Java

Java is a security problem child for computers.  Do you need it?  Is it running on your PC? 

Java running in your browser is a dangerous security problem now.  Java on your PC not so much.  Unless you really need Java in your browser, disable it.  If you don’t need Java on your PC, uninstall it.

Here is how to test if you have Java enabled in your browser – Danger! – and how to turn it off.

Updated January 14, 2013.

Java is on about 70% of computers, according to statowl.com. According to betanews.com, some web sites require Java, for example some games (Minecraft), bank and government logins, IT programs, real-time stock quotes, menu systems and OpenOffice.

Most people don’t use or need Java and can disable or uninstall it.  If you take away Java and something breaks, you can always add it back.

In the last several months Java has had a series of serious security issues, culminating on January 10, 2013, when US-CERT (United States Computer Emergency Response Team) posted: “Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers.”  Java security issues had become epidemic and increasingly exploited in the wild.  The security exploits had been added to hacker kits so that anyone could develop their own Java exploit.

Kaspersky Labs said that in 2012 “Java security holes were responsible for 50% of attacks.”  “Attacks” here means exploits at web sites that allow computer malware (viruses) to be downloaded and installed on computers.

On January 13, 2013, Oracle said that Java 7 Update 11 fixes the problems, but US-CERT and security experts say to remain wary and continue to recommend disabling or removing Java if you don’t need it. (eweek.com) (technewsworld.com) (abcnews.go.com)

The big problem is vulnerable Java running in browsers: when the browser visits an infected web site, the site exploits the vulnerable Java to “drive by” download malware.

Malware (viruses) can be used to wreak all kinds of havoc – steal passwords for financial accounts, steal information used in identity theft, create botnets for DDoS attacks, install scareware (a program that tells you that your computer is infected by viruses and offers to clean the infections for a fee), install ransomware (a program that locks your data and demands a ransom be paid to unlock it), collect information for phishing and ransom attacks, and so on.

My recommendations are

  • Test to see if you have Java enabled in browsers that you use (see next paragraph).
  • Uninstall Java if you don’t need it.  You can always add it back if you need it.
  • If you require Java, enable Java on only one browser and only use that one browser for trusted sites that require Java.  Use a Java disabled browser for other sites.
  • Avoid using the Internet Explorer browser.
  • Keep Java and all other computer software up to date.  Run anti-malware programs.
  • Stay informed about Java and all security issues.

Test to see if Java is enabled in your browser

http://www.java.com/en/download/installed.jsp

or http://javatester.org/version.html

It is a good idea to test again after disabling Java in your browser (see IE problems below).

Disabling Java in the browser

Disabling Java in Firefox, Chrome and Safari is straightforward and works.

Disabling Java in Internet Explorer fails.  Although IE says the Java Add-on is disabled, it really isn’t.

After making changes to browser configurations or Java, restart your browser for the changes to take effect.

Internet Explorer (IE)

For IE, disabling Java in the browser does not work!  Even though it says “Disabled”, Java is really enabled.  This is a serious error in Oracle’s Java or Microsoft’s IE programming.  To really disable Java in IE, you must perform a registry hack, disable Java in all browsers via the Java Control Panel (see below) or uninstall Java completely (see below).

For the registry hacks, see http://nakedsecurity.sophos.com/how-to-disable-java-internet-explorer/

Best just to not use IE.

The steps that should work but don’t (note different versions of IE have differences in menus and windows) –

IE7 Tools, Manage Add-ons, Enable or Disable Add-ons – FAIL procedure
IE7 – Manage Add-ons – FAIL procedure

FAIL.  Again, do not rely on disabling Java in IE.

Firefox

Menu Bar


or Orange button

Firefox, Add-ons

Firefox Add-ons Manager

Chrome

Chrome – disable Java

Safari

Safari, Settings, Preferences
Safari, Settings, Security, Java

Java Control Panel

With Java 7 Update 10 and above, you can disable Java add-ons in all browsers from the Java Control Panel.  This update also adds the Security Level slider, defaulted at “Medium (recommended)”.

Java Control Panel Security tab

Java 7 Update 11

Java 7 Update 11, released Sunday, January 13, 2013, looks like a rushed attempt to fix security.  It raises the Security Level to “High (recommended)” and, in IE, Firefox and Chrome, pops up a Security Warning.  This is good.  Safari does not pop up the security warning.  This is bad.

If you need Java, definitely update and keep updating.

Java Control Panel – Java 7 Update 11
Java pop-up Security Warning

More Java annoyances

Java has a confusing system for numbering its software, for example:  1.6.0_35 is called Java 6 Update 35 and 1.7.0_11 is called Java 7 Update 11.
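
An added example, not from the original post or from Oracle: Python code that turns the internal version string into the name described above and checks a deployment.properties file for the Java Control Panel's browser switch described earlier. It assumes the switch is stored under the key deployment.webjava.enabled and the slider under deployment.security.level; the function names and the sample file contents are constructed for illustration.

```python
import re

# Assumptions (not from the page): the Java Control Panel's browser switch is stored
# as deployment.webjava.enabled and the slider as deployment.security.level.
BASELINE = (7, 11)      # the page: Java 7 Update 11 is the fixed release (Jan 2013)
PANEL_SWITCH = (7, 10)  # the page: the Control Panel switch exists from 7 Update 10
_VERSION = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")

# Constructed sample of a deployment.properties file, for illustration only.
SAMPLE_PROPERTIES = """#deployment.properties (constructed sample)
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""

def parse_version(raw):
    """'1.7.0_11' -> (7, 11); '1.6.0' -> (6, 0)."""
    match = _VERSION.match(raw.strip().strip('"'))
    if not match:
        raise ValueError(f"not a 1.x.y_zz Java version string: {raw!r}")
    return int(match.group(1)), int(match.group(2) or 0)

def marketing_name(raw):
    major, update = parse_version(raw)
    return f"Java {major}" + (f" Update {update}" if update else "")

def parse_properties(text):
    """Read key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def audit(raw_version, properties_text=""):
    version = parse_version(raw_version)
    props = parse_properties(properties_text)
    switched_off = props.get("deployment.webjava.enabled", "true").lower() == "false"
    # Releases before 7 Update 10 have no such switch, so the key cannot be trusted.
    browser_enabled = not (switched_off and version >= PANEL_SWITCH)
    findings = []
    if version < BASELINE:
        findings.append(f"{marketing_name(raw_version)} is older than Java 7 Update 11")
    if browser_enabled:
        findings.append("Java content is enabled in browsers")
    return {"name": marketing_name(raw_version), "browser_enabled": browser_enabled,
            "security_level": props.get("deployment.security.level"),
            "findings": findings}

if __name__ == "__main__":
    for raw in ("1.6.0_35", "1.7.0_09", "1.7.0_11"):
        print(audit(raw, SAMPLE_PROPERTIES))
```

An empty findings list only means the version and the switch match what this page recommends; the browser test pages listed earlier remain the direct check.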

The Java installer and updater will try to sneak in third-party software like the Ask Toolbar or McAfee Security Scan.  Really Oracle, ya need the money?

Oracle recommends installing the browser Add-on from Ask
Oracle offers – McAfee Security Scan Plus
3 Billion Devices Run Java.  Scary.

Then the confusion between Java and JavaScript.  Java came first.  JavaScript later.  They have no connection.  Java is a security problem.  JavaScript not so much.

Uninstalling Java – Windows 7, Vista and XP

Windows 7

7, Start, Control Panel
7, Control Panel
7, Control Panel, All Control Panel Items
7, Control Panel, All Control Panel Items, Programs and Features

Vista

Vista, Start, Control Panel
Vista, Control Panel Home, Uninstall a program
Vista, Control Panel, Classic View, Programs and Features
Vista, Uninstall

XP

XP, Start, Control Panel
XP, Control Panel, Category View
XP, Control Panel, Classic View
XP, Add or Remove Programs

 Java

java.com


 

Be safe out there!

 
