How to turn off Java in your browser - and why you should do it now


IMPORTANT: The article below was written in August 2012, in response to a security scare involving Java.

Although that particular scare has now passed for users who have kept their Java installation updated (or disabled Java in their browser), the article below is still relevant as vulnerabilities continue to be found in Java, and exploited by malicious hackers.

Below, we explain how to disable Java in your browser - if you decide that is the best course of action for you.

For Windows users looking for an easier method please read about the new control panel option in Java 7 Update 10.
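That Java 7 Update 10 control panel checkbox is backed by a key in Java's per-user deployment.properties file, which can also be audited and set without the control panel. The script below is an added example, not code from this article or from Oracle: the key name deployment.webjava.enabled, its .locked companion and the default file locations are taken from Oracle's deployment-configuration documentation as I understand it and are assumptions about the installed version; the sample file contents are constructed.

```python
"""Audit and harden Java's per-user deployment.properties so that the browser
plugin stays off.  Added example, not from the original article or from Oracle."""
import os
import re
import sys
from pathlib import Path

# Key behind the Java 7u10+ control-panel checkbox "Enable Java content in the
# browser" (from Oracle's deployment-configuration docs; assumed to apply to the
# installed version).  The ".locked" companion key is Oracle's mechanism for
# stopping the Java Control Panel from overriding an administrator's value; it
# only takes effect in the system-level file named by deployment.config.
WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_KEY = WEBJAVA_KEY + ".locked"

# Documented default per-user locations for Java 7 (assumption: unchanged).
DEFAULT_PATHS = {
    "win32": Path(os.environ.get("USERPROFILE", "~")) / "AppData" / "LocalLow"
    / "Sun" / "Java" / "Deployment" / "deployment.properties",
    "darwin": Path("~/Library/Application Support/Oracle/Java/Deployment/"
                   "deployment.properties"),
    "linux": Path("~/.java/deployment/deployment.properties"),
}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash line continuations.  The last value wins
    when a key repeats, as in Java.  Escape sequences inside values are left
    as written, which is enough for a true/false flag."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]        # value continues on the next line
            continue
        key, value = line, ""
        for i, ch in enumerate(line):
            if ch in "=: \t" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:].lstrip(" \t=:")
                break
        props[key.strip()] = value.strip()
    return props


def webjava_enabled(props):
    """Java's default is enabled, so only an explicit 'false' turns it off."""
    return props.get(WEBJAVA_KEY, "true").lower() != "false"


def harden(text):
    """Return the file with web Java disabled and the setting locked.  Existing
    lines for the two keys are dropped so the result holds exactly one
    definition; every other line (comments, other settings) is kept in order."""
    kept = []
    for raw in text.splitlines():
        key = re.split(r"[=:\s]", raw.strip(), maxsplit=1)[0]
        if key not in (WEBJAVA_KEY, LOCK_KEY):
            kept.append(raw)
    kept.append(WEBJAVA_KEY + "=false")
    kept.append(LOCK_KEY)
    return "\n".join(kept) + "\n"


def audit_and_fix(path, write=False):
    """Return (file_found, web_java_enabled) for one deployment.properties;
    with write=True the file is rewritten in hardened form first."""
    path = Path(path).expanduser()
    if not path.exists():
        return (False, True)           # no file at all: Java's default applies
    text = path.read_text(encoding="latin-1")   # .properties files are ISO-8859-1
    enabled = webjava_enabled(parse_properties(text))
    if write:
        path.write_text(harden(text), encoding="latin-1")
    return (True, enabled)


# Constructed sample of a per-user file as the Java Control Panel writes it.
SAMPLE = """#deployment.properties
#Wed Aug 29 10:00:00 BST 2012
deployment.version=7.21
deployment.browser.path=C\\:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe
deployment.modified.timestamp=1346230800000
deployment.webjava.enabled=true
"""

if __name__ == "__main__":
    # usage: python harden_webjava.py [path] [--fix]
    args = [a for a in sys.argv[1:] if a != "--fix"]
    target = args[0] if args else DEFAULT_PATHS.get(sys.platform, DEFAULT_PATHS["linux"])
    found, enabled = audit_and_fix(target, write="--fix" in sys.argv)
    state = "ENABLED" if enabled else "disabled"
    print(f"{target}: {'file found, web Java ' + state if found else 'no file, web Java defaults to ENABLED'}")
```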

Do you still have Java turned on in your web browser?

If your answer is "Yes" or "I'm not sure" then it's time to take action.

Right now, cybercriminals are aware of, and actively exploiting, serious security flaws in Java that could lead to your computer becoming infected by malware.

And the worst news is that Oracle (who has known about the zero-day vulnerabilities since April) doesn't plan to issue a patch for the problem until October. (Update: Oracle has now issued a patch - but you should still consider whether you really want to run Java or not in your browser).

There will be many pointing fingers at Oracle and arguing that it has not taken the security flaws seriously, but the accusations that are bound to fly aren't actually going to help the millions and millions of vulnerable devices out there.

Those devices need a patch from Oracle - but as it may not be available for some time, the best advice I can give you is to disable Java.

Naked Security's Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:

So, what are you waiting for?

Isn't this just a storm in a teacup (or rather, a coffee cup)?

No, it isn't.

Time and time again we're seeing examples of cybercriminals exploiting flaws in Java to infect innocent users' computers.

For instance, earlier this year we saw more than 600,000 Macs infected by the Flashback malware because of a Java security flaw.

In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java - as it is so commonly installed, and has been frequently found to be lacking when it comes to security.

Cybercriminals also love Java because it is multi-platform - capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it's not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.

As the following video demonstrates, the bad guys have even created multi-platform Java malware which can hit your computer whether you are running Windows, Mac OS X or Linux.

Seriously though, stop reading this article now and check if you have disabled Java or not. Chances are that if you don't think that you need Java, you don't need it.

Even if you absolutely must use websites that require you to have Java installed, why not disable it in your main browser and have an alternative browser just for visiting that website?

What you need to do now is reduce the opportunities for attack. For most people that means disabling Java - and doing it now.

179 Responses to How to turn off Java in your browser - and why you should do it now

  1. Mike B · 733 days ago

    Or use Chrome which specifically asks you if you want to allow Java to run on any given website. All browsers should do this. And only allow it when you know you need it.

    • HP · 600 days ago

      Opera/FF have click-to-play feature. Opera specifically can disable/enable all plugins for any particular site. Firefox can achieve this by using NoScript.

      • Mick · 597 days ago

        Yup. Java was automatically disabled in my Firefox with a security warning attached.
        Opera however was still allowing Java to run.

    • I just wouldn't willingly allow Google to access my computer, so, no Chrome for me.

  2. John Harris · 733 days ago

    Okay, so Java is not the same as 'javascript.' Can you explain, in terms a non savvy computer person can understand what the difference is? I really have no idea what java does or how it will affect my computer when I disable it. After seeing your initial warning I came across an article in my local paper that carried a link to check if my system was in danger. The result was negative, perhaps because I'm using an older version (XP) on an older computer. But I am still concerned...which is why I follow naked security and share the articles.

    • Andrew Ludgate · 733 days ago

      Java is a cross-platform system for writing software that will run in the same way on everyone's computers.

      One variant of Java is the "applet" which is a lightweight application written in Java which runs inside your web browser -- essentially extending your web browser to become like any other piece of software you run on your computer. There are games written as Java applets, photo editing software, scientific analysis software, plant management software, and pretty much anything else that requires user interaction and can be written as a stand-alone piece of software written as Java applets.

      Software written for Java runs in a "virtual machine" that is a virtual computer inside your computer. However, it has methods of interacting with the rest of your computer, some of those methods intentional, some of them accidental. This allows software authors to escape the security restrictions of the web browser to do more application-like things on your computer.

      Other software is also written for Java that runs directly off your computer and doesn't use the web browser applet plugin. This software tends to behave just like any other software on your computer -- chances are, you've got something running on your computer using Java rather than another system to function under the hood. However, this runs outside your web browser, and has to follow the same rules as all other software.

      JavaScript is something completely different. It does not use the Java Virtual Machine, and so everything it does it does directly inside your web browser. It has to follow all the security restrictions set up for your browser.
      JavaScript is generally used for creating "application-like" interfaces in a web browser. It can draw elements to the screen, manage other elements of your browser (run print jobs, change window sizes, etc.) and even monitor your mouse and keyboard. It does not have direct access to the rest of your computer though, and is limited in functionality to what your web browser can already do.

      Disabling Java in your web browser just keeps your browser from running Java software embedded in a web page. After disabling Java, if you come across a page that has it embedded, you will instead see a message saying that the embedded item can't be run without installing Java, containing a link to download and install the plugin.

  3. Big Al · 733 days ago

    I agree with Denise. Many modern businesses operate business and database front-ends that operate entirely on Java-based virtual environments. I do NOT recommend disabling your java without considering effects to your existing systems. There was little reassurance in the article that the world would be a better place when you disable java.

    Shouting from the rooftops to turn off your java right now or the sky *might* fall -- not a good idea.

    Given the volume of exploits within Windows, you may as well write another article, "How to turn off your Windows computer - and why you should never turn it on again."

    • Andrew Ludgate · 733 days ago

      I disagree. Any general-purpose web browser used for unrestricted access to the Internet should not have the Java plugin enabled.

      If your business operates a DB front end that requires Java, for the security of your DB as well as the security of your computer, use a dedicated browser to access the front end. Otherwise, you not only run the risk of drive-by Java infections, you also run the risk of data corruption/exfiltration using Java exploits targeting your own back end system.

      The issue here is that there is a known, documented exploit that lets anyone hosting a web page (or sneaking code onto someone else's trusted web page) obtain full remote control of your computer. This exploit has been known since April, is actively being used by one of the most prevalent malware attack frameworks in use (Blackhole - http://en.wikipedia.org/wiki/Blackhole_exploit_ki... and is not slated to be fixed by Oracle until October.

      That essentially means that over the next month, if you spend any amount of time browsing the internet, there is a very likely chance that you will be exposed to this attack vector.

      The extended issue, as noted in the article, is that this isn't the first time this has happened via Java, and it's simple to mitigate: don't allow the Java plugin to load when you don't need it (most of the time). When using Java applets, do it intentionally, in a web browser configured to run the applets you're planning to run.

      The sky won't fall if you disable Java in your main browser; the biggest fallout may be that you need employee "retraining" to teach them to launch a separate program (alternate web browser instance) to run the Java software than they do to browse the Internet.

      • Fernando Hidalgo · 732 days ago

        I totally agree with the original comment. Don't use Windows! It has security "issues" and they did not fix it for ages and they do not plan to fix it.... ever!

        It simply looks like someone here does not like Java or maybe Oracle.

        The solution to choose when to run Java or not (Chrome) or to run a Java program from local is totally secure... Why did you not comment on it in the post?

        You should have issued a warning, not a propaganda against Java.

      • Tim · 595 days ago

        Just wanted to point out that if you ever spend as much as a second on the internet you are vulnerable to attack. That's it! It doesn't matter what you do, there is always something that can be exploited to get into your computer. Just because you chose to disable Java doesn't make you safe from the attacks. If you want to be certain that you are safe then you should never connect to the internet or any network that is connected to the internet. The most important thing people can do for safety's sake is to have 2 separate computers, one for all those important files that you want protected and one for the use of the internet. This is truly the only way to be 100% safe, because I don't care how good the hacker is, he can't get into a computer that is not connected to anything without physically holding your computer in his hands.

  4. Denise · 733 days ago

    You might like to tell those of us not particularly computer savvy what Java actually does so we can understand what we are disabling or, rather, what we will not be able to do if Java is disabled.

    • svcghost · 733 days ago

      Java is a programming language. On many websites there are "Java applets" integrated into web pages. These allow extended access to your computer's resources and allow more capabilities. Some popular uses of Java on the web are:
      1. To allow client programs to run without the need to install them on your computer.
      2. To display computation-intensive objects on a web page (e.g. a game, 3D image, etc.)
      3. To create and display cross-platform objects in an easy manner (Java is supported on a plethora of operating systems)

    • Graham Cluley · 733 days ago

      Java is both a programming language and a multi-platform development platform (in other words, running on Windows/Mac/Linux etc)

      You're most likely to need Java if you visit a website that has a Java applet embedded on it. So, if you disable Java there might be *some* websites that you can no longer use. If that's the case - follow the advice I give about disabling Java in your usual browser and keeping a different browser *just* for visiting any websites which require Java.

      The worst that will happen if you visit a website that contains a Java app and don't have Java enabled is you'll be presented with an error message. You can then decide for yourself if you wish to revisit the site with a Java-enabled browser.

      BTW, Java is a different thing from JavaScript. Unfortunately the names confuse a lot of folks.

  5. DallasCowboys FanforLife · 733 days ago

    Is this for all versions of Java or just 7?

    • Nigel · 732 days ago

      Actually, Oracle has just released a patch that includes a fix for a vulnerability in Java 6, so the previous warnings that stated Java 6 is OK weren't correct. Java 6 has vulnerabilities of its own. Even though Oracle has issued a patch, Java will continue to present a risk through new exploits, so it's best to disable it if you don't need it.

  6. Dave · 733 days ago

    Java (2 files) - Version: 10.6.2.24
    Next Generation Java Plug-in 10.6.2 for Mozilla browsers
    Name:Java(TM) Platform SE 7 U6
    Description:Next Generation Java Plug-in 10.6.2 for Mozilla browsers
    Version:10.6.2.24
    Location:C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
    Type:NPAPI
    Disable
    MIME types:
    MIME type                    Description     File extensions
    application/x-java-applet    Java Applet
    application/x-java-bean      JavaBeans
    application/x-java-vm
    application/x-java-applet;version=1.1.1
    application/x-java-bean;version=1.1.1
    application/x-java-applet;version=1.1
    application/x-java-bean;version=1.1
    application/x-java-applet;version=1.2
    application/x-java-bean;version=1.2
    application/x-java-applet;version=1.1.3
    application/x-java-bean;version=1.1.3
    application/x-java-applet;version=1.1.2
    application/x-java-bean;version=1.1.2
    application/x-java-applet;version=1.3
    application/x-java-bean;version=1.3
    application/x-java-applet;version=1.2.2
    application/x-java-bean;version=1.2.2
    application/x-java-applet;version=1.2.1
    application/x-java-bean;version=1.2.1
    application/x-java-applet;version=1.3.1
    application/x-java-bean;version=1.3.1
    application/x-java-applet;version=1.4
    application/x-java-bean;version=1.4
    application/x-java-applet;version=1.4.1
    application/x-java-bean;version=1.4.1
    application/x-java-applet;version=1.4.2
    application/x-java-bean;version=1.4.2
    application/x-java-applet;version=1.5
    application/x-java-bean;version=1.5
    application/x-java-applet;version=1.6
    application/x-java-bean;version=1.6
    application/x-java-applet;version=1.7
    application/x-java-bean;version=1.7
    application/x-java-applet;jpi-version=1.7.0_06
    application/x-java-bean;jpi-version=1.7.0_06
    application/x-java-vm-npruntime
    application/x-java-applet;deploy=10.6.2
    application/x-java-applet;javafx=2.2.0
    The above is what I found in my Chrome browser... the above seems to be for Mozilla browsers? Why is it in the plugins on my Chrome browser?

    • Andrew Ludgate · 733 days ago

      Mozilla was the original creator of the browser plugin API (actually, it was Netscape, but it was taken over by the Mozilla foundation). As such, for most web browsers, plugins are written to the Mozilla Plugin standard.

      If you're running Chrome, it has fairly decent plugin management by default, as does Safari -- they keep the Java plugin disabled by default and only load it if you need it. On Firefox, running NoScript with the setting to require a click on Java applets to load them does pretty much the same thing.

      If you don't actually visit websites that require the use of Java applets though, it's more secure to just remove the plugin -- Java itself is still on your computer, and any computer-based Java software will still run fine; it just can't be launched via a web browser.

      The same advice goes for Adobe Flash, of course (which is another plugin-based cross-platform way of delivering applets that is also heavily abused by malware authors).

      On my main browser, I find it best to run with NO plugins (of the Mozilla Plugin sort). I have a secondary browser I use when this is needed.

  7. Dave · 733 days ago

    Name:Java Deployment Toolkit 7.0.60.24
    Description:NPRuntime Script Plug-in Library for Java(TM) Deploy
    Version:10.6.2.24
    Location:C:\WINDOWS\system32\npDeployJava1.dll
    Type:NPAPI
    Disable
    MIME types:
    MIME type                    Description     File extensions
    application/java-deployment-toolkit

    I also have this as well. Which, if any, will affect Chrome? Which should I disable?

  8. Kathie · 733 days ago

    If this is so bad, why do I not see these warnings listed anywhere other than with Sophos? (And Ditto to Denise's comment!)

  9. Champ · 733 days ago

    I disabled it in Firefox and Chrome, didn't completely remove in case I ever need it. Thanks.

    • glenda jaye · 560 days ago

      I use both Firefox and Chrome (is that the same as Google?) Anyway... how do I disable it? Will I still be able to play my favorite game (Playdom - Garden of Time) if I disable it? We have 4 users on this computer - I didn't realize how vulnerable our computer was!

  10. robert burnell · 733 days ago

    i go to pogo.com daily n 3/4ers of the games still use java

    been using java since 1999

    i'm using XP Pro have 3 versions on computer

    java (TM) 6 update 26

    java (TM) 7 update 5

    javaFX 2.1.1

    i use chrome n mozilla firefox

    what should i do ???? just wondering

    • Throkk · 724 days ago

      Use the Noscript Firefox plugin and set it to block Java by default. Then only allow applets you trust- a whitelist.

    • Anonymous · 579 days ago

      Ignore the original post. There are far more problematic security issues built into all of Microsoft's products (especially Windows, whatever version). Additionally, approximately 65% of all web apps run on JAVA, because it is more stable, secure, functional, and reliable than any other language, not to mention you do not have to waste any money on Windows to use it!

  11. 13bc · 733 days ago

    What if you use the Java SDK for development? Really?

    • John · 733 days ago

      This is just to disable the browser plugin. Unless you're developing applets, you can still develop and run desktop applications without issues.

  12. Guru · 733 days ago

    Therefore I love the tor browser. No need to worry about any kind of plugins....:)

    • Throkk · 724 days ago

      Routing anonymously through TOR won't stop a malicious Java applet on a webpage you visit from delivering a payload of misery to your machine.

  13. John · 733 days ago

    Sun Microsystems was bought out by Oracle. All samey-same.

    While we're at it, why stop with Java... or with computer code? Let's all swear off of dihydrogen oxide lest we perish: it's explosively flammable when reduced to its constituent parts, causes untold physical damage worldwide when transformed from the liquid form into the solid and is guaranteed to cause death when consumed in quantities too great or too small. Clearly a manifest danger not unlike the one outlined here.

    • Rightowork · 598 days ago

      Yes, John, great idea (swear off H2O*). Since every great idea needs a brave "early adopter", and you would seem to want to "practice what you preach", we will all cheer (and watch) as you "boldly go forth" and live by your suggestion. We'll check back in a few months and see "how's that working for you". Meanwhile, the rest of us (most) will just turn off Java and live happily ever after.
      (* bet you thought you'd outsmart us using those fancy words like 'dihydrogen oxide' and we'd not know you were talking about water, ohhh-we, dat boy be smart).

    • SuperTech · 597 days ago

      And you can drown in it ! I totally agree, water is EVIL!

  14. bob · 733 days ago

    just use mozilla and get no script addon. It blocks all java on the webpage and you select which to allow.

    • Graham Cluley · 733 days ago

      Yes, although NoScript is principally known for controlling which websites you want to run JavaScript on - it can also be used to block Java (NoScript can whitelist websites which require access to the Java plugin)

      Of course, that puts the onus on the users to make an intelligent decision as to when to allow Java to run or not... a decision process that might be compromised by social engineering and trickery.

  15. Lou · 733 days ago

    I have a Java plug-in but it's from Sun Microsystems, Inc not from Oracle. Should I also turn this off?

    • Diana · 733 days ago

      ditto mine from sun also????

    • Andrew Ludgate · 733 days ago

      You probably should, as it is significantly out of date and has many other since-patched security vulnerabilities. It will not, however, be susceptible to the current 0-day exploit; just a bunch of older exploits.

      For some background, Oracle bought Sun Microsystems in 2009 and re-branded all updates of Java since then with the Oracle name. That means your version of Java hasn't had a security patch applied in at least three years -- during which we've seen a large number of exploits discovered that are still tested against in exploit attacks (as there are a lot of people who still use Java 3 through 6).

  16. Pardon me if this comment comes across as harsh. I don't intend it to be. What I'm trying to do is offer a practical perspective that perhaps isn't being considered.

    As someone who works in IT supporting three dozen or so small businesses, and having been in the industry for 2 decades, I find giving out blanket advice to "turn off Java" is just plain absurd, and is a symptom of the myopia of the computer-security field.

    I acknowledge Java is open to exploitation. I acknowledge there are risks in having it available. I acknowledge Oracle has done an abysmal job of maintaining it. I acknowledge all of that. I secondarily acknowledge that Sophos and other security pundits are correct to bring the issue to people's attention. Technically speaking, they are not wrong to tell people to "turn off Java."

    But in the real world, where real live computer users are trying to get their work done, this advice is impractical, if not impracticable. I can think of at least 4 clients that are required to use Java-powered apps at least once daily, and I can think of a few more that must use it periodically, as in, more than once a week. The advice to use an alternate browser just for those sites may sound good on paper, and it may even work for some of them, but it won't work for all of them.

    For example, one client gets documents electronically sent to them via a Java applet on a Web page. They know they're getting one when they're sent an email with a (very, very long) URL in it. Normally they click on it to open the site and get their file. Sure, they could copy the URL, open a second browser, and paste it in ... but when they have a million things to do and need the file quickly, are they going to remember all that?

    Too often the answer is no. One can argue this shouldn't be the case ... but people are what they are and they aren't going to magically change just because Sophos wants them to.

    The average computer user is not a computer expert. Most of them don't know what Java is. All they know is that turning it off, or using workarounds, makes their lives more difficult, if not impossible. They use their computers to get work done. Advice like this makes it harder for them to do so.

    Instead of laying this problem at the feet of computer users ... many of whom are not competent enough in computers to understand the issue ... let's instead lay it at the feet of those who are truly responsible: Oracle, which controls Java and is to blame for security weaknesses, and Web developers who choose to use Java in their products. There are a lot of Java-powered apps that probably could have been done using some other platform ... and they ought to use it instead. They should be encouraged to do so.

    Perhaps Sophos and other computer-security pundits could come up with some alternative to Java ... one that does the kinds of things Java does, but which is more secure and more frequently maintained. The problem of people running Java on their computers -- which, I repeat, IS a problem -- could be solved simply by making Java itself obsolete.

    Maybe Sophos could work on that, instead of giving out advice that cannot really be followed in every instance? Just a thought.

    P.S. I know some folks will read this and think, "Users too stupid or lazy to employ workarounds, deserve what they get if they're victimized by a Java exploit." If so, there's nothing more to be said, and Sophos shouldn't even have issued this advice; I mean, if people don't ALREADY know that Java is a security risk, then they ALREADY deserve what they get. The point of Sophos' anti-Java injunction is to help those people. What I am suggesting is that this injunction itself is not effective. A workable alternative to Java -- one that current Java developers could slide right into -- would be.

    • David H · 732 days ago

      This is much the same reaction I had to the article. Sophos is a business oriented security company, I would expect this type of nonsense from consumer oriented companies but Sophos should know better.

      Just to add on to the reasons the multiple browser idea is impractical, 90 percent of the users I support would not understand when to switch back and forth and would simply use the browser that always worked (the one with Java enabled).

    • RGServices · 594 days ago

      For 'someone who works in IT supporting... for 2 decades', you clearly show a lack of support for your customers. In this and every industry, Support is called on to provide technical/product knowledge AND workarounds!

    • Guest · 583 days ago

      Bravo! Well thought out, well expressed.

      We don't tell people who drive car X that has bad brakes to use the emergency brake when going down hill. Or to pump the brakes when encountering situation Y, do we? No. That would require the car's USER to have to know how the braking system worked. Then, once knowing that, how the drive train worked. Then the engine. Then the cooling system ....

      No. The manufacturer FIXES the problem!

      My argument is not as erudite, but I think the average user will get the points. 1. We should not expect users to understand the workings of the equipment. (Of course, they should take reasonable precautions, perhaps talk to their mechanic, not race downhill at 90 MPH.) :-)
      2. We should expect the manufacturers' to fix their products.

      Having said that, I think most, even including the dread M$ are all doing the best they can. Of course, that may not be saying much ....

    • anonymous · 579 days ago

      Java will never be obsolete because it is superior to the other options and gives you function that is unavailable with other options. Besides, real IT people know better than this drivel.
      Under your "they do not maintain and fix their product" diatribe all Microsoft products should have been obsoleted before they were even released.
      I would agree that Oracle has done an abysmal job of maintaining Java when compared to Sun, but when compared to the other development packages... not so much. There are security issues with them all, but far fewer exploits in Java than there are in, say, .net or Windblows in general. The real answer is to use a quality antivirus package (not MS Essentials) with heuristics that will offer you great protection from most of these exploits (even zero-day). Keep in mind there are no perfect solutions, but there are way better ones than just turning off Java!

  17. Celia · 733 days ago

    Thanks for this -

    From 9:47 this morning, Microsoft Essentials quarantined 5 incidents of Backdoor Trojans. After reading the article, I removed Java plug-ins from the Mozilla browser and Java from Windows (couldn't access Chrome - it had stopped working). After a scan, MS Essentials found 4 Java (exploits?). A Portable Spybot scan revealed no malicious software.

    I got drunk.

    Thanks again . . .

  18. Marc Mengel · 733 days ago

    Folks should see: http://gnu.wildebeest.org/blog/mjw/2012/08/30/jav...
    if they've been running IcedTea instead of the Oracle Java plugins; they
    have an update to deal with this, today.

  19. Microman · 732 days ago

    The only time you will be vulnerable to an attack is by visiting websites that contain malicious code. Better options are to only visit known websites or install an addon that allows you to block/allow certain websites. Firefox has a great addon called NoScript for this purpose. Your article, despite being accurate, is scaremongering.

  20. MikeP · 732 days ago

    Not that 'simple'! Many on-line banking services require Java Runtime at least, so if you remove/disable that you can't use your banking services!
    Best advice is to have it available for when you need the banking system but not running when not needed otherwise. Fiddly to control and remember to turn JRE off again afterwards, but that's the price for convenience extracted by the nefarious who would snoop and/or invade our personal equipment and services.
    A cheque book account is so much safer!

  21. See Green · 732 days ago

    I'm running under Linux (ubuntu 12.04) and need java for various programs including remote monitoring software which uses a browser-based control panel. I disabled the java plug-in (in firefox 15.0) until there was either a fix or work-around available. However, upon setting the plug-in disabled, immediately a flurry of activity launched on my computer (I did a panic power-off so no time for forensics). This indicates that either I was already infected (possible but not likely due to the constant security on this computer), or that the plug-in disable (event) was itself "hooked" by malware. Post trauma analysis spotted a number of infected files. Thought I would mention this in case the act of disabling the plug-in causes any of you to become infected.

    Mozilla has posted an article regarding the java plug-in security issue: https://blog.mozilla.org/security/2012/08/28/prot...

  22. christinest64 · 732 days ago

    Do I need to do this on my Android tablet that has Trend Micro on it?

  23. Ralph Michael Wigzell · 732 days ago

    OK I removed all java off of my computer. I am going to mention that on their Facebook page (if they have one). How can they be so apathetic if this is such a big problem?

  24. Marcus · 731 days ago

    Will the browsers still work without Java? What should replace Java to keep things running smoothly.

  25. Yosemite Sam · 731 days ago

    Java is not required in your browser if you don't intend to run web applications that need it (some outdated bank services). Plugins are yesterday, not safe most of the time, and there are more native ways that won't ask for any plugins. My bank doesn't require Java, or any plugin, and it just works. So ask yourself if you're going to trust a so-called "safe" service that will involve a plugin. Nevertheless, if you can't do without Java and don't want to upgrade to a safer online service, it's your call.

  26. trekeyus · 729 days ago

    better yet just use no script and set it to block java and flash on sites by default and only enable the applets you must. when in doubt leave it blocked.

  27. koshvorlon · 725 days ago

    As far as I know, if you have an OS that supports Group Policy, you can use group policy to disable Java or prompt for Java (which may make things far simpler for switching back and forth - off unless needed or deny unless certain - if you MUST have Java in certain situations - and I'm not only talking about online banks, but those working from home who must login remotely to a work enterprise domain system or using BluRay HD video where Java is often mandatory). Start here http://support.microsoft.com/kb/2751647 and then proceed to the Group policy link for further details.

    And, if you have no choice but to use Java sometimes, I recommend the free Secunia PSI to help you keep Java updated.

  28. Christopher Lawless · 714 days ago

    Isn't this really only a problem for people that click the link to win an iPad?

  29. Derek Forbes Sooman · 714 days ago

    I am a Java developer. Java is mainly a server-side technology, not a client-side one like JavaScript mainly is. If I can make your browser run Java stuff I can make it do all sorts of naughty things, believe me.

  30. Mike Baptiste · 714 days ago

    Or use Chrome which specifically asks you if you want to allow Java to run on any given website. All browsers should do this. And only allow it when you know you need it.

  31. Jeremy Matchet · 714 days ago

    @Christopher No, it could be that a normal site has some sort of iframe inserted into it which could initiate a Java based virus. If you do need Java then use it on your secondary browser(s) and only for sites that it is required for.

  32. Maggie Lukes · 714 days ago

    What if I use a site which does use Java?

  33. Patty Bartlett · 714 days ago

    Ha! I use Firefox and went to check to make sure it was disabled. Firefox had already flagged it as "known to cause security risks" and disabled it. Awesome. Love Firefox!

  34. Kir Kah · 714 days ago

    How do I even find out IF I have it?????

  35. Patty Bartlett · 714 days ago

    Well Maggie, if you read previous comments, or even the ARTICLE...it will tell you.

  36. Barry Chick · 714 days ago

    Assume Apple Macs are immune from these flaws?

  37. Keith L. Merritt · 714 days ago

    This is of concern to me, but I have a dilemma. My company runs Oracle, and to run Oracle, Java is an important plug-in; otherwise I can't access my company's website to be able to do work from home. So how do I get around it?

  38. Trish Ladd · 714 days ago

    I still need Java on my computer to run a specific program, so I'm not removing it from Windows altogether -- however, I discovered that Firefox had already disabled the main Java platform plugin for me. Nice. :)

  39. Fran MakuchWilliams · 714 days ago

    Is this from Snopes too? Is it true?

  40. Linda C. Makela · 714 days ago

    Thanx! Disabled in Safari.

  41. Sherri Dollaway Schroeder · 714 days ago

    Take it off. Firefox had me disable both yesterday and told me to update to the newer version, which I just disabled.

  42. Anastasia Zakar · 714 days ago

    @ Jeff Sparkes Yeah but Chrome crashes if you look at it wrong!

  43. Suzy Hoople · 714 days ago

    I tried to uninstall 2 Java updates in Windows 7 and get a message saying something like 'verify the log program exists and is writable'. Please advise :)

  44. Dirk Sohler · 714 days ago

    I don't even have the Java plugin installed. I don't use a single web page that needs it. And I hope Flash will die soon!

  45. Jeff Sparkes · 714 days ago

    Hmm... I took Java off and it seems (fingers crossed) that a few websites that got stuck, where I had to wait a while for them to work again, are working properly now.

  46. Richard Anderson · 714 days ago

    Do this ASAP!

  47. Eye Tea · 714 days ago

    Apple Macs are NOT immune to Java-isms. It's a cross-platform language, and I stopped letting Apple put it on my Mac from CD/update a long time ago because in the entire history of the web, I've only 'needed' Java a half-dozen times. Uninstall or delete it from your version of OS X and refuse software updates for it, as well as disabling it in browsers. If anybody knows of a Java applet worth running, I'd be interested in their argument, but I don't expect to agree. Java? Strictly '96.

  48. Jade Stone · 714 days ago

    Java is used to present games on your screen, mostly. Like Pogo.com uses it. Some FB & Twitter games.

  49. Lori DeGrado-Elgin Carlson · 714 days ago

    DO IT!

  50. Paul Ogburn · 714 days ago

    <~~~ uses Chromium... doesn't need to

  51. April Stephens · 714 days ago

    Really? You're asking if this is from SNOPES? Naked Security's word for it isn't enough when their sole purpose is, oh, I don't know, SECURITY? Oh boy.

  52. Elizabeth Platt Hamblin · 714 days ago

    Done. I wasn't even aware it was enabled; apparently, "enable Java" is a default in OS X Snow Leopard.

  53. DallasCowboys FanforLife · 714 days ago

    Sophos is a reputable security vendor - I'd listen to them, especially if you have no AV, firewall or other security measures in place!

  54. Eye Tea · 714 days ago

    Hasten to add that Java was a great development by Oracle, but its time never quite happened, at least for end-users of proprietary operating systems. It did of course rather kick off the 'open source' idea and was a generous gift by Oracle, but it's all risk and no benefits in 2012.

  55. Jake Wilson · 714 days ago

    My old PC started uploading viruses via Java 'updates' without me clicking anything. I haven't trusted Java since and will happily remove it.

  56. Edie Hippern · 714 days ago

    Done. Thanks for the info and the insight from the commenters.

  57. Eye Tea · 714 days ago

    As someone said above, it's a server-side technology, which means, in effect, that when you enable it, you say 'yes' to external control, and that's why hackers love it. It's a 'blank cheque'.

  58. Marcia McCleskey · 714 days ago

    My Java is v6 update 31. Should I still uninstall? I don't normally trust the updates, and I particularly hate that Java (and Adobe) ALWAYS has some sort of updates.

  59. Beti Spencer · 714 days ago

    But I need Java to play games on Facebook and Yahoo.

  60. Heidi Bjørgum · 714 days ago

    It's the 7 version that's the big issue now, I think....

  61. Linda Stone · 714 days ago

    I am trying to uninstall and I keep getting a warning 'Unidentified Program wants access to your computer' CANCEL or ALLOW. By cancelling I am unable to install. Any help?

  62. Andrea Jaffrey · 714 days ago

    Do I really have to edit the registry? That seems extreme. And will you let us know when we can reinstall?

  63. Linda Stone · 714 days ago

    *uninstall

  64. Heidi Bjørgum · 714 days ago

    You need to allow for install

  65. David H. Ampton · 714 days ago

    The Internet Storm Center's comments on this matter suggest that using 1.6 is advisable if you MUST use Java for some reasons. But opinion there was divided on this step as an actual security measure. What say you, Sophos?

  66. Heidi Bjørgum · 714 days ago

    Or uninstall

  67. Denise Peoples · 714 days ago

    I too am having trouble uninstalling Java. I keep getting a warning 'Unidentified Program wants access to your computer' CANCEL or ALLOW. By cancelling I am unable to uninstall. Any help would be appreciated. If I click on allow the box goes away and uninstall stops. Either way I can't get rid of it.

  68. Carmen Dalziel · 714 days ago

    PLEASE ADVISE US on what to do when we receive these type of messages when trying to uninstall.

  69. Rubicante Van Dyne · 714 days ago

    Give Revo Uninstaller a try.

  70. Linda Goulding · 714 days ago

    Beti Spencer, I play games too. I thought I would not be able to play if I uninstalled it, but I have taken the advice and done so. I am still able to play the games :)

  71. Mike Wiley · 714 days ago

    Been disabled for a long time now....

  72. Bob Morton · 714 days ago

    I have two sites, one essential (a medical site that REQUIRES IE and JAVA), another (NOAA weather radar) that is very handy and uses Java. How do I handle this?

  73. Bob Morton · 714 days ago

    Re prev comment that Chrome always asks to use Java. Just tested. It did not.

  74. Cabers Cabers Cabers · 714 days ago

    Most people don't use it but do use Adobe Flash Player, and in the use agreement it allows people to access their device legally.

  75. Marianne Brak · 714 days ago

    What about Java FX 2.1.1???? I uninstalled several updates like 5, 6, and 7.

  76. Patti Corbitt · 714 days ago

    Done!!

  77. Bob Morton · 714 days ago

    Found Java 6 at the following link, but it does not have the MANY security patches in it. How can I get those?
    http://www.oracle.com/technetwork/java/archive-139210.html

  78. Kansas Field Allen · 714 days ago

    I use NoScript and can selectively disable/enable java on individual webpages. http://noscript.net/

  79. Jacki Tigg Mathis · 714 days ago

    Done, and thank you very much.

  80. Debbie Kearns · 714 days ago

    I already disabled Java add-ons in Internet Explorer 8. :)

  81. Peta Al Rais · 714 days ago

    Thank you for the info-done.

  82. Linda Smith · 714 days ago

    TY...done...

  83. Glenn Primm · 714 days ago

    There's a new version out already (v.6) . I think this website's post is slightly behind the curve.

  84. Sheila Foster · 714 days ago

    that "new" version 6 is old. I had version 7

  85. Tammy Price · 714 days ago

    Mmmm, do I wanna uninstall or just disable???

  86. Donna Jorgensen Slutiak · 714 days ago

    Does this apply only if you are using an Oracle app?

  87. Amy Dunn · 714 days ago

    Thanks I didn't know.

  88. Han Rui · 714 days ago

    I am very happy with this vulnerability.

  89. Jesper Poulsen · 714 days ago

    Bob Morton - Use Java in a Virtual Machine.

  90. Jesper Poulsen · 714 days ago

    Sharon Pilkington - That's not true. Java can be fully removed on any OS.

    Most people will never use Java.

  91. Lovelylady Peavey · 714 days ago

    Well, I uninstalled all mine & my browser seems to be faster. If FB games need Java then I don't need FB games, ijs.

  92. Chris Oike · 714 days ago

    Thanks Kansas!

  93. Laurinda Beal · 714 days ago

    thanks Kans!

  94. Ivan Marinovski · 714 days ago

    Oracle, are you asleep? I hear zzzzzzz

  95. Annie-claude Tammam · 714 days ago

    Done.

  96. Jesus Manuel Castillo · 714 days ago

    People, this affects only version 7, not version 6.

  97. Søren Kring · 714 days ago

    So that's goodbye to NemUDU and web banking :(

  98. Laary Cemel · 714 days ago

    Thank you, Sophos!

  99. Kim Maree · 714 days ago

    ..thx for the heads up! :)

  100. Alan Harrison · 714 days ago

    @Jesus: that's true but version 6 has flaws in it too! There is currently NO SAFE VERSION!

  101. Simon Warren · 714 days ago

    Bloody Java, and like Flash, it's used everywhere.

  102. Scott Kuli · 714 days ago

    Just disabled it. Thanks Sophos.

  103. Teresa Sims · 714 days ago

    My computer will not delete it. Now what?

  104. Jesus Manuel Castillo · 714 days ago
  105. Bob Davidson · 714 days ago

    Thanks Sophos.

  106. Russell Brodie Croucher · 714 days ago

    So... if I'm running Mac OS 10.8.1 and Chrome 21.0.1180.82 should I still disable Java or not bother?

  107. Kathy Sholar Tucker · 714 days ago

    Thanks

  108. Alan Harrison · 714 days ago

    Guys, there's now an emergency patch from Oracle. Go to java.com and get it.

  109. Alan Harrison · 714 days ago

    @Suzette Comodo is a firewall, you don't do anything with that. Disable java in your browser or uninstall in Control Panel. Or get the new patch.

  110. Kimberley Brown · 714 days ago

    Naked Security from Sophos Computer novice. I uninstalled Java, but do I want to uninstall the JavaFX 2.1.1 as well? (Not sure what that is...)

  111. gouchout · 600 days ago

    I've got the IcedTea plugin - is it only Oracle Java that's got the vuln?

    • Chester Wisniewski · 598 days ago

      It isn't listed in the CVE, so I think you are safe.

      • sillyme · 597 days ago

        I use Ubuntu Linux OS with the IcedTea plug-in too. I'm computer illiterate. It says it executes Java applets. Since it has the word Java in the description, that makes me nervous. Should I be?

  112. Paul · 598 days ago

    It's important for people to realize this is a Java-in-the-browser issue. It's still safe to program with Java on the server. In the browser, you're allowing someone to run arbitrary code in a security sandbox that has been *broken* at times. On the server, you're not allowing your site's visitors to run arbitrary code. Java is also fine for desktop programs.... If you install a program, they already have access to your computer anyways..... Just keep it disabled in the browser. Java is still a good programming language.

    Oracle needs to quit pushing people to install the browser plug-in since 99% of people don't need it and that's where the main security issues have been.

  113. rob · 598 days ago

    I went to Control Panel/Programs, etc.... clicked on Java and tried to uninstall. It won't uninstall. Any ideas?

  114. Julie · 598 days ago

    This really concerns me as I work from home and Java v6 is required for one of our applications. Any recommendations as to what I could/should do?

    • Chester Wisniewski · 598 days ago

      If it is a browser application you can disable Java in your primary browser and leave it enabled in a different one (Firefox, Chrome, IE) just to use your work application.

      If it is a Java program then you can just disable Java Web Start in your browsers, as the vulnerability only affects Java browser applets.

      This comment is in reference to CVE-2013-0422

  115. Jim · 598 days ago

    The Java JRE is bloated and open to exploitation. It, along with MS .Net, allows modern programmers to be lazy. On a Windows XP machine, these installations are often larger than the OS itself!

  116. Robert Smith · 598 days ago

    When I go to delete Java from my Programs and Features, the only prompt that comes up is 'will you allow this program to update and make changes on your hard drive'. Well, I don't, so how do I delete it?

    • Chester Wisniewski · 598 days ago

      You have to approve the uninstaller to have administrative privileges to do the removal. I believe you are describing a Windows 7/Vista UAC prompt. You need to say yes.

  117. rubble · 598 days ago

    All of this input and not a single one tells how to disable Java. Much less how to do it and still be able to turn it back on. Jeez.

    • cow-bouy · 598 days ago

      There are numerous references that describe various ways; this is not exactly one size fits all, since you can disable Java for all browsers at once, OR you can disable Java at the browser level, preferable (probably) if you only use one browser, likely IE.
      But I have found the PC Magazine site informative to answer your question:
      http://www.pcmag.com/article2/0,2817,2414191,00.a...
      Hope this is helpful.

  118. PaKue · 598 days ago

    Following the instructions RE the Chrome browser on my Nexus 7 gets me an "error 300" message that the web page is not available. This happens using both the //plugins and the //settings/content options.

    How can I find out if Java is running through Chrome on my tablet? And how do I get to a functioning option to disable it?

    • Chester Wisniewski · 598 days ago

      Android does not have a JRE connected into any of its browsers. Android devices are not vulnerable.

  119. Waseem Akram · 597 days ago

    Can you plz tell me what I should do now? I am using a website for online learning and now I can't open my exercises as the Java plugin is blocked. I am using Firefox 18 and Internet Explorer. I am really very worried.

  120. judiantonelli · 597 days ago

    I use Java for my game sites, i.e. Pogo, American Cribbage, etc., and now in Chrome, even though I have current Java, Chrome keeps saying I don't have it and need the plug-in. I am so frustrated with this. I have uninstalled Chrome and uninstalled Java, I have used so many suggestions on blogs, and I am still unable to get into these sites... Any other suggestions, or is there something other than Java I can use?

  121. Dan Cervo, Sr · 597 days ago

    If anyone is interested, I just posted instructions on how to set up Java Security on your computers.
    http://www.fcsnj.com/java_security.htm

  122. xorinzor · 597 days ago

    Not sure about this, but Chrome uses a built-in VM from where Java is executed; doesn't this protect you from these malware infections?

  123. Dana Ruff · 597 days ago

    I myself only use my PS3 to go on the internet. I don't think that this will affect my OS even though it does run Java 9.

  124. Mick · 597 days ago

    Huh?????

    Completely doesn't make sense:

    "Even if you absolutely must use websites that require you to have Java installed, why not disable it in your main browser and have an alternative browser just for visiting that website?"

    Surely, if you disable Java in one browser, but enable it in another on the self same machine you're still at risk from the threat.

    It's like saying "Keep your front door locked to stop burglars getting in, but it's safe to leave your back door open".

    • Liz · 596 days ago

      Maybe this will help you understand:

      They're saying you should disable it in your main browser, so that Java-based stuff doesn't come up on all websites that have it. This keeps you safer while browsing.

      But, if there are sites you need to visit that use Java, visit these and only these in a second browser. This way, those are the only sites where Java will work and they should be trusted sites.

      My two cents:

      You could just not worry about it and not visit untrustworthy sites, like smart people.

      • ngyikp · 594 days ago

        Legit websites get hacked too.
        THAT'S the real scary part of this vulnerability. You can get infected by just visiting a hacked legitimate blog.

  125. ElleZ · 596 days ago

    I have two Java programs in my computer when I checked:
    Java 7 Update 9
    JavaFX 2.1.1

    Also I have Java 32-bit in my computer.

    Should I remove all these 3?

    Thanks! I appreciate the answer.

    • Bob · 595 days ago

      I suggest you do, because when I uninstalled Java from one application it reinstalled it with an update that was for another application. However, I am not a professional, so don't take this advice too seriously.

  126. Mel · 596 days ago

    So is this dangerous with Java Runtime Environment, or Java code, or Java applets, or Java plugins, or Java SE or JDK? And is it really safe to take advice from random posts saying 'oh, do this, it's safe'? Java is a mess. Truth is, the safest bet is to uninstall all Java and, if there is something you need that then does not work, demand the provider provide a non-Java way of providing their product or service, and if they don't then ditch them.

  127. none · 595 days ago

    Absolutely do not remove JavaScript/Java.
    Use NoScript with Firefox/Iceweasel/Chrome/Mozilla-based browsers.
    You allow pages that need Java or Flash (which also has webpage setup and lots of updates due to vulnerabilities), like YouTube and banking etc. If you do not need Java or Flash on a page, leave it blocked. I leave NoScript to always deny and right-click the crossed-out red circle at the bottom of the browser to allow/disallow a page... whitelist/blacklist. You can save settings and white/blacklists and import/export as well. Drive-by attacks are 100% null now... no need to uninstall. You can cruise porn sites, hack sites, warez sites and YouTube with cockiness now.

    You only need one Java version; updates do not remove old ones.
    Use JavaRA to clean old installs and updates, and to check for updates etc.

    Set Java options via the webpage.... many folks do not know about the Java options. Set it up to not access camera and microphone, and leave Sun/Oracle to check for updates daily or weekly so vulnerabilities can be patched quickly.
    There are tons of sites on how to secure Java via its webpage options. Same with Flash options; no need to disable Flash too for folks who read that scare-tactic article by an unknown PC security expert telling you Flash should be disabled because of all the vulnerabilities.... Flash updates just as frequently as Java.... what, like every hour! Kidding, but it updates often as vulnerabilities and exploits are found.

    Google "how to secure your browsing" and "how to secure your pc"; the dslreports forums /security is a great place to start... read the FAQs at the top of each forum.

  128. cbj · 594 days ago

    I just got an update for Java. Could it be a repair for this problem? I haven't downloaded it yet.

  129. bdt · 592 days ago

    I just updated with 7.11. Is that safe?

  130. Judy · 591 days ago

    I just received an icon to update my Java. Should I do this?

  131. mylogon · 584 days ago

    Strange that not one person has said that a good antivirus ALSO catches these exploits BEFORE they are downloaded onto your machine. Why would a security company that sells such a product not even say that?

    There are far more exploits out there than to simply worry about one portion of good security - Java management. Some of these people that have not updated their Java in years have probably not updated the rest of their system either! No one has mentioned all the Flash exploits, the Adobe Air exploits, etc., etc.

    Good protection starts with the OS, and continues through every program. How many old DLLs have exploits? Plenty. Even drivers can have them.

  132. I think you meant to write that your anti-virus *might* stop it.

    It's always possible that you could be one of the unlucky sods who gets hit by an attack *before* the anti-virus software vendors have been able to add detection of it - and as it could be based upon a zero-day vulnerability their proactive protection may not pick it up either.

  133. Anonymous · 579 days ago

    There are far greater risks with ".net" code. This is just anti Java (opensource) drivel!

  134. Confuzed · 571 days ago

    Is the iPlayer now off limits as it needs Java? Or is this seen as a safe site?

    • Chester Wisniewski · 571 days ago

      iPlayer uses JavaScript, not Java. See Duck's article explaining the difference here: http://nakedsecurity.sophos.com/2013/01/16/java-i...

      • Confuzed · 570 days ago

        Thanks Chester,

        I'm not so Confuzed now.

        I have disabled Java from the browser plug-ins area & enabled JavaScript through the content settings page of the browser.
        Hope I've got it right now; at least the iPlayer is running again..

        Thanks again for your help.

  135. Anuj Patel · 556 days ago

    You make such an ignorant fuss about this.

    If you are REALLY interested in security, then turn OFF Microsoft Windows.

    Bah!

  136. Carl Quartermain · 531 days ago

    Doesn't Buffer need JavaScript to function? I found this thread because I keep getting this message on Chrome:

    "Oh Pants!
    It looks like you have JavaScript disabled. You'll need to turn that on to use the Buffer web app - trust us, it's totally worth it!"

    Yet when I check it is enabled. Anyway this is a different problem.

    I have had "websearch" on all my profiles that took ages to get rid of. Now I know where it comes through. Thanks

  137. I received messages that my browser was outdated and had to update my Java, so of course I did... totally crapped up my PC with malware. Fortunately I was able to do a system restore to get it working again.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.