How-To Geek

How to Protect Yourself From Java Security Problems if You Can’t Uninstall It

For years, Java has been the top source of browser exploits. Even after a recent emergency patch, Java is still vulnerable. To protect ourselves, we should assume that Java is always going to be vulnerable.

We’ve already recommended disabling Java completely. Most people with Java installed don’t need it – it’s just sitting on their computers waiting to be exploited. You should uninstall Java now, if you can.

However, some people still need Java installed, whether for playing Minecraft or using an old Java applet on their company’s intranet. If you’re one of them, these tips will help you stay as safe as possible.

Remove Java Entirely If You Can!

If you don’t use Java for anything, you should uninstall it right now. If it’s installed, you’ll find it in the list of installed programs in your Control Panel. If you’re not sure whether you need Java, try uninstalling it anyway. You probably won’t even notice that it’s gone.

If you can’t uninstall Java yet and still need it, we’ll give you some strategies for mitigating the security problems you face with Java installed.

If You Only Use Java Desktop Programs

If you need Java installed, there’s a good chance you only use it for desktop programs like Minecraft or the Android SDK. If you only need Java installed for desktop applications, you should ensure Java browser integration is disabled. This will prevent malicious websites from loading the Java browser plugin to silently install malware using one of the many Java vulnerabilities that are regularly exploited online.

First, open the Java Control Panel by pressing the Windows key, typing Java, and pressing Enter. (On Windows 8, you’ll need to select the Settings category after typing Java).

Click the Security tab and uncheck the Enable Java content in the browser checkbox. This will disable the Java plug-in in all browsers on your computer, although downloaded applications will still be able to use Java.

This option is fairly new and was introduced in Java 7 Update 10. Previously, there was no easy way to disable Java in all browsers on your computer.
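To confirm the checkbox actually took effect on a machine, you can read the setting back from the Java deployment configuration. The script below is an added example, not part of the original article: it assumes the checkbox is stored as the deployment.webjava.enabled property in the per-user deployment.properties file at the Windows path shown, and the two sample files are constructed for illustration.

```python
import os
import re

# Property assumed to back "Enable Java content in the browser" (Java 7u10+).
WEBJAVA_KEY = "deployment.webjava.enabled"
# Assumed per-user location on Windows Vista and later.
DEFAULT_PATH = r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"

# Constructed sample files, not taken from a real machine.
HARDENED = "#deployment.properties\ndeployment.security.level=HIGH\ndeployment.webjava.enabled=false\n"
UNTOUCHED = "#deployment.properties\ndeployment.security.level=HIGH\n"

def parse_properties(text):
    """Parse the subset of Java .properties syntax used by deployment.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # blank line or comment
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            key = re.sub(r"\\(.)", r"\1", m.group(1))   # drop escape backslashes
            props[key] = m.group(2).strip()
    return props

def browser_java_status(text):
    """Return 'disabled', 'enabled' or 'unset' for Java content in the browser."""
    value = parse_properties(text).get(WEBJAVA_KEY)
    if value is None:
        return "unset"       # checkbox never changed in this profile
    return "disabled" if value.lower() == "false" else "enabled"

if __name__ == "__main__":
    path = os.path.expandvars(DEFAULT_PATH)
    try:
        with open(path, encoding="latin-1") as fh:   # .properties files are Latin-1
            print(path, "->", browser_java_status(fh.read()))
    except OSError as exc:
        print("could not read", path, "-", exc)
```

Anything other than "disabled" means the browser plug-in has not been switched off for that user profile.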

If You Use Java in Your Browser

If you’re one of the minority of people who needs to use Java applets in your browser, there are some steps you can take to lock things down.

You should have multiple browsers installed –  your main browser with Java disabled and a secondary browser with Java enabled. Use the secondary browser exclusively for websites where you need Java. This will prevent websites from exploiting Java during your normal browsing.

Follow the steps here to disable Java in your primary browser. Use the secondary browser only to run Java applets on trusted websites, such as your company’s intranet. If you don’t trust a website, don’t run Java content from it.

You may also want to enable click-to-play plugins in Chrome or Firefox. This will prevent Java (and Flash) content from running until you allow it.

Keep Java Updated!

If you do keep Java installed, ensure you keep it updated. To change your Java update settings, open the Java Control Panel from earlier and use the Update tab.

Ensure Java is set to check for updates automatically. (You can also run a manual update by clicking Update Now.)

You should also click the Advanced button and set Java to check for updates once per day. By default, it checks once a month or week – way too infrequently for such a vulnerable piece of software. Whenever you see a Java update balloon appear in your system tray, update Java as soon as possible.

Older Java versions left the old, vulnerable versions installed when they updated. Luckily, newer versions of Java clean up older versions properly. However, even the latest security patches won’t protect you from everything. The latest version of Java is still vulnerable, even after an emergency patch.


Note that Java isn’t the same as JavaScript – JavaScript is a completely different language built into web browsers. It’s a bit confusing, but we can blame Netscape and Sun for that.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 01/21/13

Comments (30)

  1. Nathan.D

    Good article. I was thinking of uninstalling java but I have minecraft.

  2. Lucky Man

    yeah Sun and Netscape need belt on their behind while i am giving them a whoop for disrespecting our computers lol :)

    so anyways good article though ;)

  3. GK

    I use java for minecraft and a lot of JavaScript on websites, but I don’t have to worry about security holes. Why? Because I have Linux, so my pc is safe from most viruses that use java as an entrance point as they are windows .exe files. Go linux!

  4. kelltic

    Hey thanks for the article. Somehow I’d forgotten I could access Java through Control Panel, so I was updating the hard way. All fixed up now. :)

  5. Willem

    My meteo uses java for looped radar scans. I have to use Java to see it. I do this 3 to 7 times a day. I can either not look at the radar, or enable Java. I enabled Java.

  6. andrew_berge

    Question: What about Google Chrome’s built in JavaScript?
    Because when you disable that, 90% of the Internet breaks.
    eBay, Twitter, banking; you even need it enabled to post a comment here.

    Does JavaScript not equal Java?

  7. Dulwichdik

    Great just disabled Java, got this message when I tried to use reader.
    JavaScript must be enabled in order for you to use Reader.
    As others have mentioned to leave a comment on HTG java rears its leaky head
    Doh!!

  8. Ross

    andrew

    JavaScript does NOT equal Java. I found out the hard way when I disabled both in Safari. You need JavaScript for a lot of web sites. Java …. not so much ….

  9. andrew_berge

    @Ross: Ah, thanks. I was kind of wondering why they said Java was rare, and yet nothing worked without it :)

  10. Brian H

    I need Java enabled because some of the websites I regularly visit use it.

    I have applied the latest Java update and have been trying to change the update frequency but, although it says that it has changed it, the next time I look it has reverted to the default.

    Can you suggest what I might have wrong?

  11. Nelson

    JavaScript ≠ Java. JavaScript is a client-side scripting language; Java is a server-side programming language. You can uninstall Java without tampering with your browser’s ability to interpret JavaScript.

  12. german

    i use java just to develop using eclipse ide. but since eclipse only needs the folder where javaw.exe is located, then it is very easy. just copy the x86 and 64 versions of that folder, uninstall javas and configure your eclipse to find the javaw.exe files it needs… that makes your eclipse portable/ stand alone without caring for java security holes…

  13. Brian H

    I have found the answer to my earlier query about update frequency not being saved – If anyone interested look here

    http://www.java.com/en/download/help/javacpl.xml

    You have to change jre6 to jre7 for version 7 of java.

    Brian

  14. ed

    You do not need to disable Javascript, it is not the same as Java; at the end of the article it is clearly stated. And of course 90% of the internet will break if you disable Javascript…90% of the webpages use Javascript..

  15. No So Fast!

    WRONG!!!

    Even Java SCRIPT can be used to attack a computer. I use “No Script” with Firefox to block a TON of scripts. So if you think Java SCRIPT is somehow safe you really should familiarize yourself with what the developers of the No Script add-on have to say about it. Problem is, a LOT of web sites do need to run scripts. But with No Script you can SELECTIVELY choose which ones to enable. But enabling all of them is just as stupid as installing Java 5/6 – or even Adobe Reader (which is totally unnecessary if you use Chrome or even know about Foxit or Sumatra)!!!

    I’d provide a link, but HTG seems to think I’m trying to crack their servers when I do that or something. Meanwhile, HTG continues to post those “Friday Fun” games, all of which require (ta da) JAVA! I mean, WT-F is that about?!

  16. Klaas

    I disabled Java in my browsers a long time ago, the only time I’ve come close to a virus/malware threat in the last 5-6 years has always been through Java exploits, thankfully each time my antivirus software has caught the threat immediately. In the last 2 years after disabling Java plugins in Firefox, I’ve had zero issues, to be honest I’ve not really needed Java in my browser for some time so I really should have disabled it a long time ago

    I still keep Java installed but this is only for local desktop programs like Minecraft, and for some reason which I can’t fathom, Sega use Java in order to launch some of their games that I’ve bought from Steam like Sonic 4 Episodes 1 and 2

  17. Joe Blow

    Drop Java 7 and go back to java 6. It’s not as vulnerable to new exploits as we are now seeing in Java 7. These recent vulnerabilities that have been discovered do not affect ANY version of Java 6. The most current version of Java 6 is update 38.

  18. Kiss My (Blank)

    @ Joe Blow

    If you’re really that stupid (to install and use Java 6) then I have a bridge in Brooklyn you might be interested in.

  19. Ushindi

    Interestingly, Vuze seems to require Java on your computer – it tells you to put it back.
    However, if you do ever use Vuze, Java can still be disabled from your browsers with no problem.

  20. Czechguy

    The article forgot to mention OpenOffice. Yes it unfortunately requires Java. I use the latest Java and disabled it for internet use. Some of us can’t afford Microsoft products and Apache OpenOffice meets my needs and it’s free. It seems some of us are still stuck with Java on the desktop. No way I’ll go on the internet with it though and as I mentioned I shut it down using Java’s console and in the browser options too.

    I have not received any antivirus alerts from some rogue program getting into my temp folders as I used to get as I browsed the internet. Not saying it won’t happen, just not because of Java in my browser.

    BTW, you don’t have to go on porn sites to get Java based exploits installed in your browser’s temp folder. They can be on any site that has not been secured and some lowlife has managed to infiltrate.

  21. lol

    I’m learning Java development right now and all of this ‘good news’ doesn’t help at all))

  22. dark_star

    Kill all java !!!

  23. ATL Computer Repair

    I disabled Javascript, but it breaks Facebook’s “See More” functionality. In reality, you can be running an exploit-ridden app but never encounter infection. Stay smart!

  24. KB Prez

    @Chris, THANKS for posting this article! I uninstalled Java and so far no issues at all.

  25. Mr Geeky

    I can’t believe they didn’t mention no-script (again!)…the single greatest addon for those concerned about browser security/privacy. Howtogeek has failed again! Anyone worried about security and/or privacy should be using http://noscript.net/

    ” The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank).

    NoScript also provides the most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.

    NoScript’s unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality…

    You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
    Watch the “Block scripts in Firefox” video by cnet.

    Staying safe has never been so easy!”

  26. Noko

    Let’s call it “Assault Java” and have it banned!

  27. Major Gigabyte

    I love the smell of Java in the morning, fresh and hot, just not on my browser or on my keyboard for that matter, lol.

  28. MikeMoss

    Hi

    I tried uninstalling Java on both my computer and my wife’s.
    So much stuff needs Java to work that it just isn’t possible.

    The list of things that stopped working was very long.

    It even changed the way web pages appeared in forums and ran all the lines together.

    Some video wouldn’t play etc.

    I had to put it back on both computers.

    Mike

  29. danar

    javascript is client side programming language it does not have any relation with JAVA cuz java runtime environment like .NET from microsoft and disabling javascript will cause lot of problems for navigating through websites because almost every website needs javascript to be enabled.

  30. surgec411

    Lawl when for the first time i went to the java control panel i realized i was on java 7 UPDATE 5!!!
