Recent vulnerabilities and exploits relating to Java have people scrambling to turn it off. Unfortunately, because of another unfortunate choice of names, many are turning off the wrong thing.

As you know, there is much talk on the web about the latest Java vulnerability, presumably coming from China. As I use Java a lot (being a non-geek!!) and as this is rumored to be quite serious, I would like your opinion on the matter. The usual remedy on the web is to either uninstall or disable Java altogether!

When I did this, however, I found that a lot of my favorite websites just did not function (at least not fully!). In particular, my online crosswords which I really like. So then as I use Firefox exclusively, I downloaded NoScript (I can remember that you use it yourself from a previous article) and have used it sparingly (no whitelists as yet).

That's actually just one example of several questions that I received this week relating to a recently discovered zero-day exploit of an unpatched vulnerability in Java. My understanding is that a fix is now available, but the scenario has brought to light something very important:

Many people confuse Java and Javascript.

Java is not Javascript. In fact, other than the first four characters of their names, Javascript and Java are not related to each other at all.

Let's look at each and why in situations like this it's so critical to understand that there is a difference.

Disclaimer: I'll definitely be over-simplifying here. The pesky details and the nuances aren't really that critical and I don't want them to distract from the main issue.

Javascript

Javascript is a programming language that is supported natively by most modern web browsers. That means that the browsers come with the means to understand and execute Javascript using what's called an "interpreter."

Programs or "scripts" written in Javascript are often contained directly in the HTML pages in which they are used. View the source of even this article on the Ask Leo! website and you'll see a few snippets of Javascript used for various purposes.

Javascript enables richly interactive web pages, turning them from static displays of text and pictures into small applications capable of often impressive functionality. Sites like Gmail, Facebook, and others use Javascript to display, animate, and change content without requiring you to visit a new "page" for each change. Scroll down your Facebook wall and it's Javascript that keeps downloading and adding more content to the page the further you scroll.

Javascript has become so popular and so prevalent in web design that it's difficult to use many sites without it.

Java

Java is a programming language that's not natively supported by browsers. When it's used on websites, it requires the download and installation of a "Java Virtual Machine" or JVM, now more commonly referred to as the Java Runtime Environment (JRE).

Programs written in Java are typically compiled into an intermediate form that is more efficiently executed by the JRE than the original source would be. As such, Java programs are typically separate downloads referenced by, but not actually included within, web pages that happen to make use of Java applications.

Java programs are not limited to being embedded in web pages or other containers. There are many standalone applications written directly in Java that run and execute like any other program and may not be related to the web or internet at all. Fundamentally, Java is just another programming language that can be used for almost any purpose, only one of those purposes being embedded into web pages.

Regardless of where or how it's used - embedded in a web page or as a standalone program - it's the same Java Runtime that's used in each case.
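To make the difference concrete, here is an added example (not part of the original article) that scans a page's HTML and separates the Javascript it carries from the Java applets it merely references. The sample page and the names `audit` and `ActiveContentAudit` are constructed for illustration.

```python
from html.parser import HTMLParser

JAVA_MIME = "application/x-java-applet"  # MIME type used by the Java browser plug-in

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """
<html><head>
<script src="/static/menu.js"></script>
<script>document.title = "Crossword";</script>
</head><body>
<applet code="Crossword.class" archive="crossword.jar" width="400" height="400"></applet>
<object type="application/x-java-applet;version=1.6" data="puzzle.jar"></object>
<embed type="application/x-shockwave-flash" src="banner.swf">
</body></html>
"""


class ActiveContentAudit(HTMLParser):
    """Collects Javascript and Java references found in one HTML document."""
    def __init__(self):
        super().__init__()
        self.javascript = []  # inline or external scripts run by the browser itself
        self.java = []        # applets that need the separately installed JRE

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            # No type attribute means Javascript; other script types are ignored.
            kind = a.get("type", "").lower()
            if kind in ("", "text/javascript", "application/javascript", "module"):
                self.javascript.append(a.get("src") or "<inline>")
        elif tag == "applet":
            self.java.append(a.get("archive") or a.get("code") or "<applet>")
        elif tag in ("object", "embed"):
            if a.get("type", "").lower().startswith(JAVA_MIME):
                self.java.append(a.get("data") or a.get("src") or "<" + tag + ">")


def audit(html):
    """Return (javascript_refs, java_refs) for the given HTML text."""
    parser = ActiveContentAudit()
    parser.feed(html)
    parser.close()
    return parser.javascript, parser.java


if __name__ == "__main__":
    js, java = audit(SAMPLE_PAGE)
    print("Javascript (runs in the browser):", js, "| Java (needs the JRE):", java)
```

This only inspects the static markup; a script can add an applet tag to the page after it loads, so an empty Java list here does not prove that a page never uses Java.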

Visibility

Whereas Javascript tends to be part of and interact with the web page on which it is hosted, Java applications on web pages tend to be more self-contained and restricted to a rectangle on the page (which, sometimes, can be the entire page).

Unless you're using advanced configurations or extensions such as NoScript, Javascript is typically either on or off - usually on. This means that its presence on or use by a web page may not be obvious.

Java must first be downloaded and installed before it's available for use in either web pages or standalone applications. Once downloaded, there's often no real indication that a standalone application is using Java.

Browsers will often ask for permission before running Java on a web page.

Chrome asking permission to execute Java used on a web page

Internet Explorer asking permission to execute Java used on a web page

Javascript is typically updated with your browser. Keep your browser up-to-date and you'll be keeping Javascript up-to-date.

In Windows, Java is a separate application on your computer. It includes its own update functionality and automatic check.

Java Update Notification

If Java is installed, you may also find a Java control icon in Control Panel that will allow you to check for updates immediately.

Enabling and disabling

Javascript

Javascript is enabled and disabled via a setting in your browser's options.

In Internet Explorer, it's buried in Tools, Internet Options, Security, Custom level..., in the Scripting section:

Scripting setting in Internet Explorer

In Chrome, it's in Settings, Advanced, Javascript:

Enable Javascript in Chrome

While a similar setting exists in Firefox, the best approach is to use the NoScript plugin to control scripting on a site-by-site basis.

Java

The easiest and safest way to disable Java is to simply not have it installed, and to uninstall it if it is:

Java in Control Panel Programs

Simply locate Java in the list of installed programs, right-click on it, and select Uninstall.

This is safe to do, even if you regularly visit a website that requires Java, as the next time you visit, it will automatically prompt you to re-download and install Java. If you prefer not to have Java installed, you can decline and that website's Java-based functionality will not be available.

Web browsers can also disable Java without needing to uninstall it, typically using settings in the browser's advanced options, but in general, uninstalling is by far the easiest approach.

As you can see, disabling Javascript has nothing directly [1] to do with disabling Java and vice versa. Thus disabling one when you think you are disabling the other (or because you don't understand that they are unrelated) can lead to a false sense of security.

Java & JavaScript: Should you or shouldn't you?

Given the current application and security landscape, I'll make the following recommendations:

  • Javascript: In general, leave Javascript enabled and stay away from questionable sites. The practical fact is that many, many websites simply will not work if Javascript is disabled. If you are concerned, then the only true solution is to use Firefox with the NoScript add-on to allow selective choice of which websites are allowed to use Javascript. Similar-sounding add-ons for Chrome apparently don't work reliably and give a false sense of security. Managing this through IE's security zones is a confusing nightmare.

  • Java: Uninstall Java unless you're certain you need it. It's not at all uncommon to end up with Java installed because of a website you visited only once. Uninstall it, and if something you care about breaks, re-install it. In this case, some security-minded folks recommend having it enabled in only one browser that you don't use regularly and explicitly disabling it in the browser you use day-to-day.

As for me, I just uninstalled Java. I know of only one program that I use that may eventually require it [2]. Until then, I'll run without.

1: In some browsers, disabling Javascript has the side effect of also rendering Java inoperable. When folks realize how many websites are affected by disabling Javascript and re-enable it, they're still left vulnerable to Java issues, when they needn't be.

2: GoToMeeting / GoToWebinar

Article C5762 - September 1, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

14 Comments
Kevin
September 4, 2012 9:06 AM

Noscript seems to be blocking me posting a comment on your article

It would. In order to keep spammers from flooding this site with automated spam I require the use of Javascript to make comments. You need to add an exception for ask-leo.com. As to the cross-site scripting issue that you also encounter when previewing - I understand it, but don't know a way of preventing it other than not previewing. The scripts do cross to another domain of mine when previewing, and unfortunately it would take a fairly large architectural change to the site to fix that.
Leo
05-Sep-2012
Daniel
September 4, 2012 9:28 AM

When I heard about the vulnerability, I decided to uninstall Java 7 and go back to 6 (I have a proprietary program at work I must use that is written in Java). Both version 6 update 22 and version 7 update 5 were in the 'Programs and Features' part of control panel to uninstall. I uninstalled version 7. When I open the Java control panel, it says Java 7, but the version is 1.6.0_22-b04. I find that to be very weird. I'm considering uninstalling it also then reinstalling version 6 from scratch. There is also a JavaFX 2.1.1. Should that be uninstalled?

I uninstalled all of the above with no ill effect.
Leo
05-Sep-2012
connie
September 4, 2012 10:54 AM

@Kevin,
All of your posts have posted. Try refreshing your browser and see if clearing the cache that way works.

bob price
September 4, 2012 11:34 AM

Many thanks for this explanation as it has confused me for a long time. Unfortunately, I am an old widowed senior living alone, and worry about mental deterioration. [we seniors worry about such things] So I play a lot of Sudoku and crossword puzzles every day to exercise the mind. All of them seem to require java and flash. So, I'm stuck with them, but use the FF update links to maintain the most current versions.

Lester
September 4, 2012 11:40 AM

I use gotomeeting on a regular basis on my home computer, since I work at home but need to attend online meetings. I also need to regularly access government websites that require Java, but have not been updated to Java 7. They ask for IE 7 and Java 6. I guess they don't worry about me being an open target....

Jennifer
September 4, 2012 1:34 PM

Hi, Leo. Thanks for the article! I never realized this. Lately, profiles on Facebook in both IE and Firefox have been crashing and on both my computers with both browsers installed. I do regular updates with them and plugins and am wondering if javascript is part of my problem for my frequent crashes that just started a month ago? I updated flash but it didn't make a difference. Other people are having similar experiences but nobody can determine what is causing it and somebody said it may have to do with flash or javascript. What do you think? I don't know much about it. Thanks.

It's rare that Javascript would be responsible for browser crashes - it's one of the last things I'd consider. At the top of the list, however, would be browser addons and toolbars.
Leo
05-Sep-2012
Macon Richardson
September 4, 2012 2:57 PM

Leo, thanks a million for the quick and very easy lesson on Java vs. Javascript. I've been confused about them since the last millennium and in a few short paragraphs you have illuminated my understanding. That's why I keep coming back to Ask Leo.

Bill Casey
September 4, 2012 3:28 PM

Leo
Your explanation of the difference between Java and Javascript really helped. I've decided to disable the former in my usual browser, Firefox. I'll leave it enabled in IE.

BaliRob
September 4, 2012 8:45 PM

Dear Leo, I cannot find JavaScript in " Settings, Advanced, JavaScript" as you say in Chrome. I go to Wrench, Settings, Advanced - but no mention of JavaScript.

fran kaye
September 5, 2012 12:02 AM

Today I just got a notice to download a java critical update. However, they thought it is not ready to be released until October. In any event I have removed the Java 6 that I had on my system. Should I download this new update?

Oracle performed an emergency update due to this problem. Unfortunately the update has other problems and most security minded folks will recommend uninstalling Java unless you actually need it.
Leo
05-Sep-2012
Mark J
September 5, 2012 7:31 AM

@BaliRob
It appears Leo may have inadvertently left out a step. After advanced settings, scroll down to Privacy and click on the "Content settings" button and then select "Do not allow any sites to run JavaScript"

A Richter
September 5, 2012 12:30 PM

Based on 2011 data, applying JavaScript in exploits became exceedingly fashionable. It seems using NoScript in Firefox provides the best protection, and is worth the little hassle. Also, for practical purposes not all the scripts on a site need to be allowed as long as the resulting level of functionality satisfies the user.

Java is the second worst culprit as far as vulnerabilities are concerned, so its absence may indeed be desirable. Next, documents are increasingly being used for nefarious purposes, while in comparison, Flash might be considered relatively safe nowadays.

artysmithy
September 5, 2012 10:15 PM

I subscribe to Fine Art Webinars from USA. These will not run on my Comp. without Java. However last week advised Java's "Plugin" out of date & I cannot find where I can access Java "Plugin". Have updated Java but warning plugins out of date still appears - & I miss my Webinar! I really would appreciate your advice Leo as these Art Tutorials come in each Sat @ 3am AEST. Thank you artysmithy


Updating Java should have updated the plugins, but you should be able to get all at java.com.
Leo
06-Sep-2012

Lane
September 7, 2012 9:55 AM

The option in Chrome is under settings, advanced, privacy, contents settings, javascript ....
