java software on my PC but Java applications do not run. Why?

0 votes

Chris Hoffman

There could be lots of causes for that problem. I recommend you ask this question on MakeUseOf Answers to get more detailed troubleshooting help: http://www.makeuseof.com/answers/