Another zero-day exploit has been discovered in Oracle's Java VM, and many security experts are suggesting that you disable or uninstall Java. I'll explain why and how.
Another vulnerability has been discovered in Java; if Java is installed on your machine, malware authors can exploit it to infect your computer with something as simple as your visiting a malicious or hacked website.
As I write this, there is no update to Java, which means that there is no fix. Technically, that makes this a "zero-day": a vulnerability that is being exploited before the vendor has a patch for it.
The fix that most experts, including myself, are recommending is to remove Java from your machine. Chances are you don't actually need it anyway.
But before we go further, we have to do the old "Java vs. JavaScript" dance.
Because of another exceptionally poor choice of names, there's always instant confusion when we talk about Java because people often confuse it with JavaScript.
That's wrong. Java is not Javascript. They are completely unrelated to each other.
Javascript:
Comes with your web browser; it's part of Internet Explorer, Firefox, Chrome, and whatever other browser you might happen to have. There is no separate installation for JavaScript.
Is used by thousands and thousands of websites. Even Ask Leo! requires that JavaScript be enabled in order to post a comment (as part of a spam-prevention technique). Disabling JavaScript globally would render many if not most of the websites that you visit regularly partially to completely unusable.
Is considered a "scripting" language. While the term is somewhat vague, it generally means that JavaScript is a programming language used to augment some other environment, such as the display of HTML-based web pages in your web browser.
Java:
Is a separate download. Typically, the first time that you run into a need for Java, it is downloaded and installed at that time.
Is a programming language used to write larger, full-featured applications.
Uses a "common runtime" which is installed on your computer to provide features and functionality to the programs written in Java.
May be installed either by installing a program that happens to use Java or by visiting a web page that contains a Java applet and prompts you to install the runtime.
Is used by a more limited selection of applications and websites.
While JavaScript may have its own set of issues from time to time, that's not what this is about, at all. This is about Java.
While you almost certainly need JavaScript, it's quite likely that you do not need Java.
Java is used only by certain applications and websites, and the majority of websites don't use it.
However, you may have Java installed if you visited such a website or installed such an application even once. The installation was required to make that site or application work, but it's not practical to automatically uninstall it afterwards, because there's no way to know whether some other application that remains, or some other site you visit, also needs it.
It gets complex very quickly. As a result, once installed, Java remains installed until you explicitly uninstall it.
And that's exactly what I recommend you do.
In Control Panel, go to Add/Remove Programs (Windows XP) or Programs and Features (Windows 7).
Look for lines titled "Java", "Java VM", "Java Update" and the like, all with the Java logo as an icon.
Right-click on each, and select Uninstall.
Once you're done, you've uninstalled Java.
Didn't find any Java items in the Programs list? Then you're done before you even started; you didn't have Java on your machine to begin with.
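The steps above can also be done from an elevated PowerShell prompt, which is handy when you have several machines to check. This is an added example, not code from the Ask Leo! article: it reads the same Programs and Features list that Control Panel shows (the Uninstall registry keys, including the WOW6432Node hive where a 32-bit Java on 64-bit Windows registers itself), lists every Java entry, and, only if you pass -Uninstall, removes the MSI-registered ones with msiexec. The name pattern and publisher filter are assumptions based on how Oracle's and Sun's installers label themselves; anything that doesn't match the pattern will simply not be listed.

```powershell
# Added example (not from the original article): list and optionally remove
# every Java/JRE entry registered under Programs and Features.
# Assumptions: Oracle/Sun installers are MSI-based (they register a {GUID}
# product code), and this runs from an elevated prompt on Windows 7 or later.
# Default is a dry run; pass -Uninstall to actually remove the entries.
param([switch]$Uninstall)

# 64-bit and 32-bit uninstall hives; a 32-bit JRE on 64-bit Windows lives under WOW6432Node.
$hives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstalls {
    # Name pattern and publisher filter are assumptions about how the installers label themselves.
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -and
            ($_.DisplayName -match '^(Java|J2SE|J2RE)') -and
            ($_.Publisher -match 'Oracle|Sun Microsystems')
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, PSChildName, UninstallString
}

$found = @(Get-JavaInstalls)
if ($found.Count -eq 0) {
    Write-Host 'No Java entries found in Programs and Features; nothing to uninstall.'
    return
}

$found | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

foreach ($entry in $found) {
    # MSI-registered products use their {GUID} product code as the key name;
    # msiexec /x removes them without the installer's dialogs.
    if ($entry.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        $msiArgs = "/x $($entry.PSChildName) /qn /norestart"
        if ($Uninstall) {
            Write-Host "Uninstalling $($entry.DisplayName) $($entry.DisplayVersion)"
            $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            # Exit code 0 means success; 3010 means success but a reboot is pending.
            Write-Host "  msiexec exit code: $($proc.ExitCode)"
        } else {
            Write-Host "Would run: msiexec.exe $msiArgs  (re-run with -Uninstall to do it)"
        }
    } else {
        # Not an MSI product code: show the vendor's own uninstall command for manual use.
        Write-Host "Non-MSI entry '$($entry.DisplayName)'; uninstall via: $($entry.UninstallString)"
    }
}

# Verification: after a real uninstall there should be no java.exe left on PATH.
$javaExe = Get-Command java.exe -ErrorAction SilentlyContinue
if ($Uninstall -and $javaExe) {
    Write-Warning "java.exe is still present at $($javaExe.Path); check for a leftover install."
}
```

Run it once without -Uninstall to see what it would remove, compare the list with what Control Panel shows, then run it again with -Uninstall. An exit code of 3010 from msiexec means the uninstall succeeded but Windows wants a reboot before the files are fully gone.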
Disabling Java in your browser without removing it can be a complex task. I strongly recommend that you follow the process above to uninstall it from your computer completely.
However, as we'll see in a moment, that might not be practical.
Rather than reinvent the wheel, here are instructions from Sophos' Naked Security site on disabling Java in Internet Explorer. At the end of their instructions are links to similar instructions for Firefox, Chrome, Safari, and Opera.
After successfully uninstalling Java using the instructions above, you may encounter this when you visit a website that requires or uses Java:
Depending on the browser, you may instead or also see a notification telling you that "Java(TM) is required to display some elements on this page."
If you run a program on your PC that uses Java, you'll see a similar error message (exact wording will depend on the program) indicating that Java is required, but not present.
You have a decision to make.
In my order of preference:
Live without that website or program. Perhaps find an alternative that does not use Java.
Reinstall Java on a separate "sacrificial machine" or virtual machine and use that to access these sites or run these programs, leaving it off the rest of the time.
Reinstall Java, but disable it in all browsers except for one, which you use only to access the sites that require it. Use a different browser with Java disabled for your day-to-day web surfing.
Reinstall Java and be super-extra-careful.
In any of the circumstances that involve re-installing Java, make certain to always keep Java up to date. Letting it update itself is the preferred approach, if offered.
The current situation isn't an indictment of Java as a programming language - it actually is a pretty cool language, and ironically was itself designed with security in mind. One of its original selling points ("write once, run anywhere"), while technically not 100% accurate, is a very popular reason for many to have adopted Java as a technology.
No, the devil here is certainly in the details.
All software has bugs, make no mistake. Even your favorite never-had-an-issue program that you use every day, whatever it is and whatever computer it's running on, has bugs.
And so does the implementation of Java. It's not the programs written in Java that are at issue (although they certainly have bugs of their own). The issue here is in that common runtime - often referred to as the "Java VM" or "Java Virtual Machine" - I mentioned earlier. It's just software too, and like all software, it has bugs.
It might even have more than average, although I'm not going to say that for certain.
And it's installed on a lot of machines.
As Java has become more popular over time, it's become worth the time of hackers to see if there are bugs that haven't been fixed that they can exploit. Its appeal to attackers may not be based on millions of people actively using it, but rather on millions of computers that happen to have Java installed because a website requiring it was visited once upon a time.
In response to some of the comments:
Yes, a fix was released for the most recent problem. I still encourage people to uninstall Java, simply because most don't need it, and this is not the first time we've been in this position, and it simply seems likely to happen again. If you do need to keep Java, then as I said above keep it (and all your software) up to date.
J2RE (the "Java 2 Runtime Environment") is a part of Java and can be removed.
Javascript (which is not Java) does not appear in the add/remove programs list, as it's part of your browser and not a separate install.
(Update added January 12, 2013.)
Several people have noted that:
A fix was released.
Java version 6 didn't have the problem.
I have to stress that this is about much more than just a single vulnerability.
As it turns out, within days of the bug fix release, hackers announced that they had found at least two more vulnerabilities in Java 7.
In my opinion the track record for Java vulnerabilities is poor enough that I continue to strongly recommend that you uninstall all versions unless you're certain that you need it. (And uninstalling it to find out if you need it is also, in my opinion, a valid approach.)
(Update added January 22, 2013.)
How to be as safe as possible with Java, Michael Horowitz, Computerworld
Javatester.org, includes a partial list of applications and sites that use or require Java.
How do I disable Java in my web browser?, instructions from Oracle.
Article C6234 - January 12, 2013
February 3, 2013 7:01 AM
I just got a new Macbook Pro. (Love) I had a tech savvy friend install some software, and while doing so they installed Java. I've disabled it in Safari and Firefox...but is this enough? (Do I even need both browsers anyway?) I found a Java VM file when searching my applications. Can I remove it? And thanks for the article. I removed Java from my Netbook; not sure if it's related, but after doing so, it is running much more smoothly.
February 5, 2013 12:12 PM
Well, I agree that Java is unnecessary. But I think that for most sites JavaScript is also unnecessary! The content sites I visit display fine with JS disabled, and -- there are no JS-generated ads! Lovely! With Flash blocked as well, I can browse content without the crapola. Firefox add-ons will block JS with the option of allowing it on a case-by-case basis, and block Flash with the same case-by-case option. And yes, Java is disabled as well. Oracle does have a dismal record on security.
March 15, 2013 5:10 PM
I have Windows 8 and when I try to remove Java I get a pop-up asking if I want to allow Java to make changes to my computer. When I click "no" the uninstall discontinues. I tried clicking "yes" and Oracle proceeded to load an updated Java version (I assume). I cancelled the upload and tried uninstalling and again received the request to allow Oracle to update. What gives?
March 16, 2013 2:52 AM
@HW Pelt
Maybe you can click yes and allow the process to complete. It might be that that would uninstall Java from your system in spite of what the message is saying. I've had similar experiences with other programs. If not, at least you'll have a patched Java which is better than leaving it the way it is.
April 25, 2013 8:04 AM
Hi,
I have visited a website that needs Java, so I had to install it again. And now, the Firefox version 20 browser will ask if you want to run Java the first time you visit that website.
So, am I safe now keeping Java installed on Windows 7? Or should I uninstall it and install it again when I want to visit that website?
Thanks