For anyone who is in any doubt, security experts are spelling it out in black and white.
The advice from the CERT (Computer Emergency Response Team) at the Carnegie Mellon University Software Engineering Institute (who are sponsored by the Department of Homeland Security) is loud and clear – you should only be running Java in your browser if it’s absolutely necessary.
"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."
You will see similar advice in the advisory posted on the official DHS US-CERT website:
"To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment."
You know what? The advice is absolutely right.
Even if you have been super-diligent and installed the Java security patch released earlier this week for the serious security hole that allowed Java applets in your browser to do naughty stuff, you should still seriously consider whether it’s sensible to have Java enabled in your browser at all.
If you can’t avoid using a handful of websites that demand your browser supports Java, then why not have a different browser specifically for visiting those sites?
That way you can permanently rip Java out of the web browser you use to surf the rest of the web, and you’ll be a lot safer next time a serious vulnerability is found in Java.
Patching against this security hole isn’t the end of the story. You need to seriously consider whether Java has any place in your browser at all.
Here’s our guide for how to turn off Java on your browser:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
Stay secure folks.
This article has been updated to clarify that the first advisory quoted comes from the vulnerability experts at the CMU SEI CERT Program, sponsored by the Department of Homeland Security, and is not directly from the DHS themselves.
21 comments on ““Unless it is absolutely necessary to run Java in web browsers, disable it”, DHS-sponsored CERT team says”
Just ensure that you follow the “unless it is absolutely necessary” part. We don’t need to go ripping out the “Availability” part of the C-I-A triad just because 0-days pop up. If we follow that train of thought to its illogical conclusion, we might as well go back to typewriters…
But most people don’t need it, and just like any other software, it should be uninstalled if you don’t absolutely need it.
There’s an easy way to disable Java immediately using Group Policy or your own management tool. We have a blog and video to show you exactly how to do it:
Blair, who are you? Are you a writer or tech support for Naked Security?
Why are you recommending people check out your blog?
Would some people end up thinking they better buy something for security after reading? Do you get paid per click?
I think it’s rude to use the comment section of a very well written, important, security article to advertise. Whether good or not, I don’t think your intentions are really to benefit readers.
I’m honestly not trying to be harsh. However, I believe that unless you’re an important, educated and well respected computer guru, you shouldn’t try piggybacking in comments like people do on YouTube.
Please pretend I’ve been living under a rock and tell me who you are.
If you’re just a nice person, forgive my response. I’m skeptical about everything these days.
Being a 74 year old game playing, surfing, shopping, casual user of the internet on a PC I am at a loss as to whether or not I need Java. I mostly use Firefox because Chrome has been invaded by another browser that pops up and despite my diligent efforts, cannot get rid of. So…can anyone help me out. Knowing the above, can you say whether or not I would be in a mess if I got rid of Java? Oh, I also pay bills through my bank on my PC also.
Thanks a bunch to anyone who replies.
I do all of the above in Firefox and I have Java disabled. It's not irreversible, so the thing to do is disable it, and go on about what you normally do. If something doesn't work and says "you need Java to see this content" (or something similar) then consider whether you want to enable it just so you can access that content. Make a note of it, and go on about your business a little longer before re-enabling and see if anything else complains. It probably won't.
It's a shame so many educational things have to use Java...
It's just gonna have to be a case by case thing...
Oracle must have wronged DHS over something to get them to say this. Adobe Flash, Shockwave and Reader are no better.
Disabling Java from the get go just means you don't know how to properly secure your network and properly train your employees. Keeping your applications up-to-date, following CERT's advice on restricting access to Java applets and providing Security Awareness training to end users is the better way to go. Sure it won't get everything, but at the same time you can't prevent a business from running because of flaws in an application, especially if it's a business critical application such as PeopleSoft or Oracle Financials.
What about Macs? How do you disable Java on a Mac?
A few of the more unimportant sites that you surf might not work properly if you disable Java, but otherwise you won’t notice much difference, and if you’re doing online banking on your PC, it’s pretty much suicide to allow Java to run. There’s no two ways about it: get rid of it now and run an anti-virus scan after you’ve done so.
Is disabling Java via the Control Panel checkbox a per-user setting or global?
Every recommendation I've seen is to disable Java in browsers. Why not just uninstall Java entirely? Then you have one less thing that needs constant updating, and all your users won't accidentally install the stupid ask.com toolbar when doing updates. Thank you.
You let your users do updates? Big mistake.
Can you really trust the Department of Homeland Security?
Ask me why I hide from the people I pay to protect me.
I yearn for the day when a kid would ask “What is Java?”
Really! Just think about how great that’d be. People would finally get to the point where they’d have their damnedest time remembering. After a few moments of silence, an adult would respond with something like “Ya know, I don’t really remember. It may have been a drink or the name of a popular singer. I’m sorry, little Johnny Nguyen Mohamed. I just can’t remember. Why don’t you try checking Wiki.”
Some organizations have internal applications developed in Java, so removing Java isn’t an option for them.