Recent vulnerabilities and exploits relating to Java have people scrambling to turn it off. Because of another unfortunate choice of names, many are turning off the wrong thing.
As you know, there is much talk on the web about the latest Java vulnerability, presumably coming from China. As I use Java a lot (being a non-geek!!) and that this is rumored to be quite serious, I would like your opinion on the matter. The usual remedy on the web is either to uninstall/disable Java altogether!
When I did this, however, I found that a lot of my favorite websites just did not function (at least not fully!). In particular, my online crosswords which I really like. So then as I use Firefox exclusively, I downloaded NoScript (can remember that you use it yourself from previous article) and have used it sparingly (no whitelists as yet).
That's actually just one example of several questions that I received this week relating to a recently discovered zero-day exploit of an unpatched vulnerability in Java. My understanding is that a fix is now available, but the scenario has brought to light something very important:
Let's look at each and why in situations like this it's so critical to understand that there is a difference.
Disclaimer: I'll definitely be over-simplifying here. The pesky details and the nuances aren't really that critical and I don't want them to distract from the main issue.
Java is a programming language that browsers do not support natively. When it's used on websites, it requires the download and installation of a "Java Virtual Machine" or JVM, now more commonly referred to as the Java Runtime Environment (JRE).
Programs written in Java are typically compiled into an intermediate form that is more efficiently executed by the JRE than the original source would be. As such, Java programs are typically separate downloads referenced by, but not actually included within, web pages that happen to make use of Java applications.
Java programs are not limited to being embedded in web pages or other containers. There are many standalone applications written directly in Java that run and execute like any other program and may not be related to the web or internet at all. Fundamentally, Java is just another programming language that can be used for almost any purpose, only one of those purposes being embedded into web pages.
Regardless of where or how it's used - embedded in a web page or as a standalone program - it's the same Java Runtime that's used in each case.
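To see how a page references a Java program as a separate download rather than including it, here is an added example (not from the original article) that scans a page's HTML and lists the Java program files it points to, separately from the scripts the browser runs on its own. The sample page and its file names are constructed for illustration; the tags and attributes checked are the standard HTML ways of embedding a Java applet.

```python
from html.parser import HTMLParser
JAVA_MIME_PREFIX = "application/x-java-"  # e.g. application/x-java-applet

class JavaReferenceScanner(HTMLParser):
    """Separates references to compiled Java programs from browser scripts."""
    def __init__(self):
        super().__init__()
        self.java_refs = []    # files the Java Runtime would download and run
        self.script_refs = []  # scripts the browser runs itself, no JRE needed
        self._objects = []     # stack: True for each open Java <object>

    def _record(self, attrs):
        for key in ("code", "archive"):
            if attrs.get(key):
                self.java_refs.append(attrs[key])

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        java_type = a.get("type", "").lower().startswith(JAVA_MIME_PREFIX)
        if tag == "applet" or (tag == "embed" and java_type):
            self._record(a)
        elif tag == "object":
            self._objects.append(java_type)
        elif tag == "param" and self._objects[-1:] == [True]:
            # A Java <object> names its program in child <param> elements.
            self._record({a.get("name", "").lower(): a.get("value", "")})
        elif tag == "script":
            self.script_refs.append(a.get("src") or "(inline)")

    def handle_endtag(self, tag):
        if tag == "object" and self._objects:
            self._objects.pop()

def scan(html):
    scanner = JavaReferenceScanner()
    scanner.feed(html)
    scanner.close()
    return {"java": scanner.java_refs, "scripts": scanner.script_refs}

# Constructed sample page: two Java programs, one PDF, two scripts.
SAMPLE_PAGE = """<html><head><script src="menu.js"></script></head><body>
<applet code="Crossword.class" archive="crossword.jar" width="400" height="400"></applet>
<object type="application/x-java-applet" width="200" height="200">
  <param name="code" value="Clock.class"><param name="archive" value="clock.jar">
</object>
<object type="application/pdf" data="rules.pdf"></object>
<script>var started = true;</script></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

An empty "java" list means the page works without the Java Runtime installed, whatever it lists under "scripts".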
Java must first be downloaded and installed before it's available for use in either web pages or standalone applications. Once downloaded, there's often no real indication that a standalone application is using Java.
Browsers will often ask for permission before running Java on a web page.
In Windows, Java is a separate application on your computer. It includes its own update functionality and automatic check.
If Java is installed, you may also find a Java control icon in Control Panel that will allow you to check for updates immediately.
In Internet Explorer, it's buried in Tools, Internet Options, Security, Custom level..., in the Scripting section:
While a similar setting exists in Firefox, the best approach is to use the NoScript plugin to control scripting on a site-by-site basis.
The easiest and safest way to disable Java is simply to not have it installed, and to uninstall it if it is:
Simply locate Java in the list of installed programs, right-click on it, and select Uninstall.
This is safe to do, even if you regularly visit a website that requires Java, as the next time you visit, it will automatically prompt you to re-download and install Java. If you prefer not to have Java installed, you can decline and that website's Java-based functionality will not be available.
Web browsers can also disable Java without needing to uninstall it, typically using settings in the browser's advanced options, but in general, uninstalling is by far the easiest approach.
Given the current application and security landscape, I'll make the following recommendations:
Java: Uninstall Java unless you're certain you need it. It's not at all uncommon to end up with Java installed because of a website you visited only once. Uninstall it, and if something you care about breaks, re-install it. In this case, some security-minded folks recommend having it enabled in only one browser that you don't use regularly and explicitly disabling it in the browser you use day-to-day.
As for me, I just uninstalled Java. I know of only one program that I use that may eventually require it. Until then, I'll run without.
Java (programming language) - Wikipedia - more details including a history of Java's origins.
JavaTester.org includes additional background on Java, as well as a Java version tester if you have Java installed.