IMPORTANT: The article below was written in August 2012, in response to a security scare involving Java.
Although that particular scare has now passed for users who have kept their Java installation updated (or disabled Java in their browser), the article below is still relevant as vulnerabilities continue to be found in Java, and exploited by malicious hackers.
Below, we explain how to disable Java in your browser – if you decide that is the best course of action for you.
For Windows users looking for an easier method please read about the new control panel option in Java 7 Update 10.
Do you still have Java turned on in your web browser?
If your answer is “Yes” or “I’m not sure” then it’s time to take action.
Right now, cybercriminals are aware of, and actively exploiting, serious security flaws in Java that could lead to your computer becoming infected by malware.
And the worst news is that Oracle (who has known about the zero-day vulnerabilities since April) doesn’t plan to issue a patch for the problem until October. (Update: Oracle has now issued a patch – but you should still consider whether you really want to run Java or not in your browser).
There will be many pointing fingers at Oracle and arguing that it has not taken the security flaws seriously, but the accusations that are bound to fly aren’t actually going to help the millions and millions of vulnerable devices out there.
Those devices need a patch from Oracle – but as it may not be available for some time, the best advice I can give you is to disable Java.
Naked Security’s Chet Wisniewski has put together simple instructions for users of the most popular browsers, explaining how Java can be disabled:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
So, what are you waiting for?
Isn’t this just a storm in a teacup (or rather, a coffee cup)?
No, it isn’t.
Time and time again we’re seeing examples of cybercriminals exploiting flaws in Java to infect innocent users’ computers.
For instance, earlier this year we saw more than 600,000 Macs infected by the Flashback malware because of a Java security flaw.
In fact, it has become increasingly common to see malware authors exploiting vulnerabilities in Java – as it is so commonly installed, and has been frequently found to be lacking when it comes to security.
Cybercriminals also love Java because it is multi-platform – capable of running on computers regardless of whether they are running Windows, Mac OS X or Linux. As a result it’s not unusual for us to see malicious hackers use Java as an integral part of their attack before serving up an OS-specific payload.
As the following video demonstrates, the bad guys have even created multi-platform Java malware which can hit your computer whether you are running Windows, Mac OS X or Linux.
Seriously though, stop reading this article now and check if you have disabled Java or not. Chances are that if you don’t think that you need Java, you don’t need it.
Even if you absolutely must use websites that require you to have Java installed, why not disable it in your main browser and have an alternative browser just for visiting that website?
What you need to do now is reduce the opportunities for attack. For most people that means disabling Java – and doing it now.
Or use Chrome which specifically asks you if you want to allow Java to run on any given website. All browsers should do this. And only allow it when you know you need it.
Opera/FF have a click-to-play feature. Opera specifically can disable/enable all plugins for any particular site. Firefox can achieve this by using NoScript.
Yup. Java was automatically disabled in my Firefox with a security warning attached.
Opera however was still allowing Java to run.
I just wouldn't willingly allow Google to access my computer, so, no Chrome for me.
IT DOES NOT! I paid for a year of Pogo, and for 6 months I have not been able to use the JAVA games I paid for! I am not a happy camper.
I had the same problem with Pogo, so whenever I want to play, I use Internet Explorer. It’s easy to just click from Mozilla to Explorer. I have to say that I am also considering uninstalling FF. If it doesn’t support Java, which is used in everything that has any sort of computer in it, why would I use FF?
Firefox asks if we want to allow Java, too, even when it is already enabled, quite an irritation!!!!! I am not afraid of Java, I have never been infected for use of Java. Once I learned how to use the internet and my PC, infections stopped happening. It is the foolish manner in which people visit websites, not Java. Java is definitely NOT the reason people incessantly become infected with malware. I have been online for several years now, using Java in my browser for games and other functions and have had no problem whatsoever. I don’t visit suspicious websites nor do I EVER download anything I am not fully educated about.
Okay, so Java is not the same as 'javascript.' Can you explain, in terms a non savvy computer person can understand what the difference is? I really have no idea what java does or how it will affect my computer when I disable it. After seeing your initial warning I came across an article in my local paper that carried a link to check if my system was in danger. The result was negative, perhaps because I'm using an older version (XP) on an older computer. But I am still concerned…which is why I follow naked security and share the articles.
Java is a cross-platform system for writing software that will run in the same way on everyone's computers.
One variant of Java is the "applet" which is a lightweight application written in Java which runs inside your web browser — essentially extending your web browser to become like any other piece of software you run on your computer. There are games written as Java applets, photo editing software, scientific analysis software, plant management software, and pretty much anything else that requires user interaction and can be written as a stand-alone piece of software written as Java applets.
Software written for Java runs in a "virtual machine" that is a virtual computer inside your computer. However, it has methods of interacting with the rest of your computer, some of those methods intentional, some of them accidental. This allows software authors to escape the security restrictions of the web browser to do more application-like things on your computer.
Other software is also written for Java that runs directly off your computer and doesn't use the web browser applet plugin. This software tends to behave just like any other software on your computer — chances are, you've got something running on your computer using Java rather than another system to function under the hood. However, this runs outside your web browser, and has to follow the same rules as all other software.
JavaScript is something completely different. It does not use the Java Virtual Machine, and so everything it does it does directly inside your web browser. It has to follow all the security restrictions set up for your browser.
JavaScript is generally used for creating "application-like" interfaces in a web browser. It can draw elements to the screen, manage other elements of your browser (run print jobs, change window sizes, etc.) and even monitor your mouse and keyboard. It does not have direct access to the rest of your computer though, and is limited in functionality to what your web browser can already do.
Disabling Java in your web browser just keeps your browser from running Java software embedded in a web page. After disabling Java, if you come across a page that has it embedded, you will instead see a message saying that the embedded item can't be run without installing Java, containing a link to download and install the plugin.
Funny that no one seems to want to answer a simple question by those who are not computer savvy, which most people are not. How will not having Java affect us?? What types of things can we no longer do? Sounds like someone is after Java and wants to maybe put them out of business, so you’re making it sound far worse than what it is. After all, what would they benefit by not correcting the problem if there actually was one?
If you’re not computer savvy then the chances are that removing Java will have no effect on you.
However, it is ultimately a question that only you can answer for yourself. You may use computer programs that require Java to run or you may use websites that require Java to run (although there aren’t many of these left).
We don’t know what computer programs you have installed or what websites you visit so we can’t answer your question accurately.
The trouble with Java is not that there’s one problem but many—so many that it calls into question Java’s underlying design and implementation. The problems are not exaggerated.
If you enjoy certain games and game sites such as Pogo, it will affect you immensely. There is no real harm with Java, it is like EVERYTHING ELSE on the internet — it will hurt you ONLY if you do stupid things with it such as visiting suspicious websites and joining chat rooms with strangers.
I agree with Denise. Many modern businesses operate business and database front-ends that operate entirely on Java-based virtual environments. I do NOT recommend disabling your Java without considering effects to your existing systems. There was little reassurance in the article that the world would be a better place when you disable Java.
Shouting from the rooftops to turn off your java right now or the sky *might* fall — not a good idea.
Given the volume of exploits within Windows, you may as well write another article, "How to turn off your Windows computer – and why you should never turn it on again."
I disagree. Any general-purpose web browser used for unrestricted access to the Internet should not have the Java plugin enabled.
If your business operates a DB front end that requires Java, for the security of your DB as well as the security of your computer, use a dedicated browser to access the front end. Otherwise, you not only run the risk of drive-by Java infections, you also run the risk of data corruption/exfiltration using Java exploits targeting your own back end system.
The issue here is that there is a known, documented exploit that lets anyone hosting a web page (or sneaking code onto someone else's trusted web page) obtain full remote control of your computer. This exploit has been known since April, is actively being used by one of the most prevalent malware attack frameworks in use (Blackhole – http://en.wikipedia.org/wiki/Blackhole_exploit_ki…) and is not slated to be fixed by Oracle until October.
That essentially means that over the next month, if you spend any amount of time browsing the internet, there is a very likely chance that you will be exposed to this attack vector.
The extended issue, as noted in the article, is that this isn't the first time this has happened via Java, and it's simple to mitigate: don't allow the Java plugin to load when you don't need it (most of the time). When using Java applets, do it intentionally, in a web browser configured to run the applets you're planning to run.
The sky won't fall if you disable Java in your main browser; the biggest fallout may be that you need employee "retraining" to teach them to launch a separate program (alternate web browser instance) to run the Java software than they do to browse the Internet.
I totally agree with the original comment. Don’t use Windows! It has security “issues” and they did not fix it for ages and they do not plan to fix it…. ever!
It simply looks like someone here does not like Java or maybe Oracle.
The solution of choosing when to run Java or not (Chrome), or of running a Java program locally, is totally secure… Why did you not comment on it in the post?
You should have issued a warning, not propaganda against Java.
Just wanted to point out that if you ever spend as much as a second on the internet you are vulnerable to attack. That's it! It doesn't matter what you do, there is always something that can be exploited to get into your computer. Just because you chose to disable Java doesn't make you safe from the attacks. If you want to be certain that you are safe then you should never connect to the internet or any network that is connected to the internet. The most important thing people can do for safety's sake is to have 2 separate computers, one for all those important files that you want protected and one for the use of the internet. This is truly the only way to be 100% safe, because I don't care how good the hacker is, he can't get into a computer that is not connected to anything without physically holding your computer in his hands.
You CLEARLY don’t work in education where I have yet to find useful applets etc that do NOT use Java! Turning off Java has SERIOUSLY impeded the ability of many teachers to use VERY useful tools on the web because some IT hack panicked and locked every computer down!
I’ve had more problems with email viruses and NONE with Java…. yet no one is shutting down email! And I’d probably welcome that for a few hours.
I applaud the ‘IT hack’ who disabled Java on your computers. They’re doing a great job of keeping students and teachers safe. Safety has to come first, utility second.
You wouldn’t use text books that exposed children to harm just because they were useful.
There are known documented exploits with an overwhelming number of “research” reports coming straight from anti-virus vendors, and fed to the public as part of a wave of fear-tactic campaigns. Then the same anti-virus vendors buy advertising space on the same fear-spreading blogs and online publications to sell anti-virus to consumers scared out of their minds.
Now, can someone provide data from a known research group showing the number of consumers actually infected? Because based on my own research, there are more people posting nonsense articles with sensational headlines to scare the masses than there are consumers who actually got affected.
By affected, I mean you lose control of your computer, someone gained control of part of your system, or access to data you actually had non public, you have to bring your computer to repair… you know, the real thing, not the circus. There are traces of consumers having to fix their computers, so there must be data.
Where is the data?
You’re posting this more than 3 years after this article was posted, during which time Oracle adjusted Java so that the browser plugin is off by default. So, the crooks are neither trying nor succeeding so much with Java exploits any more.
As for your “known documented exploits” that are deliberately distributed by anti-virus vendors for unlawful marketing purposes…I think with a claim of that sort, you need to provide some evidence.
You might like to tell those of us not particularly computer savvy what Java actually does so we can understand what we are disabling or, rather, what we will not be able to do if Java is disabled.
Java is a programming language. On many websites there are "Java applets" integrated into web pages. These allow extended access to your computer's resources and allow more capabilities. Some popular uses of Java on the web are:
1. To allow client programs to run without the need to install them on your computer.
2. To display computation-intensive objects on a web page (e.g. a game, 3D image, etc.)
3. To create and display cross-platform objects in an easy manner (Java is supported on a plethora of operating systems)
Java is both a programming language and a multi-platform development platform (in other words, running on Windows/Mac/Linux etc)
You're most likely to need Java if you visit a website that has a Java applet embedded on it. So, if you disable Java there might be *some* websites that you can no longer use. If that's the case – follow the advice I give about disabling Java in your usual browser and keeping a different browser *just* for visiting any websites which require Java.
The worst that will happen if you visit a website that contains a Java app and don't have Java enabled is you'll be presented with an error message. You can then decide for yourself if you wish to revisit the site with a Java-enabled browser.
BTW, Java is a different thing from JavaScript. Unfortunately the names confuse a lot of folks.
Is this for all versions of Java or just 7?
Actually, Oracle has just released a patch that includes a fix for a vulnerability in Java 6, so the previous warnings that stated Java 6 is OK weren't correct. Java 6 has vulnerabilities of its own. Even though Oracle has issued a patch, Java will continue to present a risk through new exploits, so it's best to disable it if you don't need it.
Java (2 files) – Version: 10.6.2.24
Next Generation Java Plug-in 10.6.2 for Mozilla browsers
Name: Java(TM) Platform SE 7 U6
Description: Next Generation Java Plug-in 10.6.2 for Mozilla browsers
Version: 10.6.2.24
Location: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
Type: NPAPI
MIME types:
MIME type    Description    File extensions
application/x-java-applet    Java Applet
application/x-java-bean    JavaBeans
application/x-java-vm
application/x-java-applet;version=1.1.1
application/x-java-bean;version=1.1.1
application/x-java-applet;version=1.1
application/x-java-bean;version=1.1
application/x-java-applet;version=1.2
application/x-java-bean;version=1.2
application/x-java-applet;version=1.1.3
application/x-java-bean;version=1.1.3
application/x-java-applet;version=1.1.2
application/x-java-bean;version=1.1.2
application/x-java-applet;version=1.3
application/x-java-bean;version=1.3
application/x-java-applet;version=1.2.2
application/x-java-bean;version=1.2.2
application/x-java-applet;version=1.2.1
application/x-java-bean;version=1.2.1
application/x-java-applet;version=1.3.1
application/x-java-bean;version=1.3.1
application/x-java-applet;version=1.4
application/x-java-bean;version=1.4
application/x-java-applet;version=1.4.1
application/x-java-bean;version=1.4.1
application/x-java-applet;version=1.4.2
application/x-java-bean;version=1.4.2
application/x-java-applet;version=1.5
application/x-java-bean;version=1.5
application/x-java-applet;version=1.6
application/x-java-bean;version=1.6
application/x-java-applet;version=1.7
application/x-java-bean;version=1.7
application/x-java-applet;jpi-version=1.7.0_06
application/x-java-bean;jpi-version=1.7.0_06
application/x-java-vm-npruntime
application/x-java-applet;deploy=10.6.2
application/x-java-applet;javafx=2.2.0
The above is what I found in my Chrome browser. The above seems to be for Mozilla browsers…..? Why is it in the plugins on my Chrome browser..???
Mozilla was the original creator of the browser plugin API (actually, it was Netscape, but it was taken over by the Mozilla foundation). As such, for most web browsers, plugins are written to the Mozilla Plugin standard.
If you're running Chrome, it has fairly decent plugin management by default, as does Safari — they keep the Java plugin disabled by default and only load it if you need it. On Firefox, running NoScript with the setting to require a click on Java applets to load them does pretty much the same thing.
If you don't actually visit websites that require the use of Java applets though, it's more secure to just remove the plugin — Java itself is still on your computer, and any computer-based Java software will still run fine; it just can't be launched via a web browser.
The same advice goes for Adobe Flash, of course (which is another plugin-based cross-platform way of delivering applets that is also heavily abused by malware authors).
On my main browser, I find it best to run with NO plugins (of the Mozilla Plugin sort). I have a secondary browser I use when this is needed.
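As an added example (not code from the original post, Sophos, or Oracle), here is a small JavaScript helper that parses a pasted chrome://plugins listing like the one above and flags the entries belonging to the Java plugin, either by their Java MIME types or by the npjp2.dll / npDeployJava1.dll library names shown in the listing; a second function runs the same check against navigator.mimeTypes from inside a page. The sample listing is constructed from the values in the comment; the "Example PDF Viewer" entry is made up.

```javascript
// Added example, not from the original page. Classifies plugin entries
// from a pasted chrome://plugins listing and reports which are Java.

// MIME type prefixes the Java NPAPI plugins register (taken from the
// listing above; prefix matching also covers the ;version= variants and
// application/x-java-vm-npruntime).
const JAVA_MIME_PREFIXES = [
  'application/x-java-applet',
  'application/x-java-bean',
  'application/x-java-vm',
  'application/java-deployment-toolkit',
];

// Library file names of the two Java plugins seen in the listing.
const JAVA_PLUGIN_LIBS = /npjp2\.dll$|npdeployjava1\.dll$/;

// Parse the flattened "Name:/Description:/Version:/Location:/Type:/MIME types:"
// text into plugin records. Unknown lines (button labels, headers) are ignored.
function parsePluginListing(text) {
  const plugins = [];
  let current = null;
  let inMimeTypes = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line) continue;
    const m = /^(Name|Description|Version|Location|Type):\s*(.*)$/.exec(line);
    if (m) {
      if (m[1] === 'Name') {           // a new plugin record starts here
        current = { name: m[2], mimeTypes: [] };
        plugins.push(current);
        inMimeTypes = false;
      } else if (current) {
        current[m[1].toLowerCase()] = m[2];
      }
      continue;
    }
    if (/^MIME types:/i.test(line)) { inMimeTypes = true; continue; }
    // A MIME row starts with "type/subtype"; the rest is the description.
    const first = line.split(/\s+/)[0];
    if (inMimeTypes && current && /^[a-z]+\/\S+$/i.test(first)) {
      current.mimeTypes.push(first);
    }
  }
  return plugins;
}

// True when the MIME type (parameters stripped) is one Java registers.
function isJavaMime(mime) {
  const base = mime.split(';')[0].trim().toLowerCase();
  return JAVA_MIME_PREFIXES.some((p) => base.startsWith(p));
}

// A plugin counts as Java if it serves a Java MIME type or is a known
// Java plugin library, so either signal alone is enough to flag it.
function isJavaPlugin(plugin) {
  const loc = (plugin.location || '').toLowerCase();
  return plugin.mimeTypes.some(isJavaMime) || JAVA_PLUGIN_LIBS.test(loc);
}

// Names of the Java plugin entries in a pasted listing.
function javaPluginsIn(text) {
  return parsePluginListing(text).filter(isJavaPlugin).map((p) => p.name);
}

// Inside a web page: pass window.navigator. navigator.mimeTypes is array-like
// with a .type on each entry; an enabled Java plugin shows up there.
function javaEnabledInNavigator(nav) {
  const list = nav && nav.mimeTypes ? Array.from(nav.mimeTypes) : [];
  return list.some((mt) => isJavaMime(mt.type));
}

// Constructed sample listing (values taken from the comment above; the
// "Example PDF Viewer" entry is invented to show a non-Java plugin).
const SAMPLE_LISTING = `
Name: Java(TM) Platform SE 7 U6
Description: Next Generation Java Plug-in 10.6.2 for Mozilla browsers
Version: 10.6.2.24
Location: C:\\Program Files\\Java\\jre7\\bin\\plugin2\\npjp2.dll
Type: NPAPI
Disable
MIME types:
MIME type    Description    File extensions
application/x-java-applet    Java Applet
application/x-java-bean    JavaBeans
application/x-java-applet;jpi-version=1.7.0_06
Name: Java Deployment Toolkit 7.0.60.24
Description: NPRuntime Script Plug-in Library for Java(TM) Deploy
Version: 10.6.2.24
Location: C:\\WINDOWS\\system32\\npDeployJava1.dll
Type: NPAPI
MIME types:
application/java-deployment-toolkit
Name: Example PDF Viewer
Description: Hypothetical non-Java plugin
Version: 1.0
Type: NPAPI
MIME types:
application/pdf    Portable Document Format    pdf
`;

console.log('Java plugin entries:', javaPluginsIn(SAMPLE_LISTING));
```

Both Java entries in the listing above are reported, so for the question "which should I disable", the answer this yields is both of them.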
Name: Java Deployment Toolkit 7.0.60.24
Description: NPRuntime Script Plug-in Library for Java(TM) Deploy
Version: 10.6.2.24
Location: C:\WINDOWS\system32\npDeployJava1.dll
Type: NPAPI
MIME types:
MIME type    Description    File extensions
application/java-deployment-toolkit
I also have this as well.. Which, if any, will affect Chrome.. Which should I disable…???
If this is so bad, why do I not see these warnings listed anywhere other than with Sophos? (And Ditto to Denise's comment!)
You don't see warnings elsewhere about Java? Let me help… 🙂
http://securitywatch.pcmag.com/none/302019-securi…
http://threatpost.com/en_us/blogs/chorus-grows-lo…
http://www.theregister.co.uk/2012/08/27/disable_j…
http://www.h-online.com/open/news/item/Java-0Day-…
http://www.theverge.com/2012/8/30/3278873/mozilla…
There are many many more..
Regarding Denise's comment – you'll see I've replied to her above.
Hullo Graham, I note all these are 2012 so hope you are still there and can help, please. I've had my iPad a year, no problems. Two weeks ago I started getting a notification at the top of the page saying "JavaScript appears to be disabled" with a triangle and exclamation inside, then I find many, many sites are blocked completely or halfway through. What on earth is going on? Please advise me. Thank you
I disabled it in Firefox and Chrome, didn't completely remove in case I ever need it. Thanks.
I use both Firefox and Chrome (is that the same as Google?) Anyway…how do I disable it? Will I still be able to play my favorite game (Playdom – Garden of Time) if I disable it? We have 4 users on this computer – I didn't realize how vulnerable our computer was!
I go to pogo.com daily and 3/4 of the games still use Java.
Been using Java since 1999.
I'm using XP Pro, have 3 versions on computer:
Java (TM) 6 Update 26
Java (TM) 7 Update 5
JavaFX 2.1.1
I use Chrome and Mozilla Firefox.
What should I do???? Just wondering.
Use the NoScript Firefox plugin and set it to block Java by default. Then only allow applets you trust: a whitelist.
Ignore the original post. There are far more problematic security issues built into all of Microsoft's products (especially Windows, whatever version). Additionally, approximately 65% of all web apps run on JAVA, because it is more stable, secure, functional, and reliable than any other language, not to mention you do not have to waste any money on Windows to use it!
What if you use the Java SDK for development? Really?
This is just to disable the browser plugin. Unless you're developing applets, you can still develop and run desktop applications without issues.
Therefore I love the tor browser. No need to worry about any kind of plugins….:)
Routing anonymously through TOR won't stop a malicious Java applet on a webpage you visit from delivering a payload of misery to your machine.
Sun Microsystems was bought out by Oracle. All samey-same.
While we're at it, why stop with Java… or with computer code? Let's all swear off dihydrogen oxide lest we perish: it's explosively flammable when reduced to its constituent parts, causes untold physical damage worldwide when transformed from the liquid form into the solid and is guaranteed to cause death when consumed in quantities too great or too small. Clearly a manifest danger not unlike the one outlined here.
Yes, John, great idea (swear off H2O*), since every great idea needs a brave "early adopter", and you would seem to want to "practice what you preach", we will all cheer (and watch) as you "boldly go forth" and live by your suggestion. We'll check back in a few months and see "how's that working for you". Meanwhile, the rest of us (most) will just turn off Java and live happily ever after.
(* bet you thought you'd outsmart us using those fancy words like 'dihydrogen oxide' and we'd not know you were talking about water, ohhh-we, dat boy be smart).
Ever heard of sarcasm?
And you can drown in it ! I totally agree, water is EVIL!
Just use Mozilla and get the NoScript addon. It blocks all Java on the webpage and you select which to allow.
Yes, although NoScript is principally known for controlling which websites you want to run JavaScript on – it can also be used to block Java (NoScript can whitelist websites which require access to the Java plugin).
Of course, that puts the onus on the users to make an intelligent decision as to when to allow Java to run or not.. a decision process that might be compromised by social engineering and trickery.
I have a Java plug-in but it's from Sun Microsystems, Inc not from Oracle. Should I also turn this off?
Ditto, mine from Sun also????
You probably should, as it is significantly out of date and has many other since-patched security vulnerabilities. It will not, however, be susceptible to the current 0-day exploit; just a bunch of older exploits.
For some background, Oracle bought Sun Microsystems in 2009 and re-branded all updates of Java since then with the Oracle name. That means your version of Java hasn't had a security patch applied in at least three years — during which we've seen a large number of exploits discovered that are still tested against in exploit attacks (as there are a lot of people who still use Java 3 through 6).
Pardon me if this comment comes across as harsh. I don't intend it to be. What I'm trying to do is offer a practical perspective that perhaps isn't being considered.
As someone who works in IT supporting three dozen or so small businesses, and having been in the industry for 2 decades, I find giving out blanket advice to "turn off Java" is just plain absurd, and is a symptom of the myopia of the computer-security field.
I acknowledge Java is open to exploitation. I acknowledge there are risks in having it available. I acknowledge Oracle has done an abysmal job of maintaining it. I acknowledge all of that. I secondarily acknowledge that Sophos and other security pundits are correct to bring the issue to people's attention. Technically speaking, they are not wrong to tell people to "turn off Java."
But in the real world, where real live computer users are trying to get their work done, this advice is impractical, if not impracticable. I can think of at least 4 clients that are required to use Java-powered apps at least once daily, and I can think of a few more that must use it periodically, as in, more than once a week. The advice to use an alternate browser just for those sites may sound good on paper, and it may even work for some of them, but it won't work for all of them.
For example, one client gets documents electronically sent to them via a Java applet on a Web page. They know they're getting one when they're sent an email with a (very, very long) URL in it. Normally they click on it to open the site and get their file. Sure, they could copy the URL, open a second browser, and paste it in … but when they have a million things to do and need the file quickly, are they going to remember all that?
Too often the answer is no. One can argue this shouldn't be the case … but people are what they are and they aren't going to magically change just because Sophos wants them to.
The average computer user is not a computer expert. Most of them don't know what Java is. All they know is that turning it off, or using workarounds, makes their lives more difficult, if not impossible. They use their computers to get work done. Advice like this makes it harder for them to do so.
Instead of laying this problem at the feet of computer users … many of whom are not competent enough in computers to understand the issue … let's instead lay it at the feet of those who are truly responsible: Oracle, which controls Java and is to blame for security weaknesses, and Web developers who choose to use Java in their products. There are a lot of Java-powered apps that probably could have been done using some other platform … and they ought to use it instead. They should be encouraged to do so.
Perhaps Sophos and other computer-security pundits could come up with some alternative to Java … one that does the kinds of things Java does, but which is more secure and more frequently maintained. The problem of people running Java on their computers — which, I repeat, IS a problem — could be solved simply by making Java itself obsolete.
Maybe Sophos could work on that, instead of giving out advice that cannot really be followed in every instance? Just a thought.
P.S. I know some folks will read this and think, "Users too stupid or lazy to employ workarounds, deserve what they get if they're victimized by a Java exploit." If so, there's nothing more to be said, and Sophos shouldn't even have issued this advice; I mean, if people don't ALREADY know that Java is a security risk, then they ALREADY deserve what they get. The point of Sophos' anti-Java injunction is to help those people. What I am suggesting is that this injunction itself is not effective. A workable alternative to Java — one that current Java developers could slide right into — would be.
This is much the same reaction I had to the article. Sophos is a business oriented security company, I would expect this type of nonsense from consumer oriented companies but Sophos should know better.
Just to add on to reasons the multiple browser idea is impractical, 90 percent of the users I support would not understand when to switch back and forth and would simply use the browser that always worked (the one with Java enabled).
For 'someone who works in IT supporting… for 2 decades' you clearly show a lack of support for your customers. In this and every industry, Support is called on to provide technical/product knowledge AND workarounds!
Bravo! Well thought out, well expressed.
We don't tell people who drive car X that has bad brakes to use the emergency brake when going down hill. Or to pump the brakes when encountering situation Y, do we? No. That would require the car's USER to have to know how the braking system worked. Then, once knowing that, how the drive train worked. Then the engine. Then the cooling system ….
No. The manufacturer FIXES the problem!
My argument is not as erudite, but I think the average user will get the points. 1. We should not expect users to understand the workings of the equipment. (Of course, they should take reasonable precautions, perhaps talk to their mechanic, not race downhill at 90 MPH.) 🙂
2. We should expect the manufacturers to fix their products.
Having said that, I think most, even including the dread M$ are all doing the best they can. Of course, that may not be saying much ….
Java will never be obsolete because it is superior to the other options and gives you function that is unavailable with other options. Besides, real IT people know better than this drivel.
Under your "they do not maintain and fix their product" diatribe all Microsoft products should have been obsoleted before they were even released.
I would agree that Oracle has done an abysmal job of maintaining Java when compared to Sun, but when compared to the other development packages… not so much. There are security issues with them all, but far fewer exploits in Java than there are in say .NET or Windblows in general. The real answer is to use a quality antivirus package (not MS Essentials) with heuristics that will offer you great protection from most of these exploits (even zero-day). Keep in mind there are no perfect solutions, but there are way better ones than just turning off Java!
Thanks for this –
From 9:47 this morning, Microsoft Essentials quarantined 5 incidents of Backdoor Trojans. After reading the article, I removed Java plug-ins from the Mozilla browser and Java from Windows (couldn't access Chrome – it had stopped working). After a scan, MS Essentials found 4 Java (exploits?). A Portable Spybot scan revealed no malicious software.
I got drunk.
Thanks again . . .
Folks should see: http://gnu.wildebeest.org/blog/mjw/2012/08/30/jav… if they've been running IcedTea instead of the Oracle Java plugins; they have an update to deal with this, today.
The only time you will be vulnerable to an attack is by visiting websites that contain malicious code. Better options are to only visit known websites or install an addon that allows you to block/allow certain websites. Firefox has a great addon called NoScript for this purpose. Your article, despite being accurate, is scaremongering.
Not that 'simple'! Many on-line banking services require Java Runtime at least, so if you remove/disable that you can't use your banking services!
Best advice is to have it available for when you need the banking system but not running when not needed otherwise. Fiddly to control and remember to turn JRE off again afterwards, but that's the price for convenience extracted by the nefarious who would snoop and/or invade our personal equipment and services.
A cheque Book account is so much safer!
I'm running under Linux (ubuntu 12.04) and need java for various programs including remote monitoring software which uses a browser-based control panel. I disabled the java plug-in (in firefox 15.0) until there was either a fix or work-around available. However, upon setting the plug-in disabled, immediately a flurry of activity launched on my computer (I did a panic power-off so no time for forensics). This indicates that either I was already infected (possible but not likely due to the constant security on this computer), or that the plug-in disable (event) was itself "hooked" by malware. Post trauma analysis spotted a number of infected files. Thought I would mention this in case the act of disabling the plug-in causes any of you to become infected.
Mozilla has posted an article regarding the java plug-in security issue: https://blog.mozilla.org/security/2012/08/28/prot…
Do I need to do this on my Android tablet that has Trend Micro on it?
OK I removed all java off of my computer. I am going to mention that on their Facebook page (if they have one). How can they be so apathetic if this is such a big problem?
Will the browsers still work without Java? What should replace Java to keep things running smoothly?
Java is not required in your browser if you don't intend to run web applications that need it (some outdated bank services). Plugins are yesterday, not safe most of the time, and there are more native ways that won't ask for any plugins. My bank doesn't require Java, or any plugin, and it just works. So ask yourself if you're going to trust a so-called "safe" service that will involve a plugin. Nevertheless, if you can't do without Java and don't want to upgrade for a safer online service, it's your call.
Better yet, just use NoScript and set it to block Java and Flash on sites by default and only enable the applets you must. When in doubt, leave it blocked.
As far as I know, if you have an OS that supports Group Policy, you can use Group Policy to disable Java or prompt for Java (which may make things far simpler for switching back and forth – off unless needed or deny unless certain – if you MUST have Java in certain situations – and I'm not only talking about online banks, but those working from home who must log in remotely to a work enterprise domain system or using Blu-ray HD video where Java is often mandatory). Start here http://support.microsoft.com/kb/2751647 and then proceed to the Group Policy link for further details.
And, if you have no choice but to use Java sometimes, I recommend the free Secunia PSI to help you keep Java updated.
Isn’t this really only a problem for people that click the link to win an iPad?
I am a Java developer. Java is mainly a server side technology, not a client side one like Javascript mainly is. If I can make your browser run Java stuff I can make it do all sorts of naughty things, believe me.
Or use Chrome which specifically asks you if you want to allow Java to run on any given website. All browsers should do this. And only allow it when you know you need it.
@Christopher No, it could be that a normal site has some sort of iframe inserted into it which could initiate a Java based virus. If you do need Java then use it on your secondary browser(s) and only for sites that it is required for.
What if I use a site which does use Java?
Ha! I use Firefox and went to check to make sure it was disabled. Firefox had already flagged is as “known to cause security risks” and disabled it. Awesome. Love Firefox!
how do I even find out IF I have it?????
Well Maggie, if you read previous comments, or even the ARTICLE…it will tell you.
Assume AppleMacs are immune from these flaws?
This is of concern to me but I have a dilemma. My company runs Oracle and to run Oracle, Java is an important plug-in, otherwise I can’t access my company's website to be able to do work from home. So how do I get around it?
I still need Java on my computer to run a specific program so I’m not removing it from windows altogether — however I discovered that firefox had already disabled the main java platform plugin for me. Nice. 🙂
Is this from Snopes too? Is it true?
Thanx! disabled in Safari
take it off, fire fox had me disable both yesterday and told me to update to the newer version which I just disabled.
@ Jeff Sparkes Yeah but Chrome crashes if you look at it wrong!
I tried to uninstall 2 Java updates in Windows 7 and get a message saying something like ‘verify the log program exists and is writable’. Please advise 🙂
I don’t even have the Java plugin installed. I use not one single web page that needs it. And I hope Flash will die soon!
Hmm..I took Java off and it seems fingers crossed…a few websites that got stuck and I had to wait a while for them to work again..are working properly now
Do this ASAP!
Apple Macs are NOT immune to Java-isms. It’s a cross-platform language and I stopped letting Apple put it on my Mac from CD/update a long time ago because in the entire history of the web, I’ve only ‘needed’ Java a half-dozen times. Uninstall or delete it from your version of OS X and refuse software updates for it as well as disabling it on browsers. If anybody knows of a Java applet worth running, I’d be interested in their argument but I don't expect to agree. Java? Strictly ’96.
Java is used to present games on your screen, mostly. Like Pogo.com uses it. Some Fb & Twitter games.
DO IT!
<~~~ uses Chromium… doesn't need to
Really? You’re asking if this is from SNOPES? Naked Security’s word for it isn’t enough when their sole purpose is, oh, I don’t know, SECURITY? Oh boy.
Done. I wasn’t even aware it was enabled—apparently, “enable Java” is a default in OSX Snow Leopard.
Sophos is a reputable Security Vendor – I’d listen to them especially if you have no AV, Firewall or other security measures in place!
Hasten to add that java was a great development by Oracle but its time never quite happened, at least for end-users of proprietary operating systems. it did of course rather kick off the ‘open source’ idea and was a generous gift by Oracle but it’s all risk and no benefits in 2012
My old PC started uploading viruses via Java ‘updates’ without me clicking anything. I haven’t trusted Java since and will happily remove it.
Done. thanks for the info and the insight from the commenters.
as someone said above, it’s a server-side technology which means, in effect, that when you enable it, you say ‘yes’ to external control and that’s why hackers love it. it’s a ‘blank cheque’
My Java is v6 update 31. Should I still uninstall? I don’t normally trust the updates and I particularly hate that Java (and adobe) ALWAYS has some sort of updates.
But I need Java to play games on facebook and yahoo
It’s the version 7 that’s the big issue now, I think….
I am trying to uninstall and I keep getting a warning ‘Unidentified Program wants access to your computer’ CANCEL or ALLOW. By cancelling I am unable to install. Any help?
do I really have to edit the registry? that seems extreme. and will you let us know when we can reinstall?
*uninstall
You need to allow for install
The Internet Storm Center’s comments on this matter suggest that using 1.6 is advisable if you MUST use Java for some reasons. But opinion there was divided on this step as an actual security measure. What say you, Sophos?
Or uninstall
I too am having trouble uninstalling Java. I keep getting a warning ‘Unidentified Program wants access to your computer’ CANCEL or ALLOW. By cancelling I am unable to uninstall. Any help would be appreciated. If I click on allow the box goes away and uninstall stops. Either way I can’t get rid of it.
PLEASE ADVISE US on what to do when we receive these type of messages when trying to uninstall.
Give Revo Uninstaller a try.
Beti Spencer I play games too I thought I would not be able to play if I uninstalled it but I have taken the advice and done so. I am still able to play the games 🙂
Been disabled for a long time now….
Rid me of java
I have two sites, one essential (a medical site that REQUIRES IE and JAVA), another (NOAA weather radar) that is very handy and uses Java. How do I handle this?
Re prev comment that Chrome always asks to use java. Just tested. It did not.
Most people don't use it but do use Adobe Flash Player, and in the usage agreement it allows people to access their device legally.
What about Java FX 2.1.1???? I uninstalled several updates like 5, 6, and 7
Done!!
Found Java 6 at the following link, but it does not have the MANY security patches in it. How can I get those?
http://www.oracle.com/technetwork/java/archive-139210.html
I use NoScript and can selectively disable/enable java on individual webpages. http://noscript.net/
Done, and thank you very much.
I already disabled Java add-ons in Internet Explorer 8. 🙂
Thank you for the info-done.
TY…done…
There’s a new version out already (v.6) . I think this website’s post is slightly behind the curve.
that “new” version 6 is old. I had version 7
mmmm do I wanna uninstall or just disable???
Does this apply only if you are using an Oracle app?
Thanks I didn’t know.
I am very happy with this vulnerability.
Bob Morton – Use Java in a Virtual Machine.
Sharon Pilkington – That’s not true. Java can be fully removed on any OS.
Most people will never use Java.
Well I uninstalled all mine & my browser seems to be faster if FB games need java then I don’t need fb games ijs
Thanks Kansas!
thanks Kans!
Oracle, are you asleep? I hear zzzzzzz
Done.
People, this affects only version 7, not version 6.
So that's goodbye to NemUDU and web banking 🙁
Thank you, Sophos!
..thx for the heads up! 🙂
@Jesus: that’s true but version 6 has flaws in it too! There is currently NO SAFE VERSION!
Bloody Java, and like Flash, it’s used everywhere.
Just disabled it. Thanks Sophos.
My computer will not delete it now what?
new patch already launched, http://www.oracle.com/technetwork/java/javase/downloads/index.html
Thanks Sophos.
So… if I’m running Mac OS 10.8.1 and Chrome 21.0.1180.82 should I still disable Java or not bother?
Thanks
Guys, there’s now an emergency patch from Oracle. Go to java.com and get it.
@Suzette Comodo is a firewall, you don’t do anything with that. Disable java in your browser or uninstall in Control Panel. Or get the new patch.
Naked Security from Sophos Computer novice. I uninstalled Java, but do I want to uninstall the JavaFX 2.1.1 as well? (Not sure what that is…)
I’ve got the IcedTea plugin – is it only Oracle Java that’s got the vuln?
It isn't listed in the CVE, so I think you are safe.
I use Ubuntu Linux OS with IcedTea plug-in too. I'm computer illiterate. It says it executes JAVA applets. Since it has the word Java in the description that makes me nervous. Should I be?
It's important for people to realize this is a Java-in-the-browser issue. It's still safe to program with Java on the server. In the browser, you're allowing someone to run arbitrary code in a security sandbox that has been *broken* at times. On the server, you're not allowing your site's visitors to run arbitrary code. Java is also fine for desktop programs…. If you install a program, they already have access to your computer anyways….. Just keep it disabled in the browser. Java is still a good programming language.
Oracle needs to quit pushing people to install the browser plug-in since 99% of people don't need it and that's where the main security issues have been.
I went to control/programs, etc….click on Java and tried uninstall. It won't uninstall. any ideas
This really concerns me as I work from home and Java v6 is required for one of our applications. Any recommendations as to what I could/should do?
If it is a browser application you can disable Java in your primary browser and leave it enabled in a different one (Firefox, Chrome, IE) just to use your work application.
If it is a Java program then you can just disable Java Web Start in your browsers, as the vulnerability only affects Java browser applets.
This comment is in reference to CVE-2013-0422
The Java JRE is bloated and open to exploitation. It, along with MS .Net, allows modern programmers to be lazy. On a Windows XP machine, these installations are often larger than the OS itself!
When I go to delete Java from my Programs and Features the only prompt that comes up is 'will you allow this program to update and make changes on your hard drive'. Well I don't, so how do I delete it?
You have to approve the uninstaller to have administrative privileges to do the removal. I believe you are describing a Windows 7/Vista UAC prompt. You need to say yes.
All of this input and not a single one tells how to disable Java. Much less how to do it and still be able to turn it back on. Jeez
There are numerous references that describe various ways, this is not exactly one size fits all, since: you can disable Java for all browsers at once, OR you can disable Java at the browser level, preferable (probably) if you only use one browser, likely IE.
But have found the PC magazine site informative to answer your question:
http://www.pcmag.com/article2/0,2817,2414191,00.a…
Hope this is helpful.
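The comment above mentions that Java can be switched off for all browsers at once rather than per browser. Since Java 7 Update 10 that switch is a key in the per-user deployment.properties file that the Java Control Panel writes (on Linux typically under ~/.java/deployment/). The script below is an added example, not code from the Naked Security post or from any commenter: it parses such a file, reports whether the browser plug-in is enabled, and returns a hardened copy. The key names `deployment.webjava.enabled` and `deployment.security.level`, and the level values, are taken from Oracle's deployment documentation and are assumptions relative to this page; the sample file is constructed.

```python
"""Audit and harden a Java deployment.properties file.

Added example for this thread, not code from the post or any commenter.
Assumptions (not stated on the page; from Oracle's deployment configuration
documentation for Java 7 Update 10 and later):
  * deployment.webjava.enabled=false turns the Java browser plug-in off for
    every browser at once (the Java Control Panel checkbox writes this key).
  * deployment.security.level takes LOW, MEDIUM, HIGH or VERY_HIGH.
"""
import re
from typing import Dict, List

# Constructed sample of a user-level deployment.properties file.
SAMPLE_PROPERTIES = """#deployment.properties
#Thu Jan 17 09:12:44 GMT 2013
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.browser.path=C\\:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe
deployment.expiration.check.enabled=true
"""

# What a defender wants: plug-in off, and the strictest prompting level for
# anyone who turns it back on temporarily for one trusted site.
HARDENED_VALUES = {
    "deployment.webjava.enabled": "false",
    "deployment.security.level": "VERY_HIGH",
}

# key = value  or  key : value ; comment lines start with # or !
_KEY_VALUE = re.compile(r"^\s*([^#!\s][^=:\s]*)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse a java.util.Properties-style file into a dict (file order kept).

    Comment and blank lines are skipped. Values are left raw (no backslash
    unescaping) because only a few boolean/enum keys are compared here.
    """
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text: str) -> Dict[str, object]:
    """Report the two settings that decide browser exposure.

    A missing deployment.webjava.enabled key means the plug-in is on (Oracle's
    default), so absence is reported as exposed rather than unknown.
    """
    props = parse_properties(text)
    enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", "").upper() or "UNSET"
    findings: List[str] = []
    if enabled:
        findings.append("Java browser plug-in is enabled for all browsers")
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append(f"security level is {level}, not HIGH or VERY_HIGH")
    return {"web_java_enabled": enabled, "security_level": level, "findings": findings}


def harden(text: str) -> str:
    """Return the file with the plug-in disabled and the level raised.

    Existing lines for the two keys are rewritten in place so comments and
    order survive; keys that are absent are appended at the end.
    """
    seen = set()
    out: List[str] = []
    for line in text.splitlines():
        m = _KEY_VALUE.match(line)
        if m and m.group(1) in HARDENED_VALUES:
            key = m.group(1)
            out.append(f"{key}={HARDENED_VALUES[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in HARDENED_VALUES.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_PROPERTIES)["findings"])
    print("after: ", audit(harden(SAMPLE_PROPERTIES))["findings"] or ["no findings"])
```

Running `harden()` on a real file and writing the result back is the scriptable equivalent of unticking the Control Panel checkbox; re-running `audit()` afterwards (or after any Java update, which may rewrite the file) confirms the plug-in is still off.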
Following the instructions RE the Chrome browser on my Nexus 7 gets me an "error 300" message that the web page is not available. This happens using both the //plugins and the //settings/content options.
How can I find out if Java is running through Chrome on my tablet? And how do I get to a functioning option to disable it?
Android does not have a JRE connected into any of its browsers. Android devices are not vulnerable.
Can you please tell me what I should do now? I am using a website for online learning and now I can't open my exercises as the Java plugin is blocked. I am using Firefox 18 and Internet Explorer. I am really very worried.
I use Java for my game sites, IE Pogo, American Cribbage, etc. and now in Chrome even tho I have current Java, Chrome keeps saying I don't have and need Plug in, I am so frustrated with this, I have uninstalled Chrome and uninstalled Java, I have used so many suggestions on blogs and I am still unable to get into these sites…Any other suggestions or is there something other than Java I can use.
If anyone is interested, I just posted instructions on how to set up Java Security on your computers.
http://www.fcsnj.com/java_security.htm
Link doesn't work
Copy and paste the URL into a browser.
Not sure about this, but Chrome uses a built-in VM from where Java is executed; doesn't this protect you from these malware infections?
I myself only use my PS3 to go on the internet. I don’t think that this will affect my OS even though it does run Java 9.
Huh?????
Completely doesn't make sense:
"Even if you absolutely must use websites that require you to have Java installed, why not disable it in your main browser and have an alternative browser just for visiting that website?"
Surely, if you disable Java in one browser, but enable it in another on the self same machine you're still at risk from the threat.
It's like saying "Keep your front door locked to stop burglars getting in, but it's safe to leave your back door open".
Maybe this will help you understand:
They're saying you should disable it in your main browser, so that Java-based stuff doesn't come up on all websites that have it. This keeps you safer while browsing.
But, if there are sites you need to visit that use Java, visit these and only these in a second browser. This way, those are the only sites where Java will work and they should be trusted sites.
My two cents:
You could just not worry about it and not visit untrustworthy sites, like smart people.
Legit websites get hacked too.
THAT'S the real scary part of this vulnerability. You can get infected by just visiting a hacked legitimate blog.
I have two Java programs in my computer when I checked:
Java 7 Update 9
JavaFX 2.1.1
Also I have Java 32-bit in my computer.
Should I remove all these 3?
Thanks! I appreciate the answer.
I suggest you do, because when I uninstalled Java from one application it reinstalled it with an update that was for another application. However, I am not a professional so don't take this advice too seriously.
So is this dangerous with Java Runtime Environment, or Java code, or Java Applets, or Java Plugins, or Java SE or JDK? And is it really safe to take advice from random posts saying 'oh, do this, it's safe'. Java is a mess. Truth is the safest bet is to uninstall all Java and if there is something you need that then does not work, demand the provider provide a non-Java way of providing their product or service, and if they don't then ditch them.
Absolutely do not remove JavaScript/Java.
use noscript with firefox/iceweasel/chrome/mozilla based browsers.
You allow pages that need Java or Flash (which also has web page setup and lots of updates due to vulnerabilities), like YouTube and banking etc. If you do not need Java or Flash on a page, leave it blocked. I leave NoScript to always deny and right-click the crossed-out red circle at the bottom of the browser to allow/disallow a page… whitelist/blacklist. You can save settings and white/blacklists and import/export as well. Drive-by attacks are 100% null now… no need to uninstall. You can cruise porn sites, hack sites, warez sites and YouTube with cockiness now.
You only need one Java version; updates do not remove old ones.
Use JavaRA to clean old installs, updates and check for updates etc.
Set Java options via the web page… many folks do not know about the Java options. Set it up to not access camera and microphone, and leave Sun/Oracle to check for updates daily or weekly so vulnerabilities can be patched quickly.
There are tons of sites on how to secure Java via its web page options. Same with Flash options; no need to disable Flash too for folks who read that scare-tactic article by an unknown PC security expert telling you Flash should be disabled because of all the vulnerabilities… Flash updates just as frequently as Java… what, like every hour! Kidding, but it updates often as vulnerabilities and exploits are found.
google, how to secure your browsing and how to secure your pc in google, dslreports forums /security is a great place to start…read the faqs at top of each forum.
I just got an update for Java. Could it be a repair for this problem? I haven't downloaded it yet.
I just updated with 7.11. Is that safe?
I just received an icon to update my Java. Should I do this?
Strange that not one person has said that a good antivirus ALSO catches these exploits BEFORE they are downloaded onto your machine. Why would a security company that sells such a product not even say that?
There are far more exploits out there to simply worry about one portion of good security – Java management. Some of these people that have not updated their Java in years have probably not updated the rest of their system either! No one has mentioned all the Flash exploits, the Adobe AIR exploits, etc., etc.
Good protection starts with the OS, and continues through every program. How many old dll’s have exploits – plenty. Even drivers can have them.
I think you meant to write that your anti-virus *might* stop it.
It’s always possible that you could be one of the unlucky sods who gets hit by an attack *before* the anti-virus software vendors have been able to add detection of it – and as it could be based upon a zero-day vulnerability their proactive protection may not pick it up either.
There are far greater risks with ".net" code. This is just anti Java (opensource) drivel!
Is the iPlayer now off limits as it needs Java? Or is this seen as a safe site?
iPlayer uses JavaScript, not Java. See Duck’s article explaining the difference here: http://nakedsecurity.sophos.com/2013/01/16/java-i…
Thanks Chester, I'm not so confused now. I have disabled Java from the browser plug-ins area and enabled JavaScript through the content settings page of the browser. Hope I've got it right now; at least the iPlayer is running again. Thanks again for your help.
You make such an ignorant fuss about this.
If you are REALLY interested in security, then turn OFF Microsoft Windows.
Bah!
Doesn't Buffer need JavaScript to function? I found this thread because I keep getting this message on Chrome:
"Oh Pants!
It looks like you have JavaScript disabled. You'll need to turn that on to use the Buffer web app – trust us, it's totally worth it!"
Yet when I check it is enabled. Anyway this is a different problem.
I have had "websearch" on all my profiles that took ages to get rid of. Now I know where it comes through. Thanks
JavaScript is not the same as Java.
http://nakedsecurity.sophos.com/2013/01/16/java-i…
I received messages that my browser was outdated and had to update my Java, so of course I did… totally crapped up my PC with malware. Fortunately I was able to do a system restore to get it working again.
Loading YouTube videos should be a very quick and easy process which even the slowest of computers should be able to deal with. Unfortunately, this is hardly ever the case and many people report seeing YouTube videos taking a long time to load,