Is Java Unsafe & Should You Disable It?

Chris Hoffman 28-09-2012

Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is sitting on their hands and only patching a serious Java vulnerability four months after it’s initially reported, news about the Java plug-in is rarely good.


We’ve touched on why browser plug-ins in general are one of the biggest security problems on the web today. The reality is that you probably don’t need Java installed, and if you don’t need it, you should disable it to keep yourself safe. If you do need the Java plug-in for something (this is fairly rare), you should keep it up-to-date and consider running it in a separate browser so malicious websites can’t abuse Java.

The Case Against Java

One of the most famous cases of Java being used to exploit computers was the Flashback Trojan on Macs. Over 600,000 famously secure Macs succumbed to infection because of Java. Java runs on all platforms, so compromising Java allows you to compromise Windows, Mac, Linux, and all different browsers.

On August 30, 2012, Oracle released a patch for a serious Java security flaw. Days earlier, malicious websites were already using this flaw to infect people’s computers. However, it gets worse – this security bug was reported to Oracle four months earlier (Source). It took four months for Oracle to fix a critical Java problem, and they only did it after it was being exploited in the wild. Worse yet, Java’s default update setting is to check for updates once a month, so it’s possible that many users weren’t upgraded until weeks later – in fact, it’s likely that many people are still using a vulnerable version of Java.

Enough is enough — Java has been subject to a constant series of such vulnerabilities. The average person doesn’t actually use Java, although it’s still available for websites to use in their browser – so disabling Java will increase the average person’s security while not actually taking away anything the average person depends on.

If you don’t know whether you need Java, you probably don’t need it. However, if you aren’t the average person and do need Java, there are some steps you can take to minimize your risk.


How To Disable Java

If you don’t use Java for anything, you can uninstall it from your Control Panel. This will uninstall the Java browser plug-in as well as the Java runtime, which allows desktop applications written in Java to run on your computer.

If you don’t know whether you need the Java runtime for any desktop applications you use, you can always uninstall it and reinstall it later if an application tells you you need it.

However, if you do need the Java runtime, you can disable the Java plug-in in your browser – Java will still be available for desktop applications to use, but websites won’t be able to access it.


To disable Java in Google Chrome, type chrome://plugins into your address bar, press Enter, and then click the Disable link under the Java plug-in.

To disable Java in Mozilla Firefox, open the Add-ons window from the Firefox menu, select the Plugins category, and click the disable button next to each installed Java plug-in.

To disable Java in Safari, uncheck the Enable Java checkbox on the Security tab in Safari’s Preferences window.

To disable Java in Opera, type opera:plugins into your address bar, press Enter, and then click the Disable link next to each installed Java plug-in.

Disabling Java in Internet Explorer is extremely complicated. As US-CERT notes:

Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.

Many of their methods for disabling Java only disable specific versions, so Java will be re-enabled when it updates to a new version. Even deleting Java’s plug-in files won’t help – they’ll be recreated when Java updates. The most effective way to disable Java in Internet Explorer is by uninstalling it completely. If you do need Java installed on your computer, you probably shouldn’t use Internet Explorer.

Using Java Safely

If you do need Java, there are some steps you can take to reduce the security problems you’re exposed to.

First, update Java often! Oracle’s updates only help if you install them. As we mentioned, Java checks for updates once a month by default – this is not good; there’s a reason modern browsers and operating systems check for updates once a day.

You can increase the update-check frequency from the Java control panel. (Open the Windows Control Panel, click Programs, and select Java to open it.) Click the Advanced button on the Update tab and tell Java to check for updates daily. When a Java icon pops up in your system tray with an available update, install it as soon as possible.

Second, consider using a separate browser when you need Java. For example, you can use Chrome or Firefox with Java disabled for most of your web-browsing, your online banking, and everything else. When you need to use a website that requires Java, you can open Internet Explorer (or another browser with Java enabled) and use only the website that requires Java. This helps keep you secure – the majority of websites you visit won’t be able to use Java.

Do you still have the Java plug-in installed? Do you still use websites that depend on it? Or do you think we’ve gone overboard by recommending people disable it? Leave a comment and share your opinion!


  1. CVZalez
    January 27, 2016 at 11:12 am

    Still people confuse Java Browser Plug-In with Java Runtime Environment, the one that had security flaws was Java Browser Plug-In!! Java Runtime Environment is a lot more secure even compared with native apps!!

  2. robert
    March 25, 2013 at 4:24 pm

    I think you are way off base. I noticed you have Flash installed.... compare the number of security holes, patches, breaches that have occurred with Flash to Java over the years. No comparison. Flash is way insecure, but you still run it...

    Heck, just ads from the wrong site can corrupt your machine with Flash.

    Actually, any plugin that does anything of substance can corrupt your machine. And hackers can exploit low-level bugs in various graphics libs as well. The opportunities are endless...

    Only by proper use of user accounts, and file permissions, (on a secure OS) can you really control security.

    You need to be more informed.

  3. LZ
    January 17, 2013 at 11:33 pm

    Hi Chris,

    Great article, thanks.
    Do you happen to know if there's a way to find out which desktop applications use Java (if at all) - before uninstalling it from a server causes SomethingOldAndSilly(TM) to stop working? A small company can't really afford 'trial & error' discovery...


    • Chris Hoffman
      January 28, 2013 at 2:22 am

      That's actually a really interesting question. I'm not sure about how to answer this -- although you'll probably see the javaw.exe (or something similar) process running if a currently-running app is using Java. Either way, you should be able to disable the browser plug-in, which is the big security hole.
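
One way to approach the question raised in comment 3 above, as an added example that is not part of the original article or comments: a PowerShell (3.0 or later) inventory of what depends on Java on a Windows machine. It goes beyond the javaw.exe hint by also scanning the default Program Files folders for applications that ship .jar files; the variable names and the choice of folders are assumptions.

```powershell
# Added example (not from the article): find what depends on Java on Windows.

# 1) Running now: processes started by a Java launcher. The command line
#    names the .jar or main class, i.e. the application being hosted.
$launchers = 'java.exe', 'javaw.exe', 'javaws.exe'
$running = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $launchers -contains $_.Name } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

# 2) Installed but possibly not running: application folders that ship .jar
#    files. A folder that also ships its own jvm.dll carries a private runtime
#    and does not depend on the system-wide Java install. The runtime's own
#    install folder will be listed here as well.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$installed = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.jar', 'jvm.dll' -ErrorAction SilentlyContinue |
        # Group files by the first folder level below the root (the application folder)
        Group-Object { $_.FullName.Substring($root.Length).TrimStart('\').Split('\')[0] } |
        ForEach-Object {
            $names = $_.Group | ForEach-Object { $_.Name }
            [pscustomobject]@{
                Application   = Join-Path $root $_.Name
                JarFiles      = @($names | Where-Object { $_ -like '*.jar' }).Count
                BundlesOwnJvm = [bool]($names -contains 'jvm.dll')
            }
        } |
        Where-Object { $_.JarFiles -gt 0 }
}

$running   | Format-List
$installed | Sort-Object BundlesOwnJvm, Application | Format-Table -AutoSize
```

Run it from an elevated session so the command lines of other users' processes are visible; applications installed outside the Program Files folders are not covered.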

  4. Naida West
    January 14, 2013 at 9:40 pm

    I rec'd the message about safety issues on Java. I think Java is on my hard drive iMac OS X (which can "come under threat"), but when I tried to follow the directions to "temporarily disable Java software" in order to reload the safer version, I couldn't find Java in my apps or utilities, though I found a Java "preference" containing a few lines about data. I couldn't find the Java Control Panel. Does this mean I don't have Java installed? I use Safari and Chrome browsers only. Naida

  5. Gutha Gowtham
    November 9, 2012 at 7:39 pm

    Java is safe unless you've got an unreliable application coded in it. Run the Java plugin only from the sites you trust, so all that is needed is not to allow Java plugin to enable for each and every site that you visit as it may harm your computer if the site that you've visited is using the plugin to make same harm to your computer. For example, Chrome provides the facility which asks for the plugin to run, do this only for the sites you trust and not for every ones. It's good if you make use of it in a good way. -- For Rock Solid Java Examples, Written Logics

  6. Arron Walker
    October 11, 2012 at 10:59 am

    I only really use it for Minecraft, which is far too fun to stop using. I've not used it on a website though for... well, a very long time.

    • Chris Hoffman
      October 20, 2012 at 8:41 pm

      Sure, definitely don't toss it if you use it! Still, the browser plug-in is unnecessary for most people.

  7. Elena
    October 1, 2012 at 8:21 pm

    I use Firefox with the NoScript extension. Since so many websites require java, disabling/enabling would be frustrating and boring. This way, I can disable it as default and turn it on on a single site basis, and if I have multiple tabs open I can disable it for a webpage and enable it for another.
    Highly recommended.

    • Chris Hoffman
      October 20, 2012 at 8:39 pm

      You may be confusing Java with JavaScript. JavaScript is a modern technology used everywhere, while Java isn't used as much these days (Okay, it's used server-side, but Java applets are extremely rare.)

  8. susendeep dutta
    September 29, 2012 at 9:46 am

    It's fault of Oracle that it's not taking Java so seriously. After acquisition of Sun Microsystems, it allowed to die OpenOffice and then Java is facing such situation. If this continues, then I think that Java will fade out and will never be of any value.

    • Chris Hoffman
      September 30, 2012 at 3:49 am

      Java is still used a lot for backend stuff, but the browser plug-in needs to go away.

  9. Mitesh Budhabhatti
    September 29, 2012 at 8:24 am

    This was an essential info. Thanks. I strongly feel that the Great Java screwed up by Oracle.

  10. Alan Wade
    September 29, 2012 at 6:13 am

    Java is just something that I accepted was there but thought no more about it - until I read many articles up and down the web that recommended disabling it.
    As I didn't know enough about it to form my own opinion I disabled it as per many written instructions. As far as I can tell I haven't noticed anything awry or had any adverse comebacks over it so until I am told otherwise it will still stay disabled.
    Knowledge is a wonderful thing, I just need to manage my time better so that I can read more. :)

    • Chris Hoffman
      September 30, 2012 at 3:48 am

      Yup, if you don't use it for anything, keeping it installed only increases your attack surface.

      All it's doing for most people is opening up security holes.

  11. Dave Parrack
    September 28, 2012 at 11:22 pm

    I disabled Java in Firefox a couple of months ago and haven't even noticed. Which says a lot.

    • Chris Hoffman
      September 30, 2012 at 3:48 am

      Exactly. Most people won't notice. I try to keep it disabled or uninstalled most of the time.

  12. macwitty
    September 28, 2012 at 10:54 pm

    Thanks for easy-to-follow instructions

  13. Stewart
    September 28, 2012 at 6:49 pm

    Question: I frequently use one website that does not work with later versions of Java (it's a government site that I use for my business), so I have not updated to the latest version. Is there a way to run the latest Java, but quickly switch to an earlier version when you need to?

    • Chris Hoffman
      September 30, 2012 at 3:47 am

      Yeah, that's another huge problem with Java -- "sorry, you need an old, vulnerable version for this software."

      It looks like this may be possible somehow ( talks about it, but is very old), but I have no idea how. Oracle should make this easier.

    • Henrique Dias
      November 10, 2012 at 11:03 pm

      Use one browser with Java only for this website and another for everything else...

  14. Scott
    September 28, 2012 at 6:39 pm

    Well, in my case there are two users who both use FF under two profiles. The other user likes playing the Pogo games a lot, which requires Java. So, I guess my only option is to disable it in my own profile's settings.


    • Chris Hoffman
      September 30, 2012 at 3:45 am

      Yes, you can certainly do that. Plugin settings are profile-specific, I think.

  15. GrrGrrr
    September 28, 2012 at 6:35 pm

    by default Mozilla is disabling Java.

    • Chris Hoffman
      September 30, 2012 at 3:45 am

      Ah, are they? Just like Chrome did too. Browser vendors have to step up because Oracle isn't.

      • Scutterman
        September 30, 2012 at 9:17 am

        Mozilla has a blacklist of plugin versions that it knows to be dangerous. Usually these are patched and updated quickly, but people don't seem to like updating Java. I know several people who will ignore the updater for months on end, despite trying to persuade them to update.

      • Scutterman
        September 30, 2012 at 9:22 am

        I currently don't have the plugin disabled, but I only visit a handful of sites I know to be safe. If, by some chance, one of those got compromised then I'll rely on my AV to block the threat.

        I still need java installed because I play Minecraft, which runs on java. There was talk about possibly moving it across to c++ but that would be a lot of work, especially since it would kill the modding community.

        • Chris Hoffman
          October 20, 2012 at 8:40 pm

          Minecraft seems to be one of the big reasons for having Java installed, but people can disable the browser plugin and still run Minecraft on the desktop, at least.

        • r1ckr011
          January 11, 2013 at 10:07 pm

          HOW?!!! I can't figure out that damn part and no one is specifying how that works!! I disabled the browser plugins and now apparently java won't run at all!

        • r1ckr011
          January 11, 2013 at 10:46 pm

          Oh btw, I'm here due to the very recent Ars Article (http://arstechnica[.com]/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/ {depending on the properties of this site I blocked the url so you'll need to unstaple the url}) talking about the holes in Java. Apparently they are lagging extremely far behind themselves, judging by the date stamps on all the comments here.

  16. Dimal Chandrasiri
    September 28, 2012 at 5:45 pm

    whoa... good thing I read this article! O.o