For anyone who is in any doubt, security experts are spelling it out in black and white.
The advice from the CERT (Computer Emergency Response Team) at the Carnegie Mellon University Software Engineering Institute (who are sponsored by the Department of Homeland Security) is loud and clear – you should only be running Java in your browser if it’s absolutely necessary.
"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."
You will see similar advice in the advisory posted on the official DHS US-CERT website:
"To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment."
You know what? The advice is absolutely right.
Even if you have been super-diligent and installed the Java security patch released earlier this week for the serious security hole that allowed Java applets in your browser to do naughty stuff, you should still seriously consider whether it’s sensible to have Java enabled in your browser at all.
If you can’t avoid using a handful of websites that demand your browser supports Java, then why not have a different browser specifically for visiting those sites?
That way you can permanently rip Java out of the web browser you use to surf the rest of the web.. and you’ll be a lot safer next time a serious vulnerability is found in Java.
Patching against this security hole isn’t the end of the story. You need to seriously consider whether Java has any place in your browser at all.
Here’s our guide for how to turn off Java on your browser:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
Stay secure folks.
This article has been updated to clarify that the first advisory quoted comes from the vulnerability experts at the CMU SEI CERT Program, sponsored by the Department of Homeland Security, and is not directly from the DHS themselves.