"Unless it is absolutely necessary to run Java in web browsers, disable it", DHS-sponsored CERT team says

Filed Under: Java, Vulnerability, Web Browsers

For anyone who is in any doubt, security experts are spelling it out in black and white.

The advice from the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University Software Engineering Institute, which is sponsored by the Department of Homeland Security, is loud and clear: you should only be running Java in your browser if it's absolutely necessary.

DHS CERT advises disabling Java

"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

You will see similar advice in the advisory posted on the official DHS US-CERT website:

"To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment."

You know what? The advice is absolutely right.

Even if you have been super-diligent and installed the Java security patch released earlier this week for the serious security hole that allowed malicious Java applets in your browser to do naughty stuff on your computer, you should still seriously consider whether it's sensible to have Java enabled in your browser at all.

If you can't avoid using a handful of websites that demand your browser supports Java, then why not have a different browser specifically for visiting those sites?

That way you can permanently rip Java out of the web browser you use to surf the rest of the web, and you'll be a lot safer next time a serious vulnerability is found in Java.

Patching against this security hole isn't the end of the story. You need to seriously consider whether Java has any place in your browser at all.

Here's our guide for how to turn off Java on your browser:
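As an added example, not part of the original article or its guide: the checkbox in the Java Control Panel ("Enable Java content in the browser", Java 7u10 and later) is just a line in the JRE's per-user deployment.properties file, so the same change can be made from a script, and locked so the user can't tick the box back on. The property name deployment.webjava.enabled, the ".locked" convention and the per-user file locations in PROPERTIES_PATHS are assumptions drawn from Oracle's deployment configuration documentation as I recall it; check them against the docs for the JRE version you actually have installed.

```python
# Added example (not from the original article): flip the setting behind the
# Java Control Panel's "Enable Java content in the browser" checkbox without
# the GUI, by editing the JRE's per-user deployment.properties file.
#
# Assumptions (verify against your JRE's deployment configuration docs):
#   - the checkbox is stored as the property deployment.webjava.enabled
#     (introduced in Java 7u10); an absent key means "enabled";
#   - a bare line "<key>.locked" stops the user re-enabling it from the GUI;
#   - per-user file locations are the usual ones per platform (PROPERTIES_PATHS).
import os
import platform
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_KEY = WEBJAVA_KEY + ".locked"

# Per-user deployment.properties locations (assumed; adjust for your JRE).
PROPERTIES_PATHS = {
    "Windows": Path(os.environ.get("USERPROFILE", "~")).expanduser()
    / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties",
    "Darwin": Path(
        "~/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
    ).expanduser(),
    "Linux": Path("~/.java/deployment/deployment.properties").expanduser(),
}


def _split(line: str):
    """Split one properties line into (key, value); value is None for bare keys."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None, None
    key, sep, value = stripped.partition("=")
    return key.strip(), (value.strip() if sep else None)


def webjava_enabled(text: str) -> bool:
    """True unless the file explicitly sets deployment.webjava.enabled=false."""
    enabled = True
    for line in text.splitlines():
        key, value = _split(line)
        if key == WEBJAVA_KEY and value is not None:
            enabled = value.lower() != "false"
    return enabled


def disable_webjava(text: str, lock: bool = True) -> str:
    """Return the properties text with browser Java disabled (and locked).

    Existing deployment.webjava.enabled lines are rewritten to false, every
    other line is preserved, and the key and lock are appended only if absent,
    so running it twice yields the same output.
    """
    out, seen_key, seen_lock = [], False, False
    for line in text.splitlines():
        key, _ = _split(line)
        if key == WEBJAVA_KEY:
            out.append(f"{WEBJAVA_KEY}=false")
            seen_key = True
        elif key == LOCK_KEY:
            out.append(LOCK_KEY)
            seen_lock = True
        else:
            out.append(line.rstrip("\n"))
    if not seen_key:
        out.append(f"{WEBJAVA_KEY}=false")
    if lock and not seen_lock:
        out.append(LOCK_KEY)
    return "\n".join(out) + "\n"


def main() -> None:
    path = PROPERTIES_PATHS.get(platform.system())
    if path is None:
        raise SystemExit(f"unsupported platform: {platform.system()}")
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    if not webjava_enabled(text) and LOCK_KEY in text:
        print(f"{path}: browser Java already disabled and locked")
        return
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(disable_webjava(text), encoding="utf-8")
    print(f"{path}: set {WEBJAVA_KEY}=false (locked); restart any open browsers")


if __name__ == "__main__":
    main()
```

Run it as the user whose browsers you want to protect, then restart the browser, since the plugin reads the file at start-up. Note that this only removes the plugin from the browser; the JRE itself stays installed and still needs patching. For a fleet, the same two lines belong in a system-level properties file that a deployment.config points at (Oracle's deployment.system.config and deployment.system.config.mandatory settings, again from memory, so verify them), which is what a Group Policy or management-tool rollout pushes out.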

Stay secure folks.

This article has been updated to clarify that the first advisory quoted comes from the vulnerability experts at the CMU SEI CERT Program, sponsored by the Department of Homeland Security, and is not directly from the DHS themselves.



21 Responses to "Unless it is absolutely necessary to run Java in web browsers, disable it", DHS-sponsored CERT team says

  1. Just ensure that you follow the "unless it is absolutely necessary" part. We don't need to go ripping out the "Availability" part of the C-I-A triad just because 0-days pop up. If we follow that train of thought to its illogical conclusion, we might as well go back to typewriters...

    But most people don't need it, and just like any other software, it should be uninstalled if you don't absolutely need it.

  2. Blair · 996 days ago

    There’s an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:

    • CasualNakedReader · 994 days ago

      Blair, who are you? Are you a writer or tech support for Naked Security?
      Why are you recommending people check out your blog?
      Would some people end up thinking they better buy something for security after reading? Do you get paid per click?
      I think it's rude to use the comment section of a very well written, important, security article to advertise. Whether good or not, I don't think your intentions are really to benefit readers.
      I'm honestly not trying to be harsh. However, I believe that unless you're an important, educated and well respected computer guru, you shouldn't try piggybacking in comments like people do on YouTube.
      Please pretend I've been living under a rock and tell me who you are.
      If you're just a nice person, forgive my response. I'm skeptical about everything these days.

  3. Mary Blumreich · 995 days ago

    Being a 74 year old game playing, surfing, shopping, casual user of the internet on a PC, I am at a loss as to whether or not I need Java. I mostly use Firefox because Chrome has been invaded by another browser that pops up and which, despite my diligent efforts, I cannot get rid of. So... can anyone help me out? Knowing the above, can you say whether or not I would be in a mess if I got rid of Java? Oh, I also pay bills through my bank on my PC.
    Thanks a bunch to anyone who replies.

    • Connie Taunton · 995 days ago

      I do all of the above in Firefox and I have Java disabled. It's not irreversible, so the thing to do is disable it, and go on about what you normally do. If something doesn't work and says "you need Java to see this content" (or something similar), then consider whether you want to enable it just so you can access that content. Make a note of it, and go on about your business a little longer before re-enabling and see if anything else complains. It probably won't.

  4. Josh · 995 days ago

    It's a shame so many educational things have to use Java.....

    It's just gonna have to be a case by case thing....

  5. MikeS · 995 days ago

    Oracle must have wronged DHS over something to get them to say this. Adobe Flash, Shockwave and Reader are no better.

  6. Steve · 995 days ago

    Disabling Java from the get-go just means you don't know how to properly secure your network and properly train your employees. Keeping your applications up to date, following CERT's advice on restricting access to JAVA applets and providing Security Awareness training to end users is the better way to go. Sure it won't get everything, but at the same time you can't prevent a business from running because of flaws in an application, especially if it's a business-critical application such as PeopleSoft or Oracle Financials.

  7. Flo · 995 days ago

    As a low-tech user, I am confused. You say to disable Java, but for the Safari example, you leave "Javascript" and only uncheck "Java." Is "Javascript" safe, then? Also, I have found that I cannot post on Facebook or use the NPR media player with Java + Javascript disabled. What can I do about that?

  8. Jason · 995 days ago

    Yes, JavaScript is completely UNRELATED to Java.

  9. Jason · 995 days ago

    PS: Don't disable JavaScript, otherwise 99% of your websites won't work :)

  10. E.E. · 995 days ago

    What about Macs? How do you disable Java on a Mac?

  11. DaveK · 995 days ago

    Dear Mary,

    A few of the more unimportant sites that you surf might not work properly if you disable Java, but otherwise you won't notice much difference, and if you're doing online banking on your PC, it's pretty much suicide to allow Java to run. There's no two ways about it: get rid of it now and run an anti-virus scan after you've done so.

  12. Adam · 995 days ago

    Is disabling Java via the Control Panel checkbox a per-user setting or global?

  13. Dana Query · 995 days ago

    Every recommendation I've seen is to disable Java in browsers. Why not just uninstall Java entirely? Then you have one less thing that needs constant updating, and all your users won't accidentally install the stupid ask.com toolbar when doing updates. Thank you.

  14. snert · 995 days ago

    Can you really trust the Department of Homeland Security?

    Ask me why I hide from the people I pay to protect me.

  15. CasuallyNakedReader · 994 days ago

    I yearn for the day when a kid would ask "What is Java?"
    Really! Just think about how great that'd be. People would finally get to the point where they'd have their damnedest time remembering. After a few moments of silence, an adult would respond with something like "Ya know, I don't really remember. It may have been a drink or the name of a popular singer. I'm sorry, little Johnny Nguyen Mohamed. I just can't remember. Why don't you try checking Wiki."

  16. Adam · 994 days ago

    Some organizations have internal applications developed in Java, so removing Java isn't an option for them.


About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley