
For years, Java has been the top source of browser exploits. Even after a recent emergency patch, Java is still vulnerable. To protect ourselves, we should assume that Java is always going to be vulnerable.

We’ve already recommended disabling Java completely. Most people with Java installed don’t need it – it’s just sitting on their computers waiting to be exploited. You should uninstall Java now, if you can.

However, some people still need Java installed, whether for playing Minecraft or using an old Java applet on their company’s intranet. If you’re one of them, these tips will help you stay as safe as possible.

Remove Java Entirely If You Can!

If you don’t use Java for anything, you should uninstall it right now. If it’s installed, you’ll find it in the list of installed programs in your Control Panel. If you’re not sure whether you need Java, try uninstalling it anyway. You probably won’t even notice that it’s gone.

If you can’t uninstall Java yet and still need it, we’ll give you some strategies for mitigating the security problems you face with Java installed.


If You Only Use Java Desktop Programs

If you need Java installed, there’s a good chance you only use it for desktop programs like Minecraft or the Android SDK. If you only need Java for desktop applications, you should ensure Java browser integration is disabled. This prevents malicious websites from loading the Java browser plugin to silently install malware through one of the many Java vulnerabilities that are regularly exploited online.

First, open the Java Control Panel by pressing the Windows key, typing Java, and pressing Enter. (On Windows 8, you’ll need to select the Settings category after typing Java).

Click the Security tab and uncheck the Enable Java content in the browser checkbox. This will disable the Java plug-in in all browsers on your computer, although downloaded applications will still be able to use Java.


This option is fairly new and was introduced in Java 7 Update 10. Previously, there was no easy way to disable Java in all browsers on your computer.
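To confirm that the checkbox actually took effect (for example on a family PC or a handful of office machines), here is an added PowerShell check that is not part of the original article. It assumes the Java Control Panel saves the setting as the deployment.webjava.enabled key in the per-user deployment.properties file at its default Windows location; the function name and output fields are my own.

```powershell
# Added example (not from the article): report whether "Enable Java content in the
# browser" is switched off by reading the Java Control Panel's saved settings.
# Assumption: the checkbox is stored as deployment.webjava.enabled in the per-user
# deployment.properties file; the path below is its usual location on Windows.
function Get-JavaBrowserIntegrationState {
    param(
        [string]$PropertiesPath = (Join-Path $env:USERPROFILE `
            'AppData\LocalLow\Sun\Java\Deployment\deployment.properties')
    )

    # Java treats a missing key as "true" (browser integration on), so start there.
    $webJavaEnabled = $true
    $keyPresent     = $false
    $fileExists     = Test-Path -LiteralPath $PropertiesPath

    if ($fileExists) {
        foreach ($line in Get-Content -LiteralPath $PropertiesPath) {
            $trimmed = $line.Trim()
            # Skip blank lines and comments ('#' or '!') of the Java properties format.
            if ($trimmed -eq '' -or $trimmed.StartsWith('#') -or $trimmed.StartsWith('!')) { continue }
            # Split only on the first '=' so values containing '=' stay intact.
            $key, $value = $trimmed -split '=', 2
            if ($key.Trim() -eq 'deployment.webjava.enabled' -and $null -ne $value) {
                $keyPresent     = $true
                $webJavaEnabled = ($value.Trim() -ieq 'true')
            }
        }
    }

    if ($webJavaEnabled) {
        $advice = 'Browser integration is ON: untick "Enable Java content in the browser" in the Java Control Panel.'
    } else {
        $advice = 'OK: Java browser integration is disabled for this user.'
    }

    [pscustomobject]@{
        PropertiesPath = $PropertiesPath
        FileExists     = $fileExists
        KeyPresent     = $keyPresent
        WebJavaEnabled = $webJavaEnabled
        Advice         = $advice
    }
}

Get-JavaBrowserIntegrationState | Format-List
```

Run it under the user account whose settings you changed, since the Java Control Panel writes these settings per user.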

If You Use Java in Your Browser

If you’re one of the minority of people who needs to use Java applets in your browser, there are some steps you can take to lock things down.

You should have multiple browsers installed – your main browser with Java disabled and a secondary browser with Java enabled. Use the secondary browser exclusively for websites where you need Java. This will prevent websites from exploiting Java during your normal browsing.

Follow the steps here to disable Java in your primary browser. Use the secondary browser only to run Java applets on trusted websites, such as your company’s intranet. If you don’t trust a website, don’t run Java content from it.

You may also want to enable click-to-play plugins in Chrome or Firefox. This will prevent Java (and Flash) content from running until you allow it.


Keep Java Updated!

If you do keep Java installed, ensure you keep it updated. To change your Java update settings, open the Java Control Panel from earlier and use the Update tab.

Ensure Java is set to check for updates automatically. (You can also run a manual update by clicking Update Now.)


You should also click the Advanced button and set Java to check for updates once per day. By default, it checks once a month or once a week – far too infrequently for such a vulnerable piece of software. Whenever you see a Java update balloon appear in your system tray, update Java as soon as possible.


Older Java versions left the old, vulnerable versions installed when they updated. Luckily, newer versions of Java clean up older versions properly. However, even the latest security patches won’t protect you from everything. The latest version of Java is still vulnerable, even after an emergency patch.


Note that Java isn’t the same as JavaScript – JavaScript is a completely different language built into web browsers. It’s a bit confusing, but we can blame Netscape and Sun for that.