Over the past week or so, our series of articles on How to turn off Java in your browser has been very popular.
That’s because of a widely publicised vulnerability, thankfully now patched by Oracle (nice work, guys), that was being actively exploited by cybercriminals to infect PCs.
Our article directs you to five sub-articles giving specific instructions for five well-known browsers:
- How to disable Java in Internet Explorer
- How to disable Java in Firefox
- How to disable Java in Chrome
- How to disable Java in Safari
- How to disable Java in Opera
Let me apologise in advance that we couldn’t include everyone. If you’re a fan of alternative browsers such as Konqueror, Midori, Lynx, Seamonkey, Iceweasel and Links, “We’re sorry.” And if you’re a fan of browsers that didn’t even make that alternative list, “We’re doubly sorry.” There’s a biggish list of browsers on Wikipedia, if that makes you feel better, but even that article starts with the dreaded words, “A list of notable web browsers.”
Today, as I was looking through our recent Naked Security readership statistics, it occurred to me to do a percentage breakdown of the people who had read each of the browser-specific articles day-by-day for the past five days.
“Those stats are bound to tell an interesting story,” I thought to myself. (I didn’t really think that. I thought that they might make a pretty graph, which is nearly, but not quite, the same thing.)
For example, a browser might be over-represented, compared to its market share, thus indicating that users of that browser are more informed about security issues, and thus more likely to seek expert advice to make sure they are on top of the problem.
Or it might be over-represented because its users are less informed about security, and thus more likely to seek expert advice to make sure they are on top of the problem.
Or users of a particular browser might dislike Java more than users of another browser, and thus be keener to read how to turn it off.
Unless, of course, their dislike prompted them to turn it off long ago, causing them to be under-represented.
Or they might be under-represented because they uninstalled the whole shebang, and no longer need to know about how Java and their browser interact on account of having no Java at all.
If you must read something into this graph, it should probably be no more than that it provides a possibly staggeringly inaccurate measure of each browser’s market share.
OK, a possibly staggeringly inaccurate measure of each browser’s market share amongst Naked Security readers.
But I was right. It does make a pretty graph, doesn’t it? And that’s interesting in its own right.
(I mean to say that it is interesting inasmuch as it makes a pretty graph, not interesting that I was right, but that is interesting too, now I think about it.)
On a serious note: you have patched or upgraded your Java installation, haven’t you? That is, if you have Java installed, whether turned off in your browser or not?
And if you are in the 42% using Internet Explorer: you’ve applied the brand new IE patch too, haven’t you? Or migrated upwards to IE 9 or IE 10?
I'm one of the ones who disabled it a few weeks ago (in Safari) following an article of yours. The only difference I've noticed is that I haven't been able to do a few obscure maths games.
I removed Java from my Mac and I have no intention of ever installing it again, not after the vulnerability and the exploit. Oracle's handling of Java has been terrible, to say the least. Although I give them credit for patching Java in a timely manner instead of waiting, that won't convince me enough to trust Java ever again. I also didn't install Java on my Windows partition on my Mac, and I have no intention to ever install it unless I really need it. It's not worth taking risks with computer security. Everyone needs to take the security of their computers seriously, then infections won't happen.
Of course, it could indicate just how hard it is to disable Java in IE, and even those with reasonable security awareness have trouble with the process.
It needs regedit? Seriously?
I am a Java developer working on OSX. I disabled Java in the browsers a long time ago, but I did not remove Java from my machine. An installed Java environment by itself is not less secure than the runtime of the operating system that executes binary code. And still people are advised to remove Java altogether.
Even though this is a good strategy if you do not need Java, to ensure that Java is not activated by some accident, browser update or such, the communication itself has a side effect. What I continually see is that people deduce from those articles that Java is bad and should be removed from the machine. They simply do not know Java, do not know security, and everything that is obscure to you is dreadful.
This has a controversial effect on the overall judgment of Java as a technology, even when we talk about Java applications on the server side that are usually more secure than, for example, PHP-written applications. And this is sad.
This is sad because business decisions are made on impressions rather than pure fact (this is a fact of life, we have to live with it) and the impressions of Java are getting worse and worse because of these articles.
Before you mistakenly think I am talking about NakedSecurity articles: I am not. These articles are correct and technical and are targeting the tech people. I am talking about mainstream media.
If you do not mind me linking my personal blog about this topic here, here it goes:
http://wp.me/p2zrqL-ig
Java is bloated code. In many of my experiences, the code never reliably runs from platform to platform. You may be correct in that a Java application can be written securely, but in most cases the majority of programmers do not take security into account and spit code out as fast as possible. Java is targeted as it is installed on so many machines. Time and again I have run into applications that have been poorly written in Java, and do nothing but consume resources. These security incidents add fuel to the fire. IMO, based on many factors, there are better platforms. Oracle has failed miserably in changing my mind at all. Sorry, but Java is bad in most cases.
I first disabled then applied the Java JRE 1.7 Update 11 to the Java on my old XP Pro machine running IE8. I found that Secunia PSI 3.0 requires Java so I had to re-enable Java.
__Btw I also updated my IE8 browser with the Micro$oft patch when it finally became available Monday afternoon (1/14/13).__
Secunia PSI, standalone software, does not require Java; Secunia CSI, web-based, does require it.
Is Java 6.0.380.5 vulnerable? Our company uses a legacy application that doesn't work with Java 7.
I found it easier just to uninstall it permanently. I don't use anything that uses Java, and it seems like every other month there is another "Zero day exploit" revealed. I may re-install it someday if I find a reason to need it, but overall I think it's probably safer not to have it at all.
I mean, after all, this isn't the first time Sophos has posted this PSA, is it?
I love how all these articles make it seem like Java is the only software with these problems. Every month I load 10-20 security patches on my Windows computers. Where are all the calls from Homeland Security to abandon Windows?! I wish all of these software vendors would focus more on security, but to focus so much pressure on one application and vendor is misleading and harmful. Who in our government did Oracle tick off? And what didn't the media cover on Thursday and Friday last week?
I use the Firefox addin QuickJava. It allows me to quickly enable/disable Java, Javascript, Flash, Silverlight, etc.
With all that is going on with Java I think the safe thing to do is just uninstall it. I uninstalled mine about a month ago and haven't needed it once in that time, so for me I'd rather be safe than sorry. JMHO
I have a MacBook running OSX 10.4.11. I disabled Java on Sunday. Yesterday, after finding out about the Oracle patch, I tried to download it. It says, "* Users with Mac OS X versions 10.6 and below should go to Software Update under the Apple menu to look for updates." On that Apple menu no updates are available. What do I do? If needed, should I use Java or not?
If no updates are listed in Software Update, then you already have the most recent version of Java for OS X 10.4.11 (Tiger). But Apple no longer supports any version of Tiger, so it's not surprising that you don't find any updates listed. In other words, you’ve gone as far as you can go, Java-wise, with Tiger.
It's also possible that you're not affected by the most recent vulnerabilities. There are varying reports about which versions of Java are affected, depending on the specific vulnerability. I don't recall which version of Java was the most recent one that ran in Tiger.
The rest of your question is unclear. If you need Java, you should use it. If you don't know whether you need it, then you probably don't need it, but in either case, it's best to disable it until you actually need it. In general, any website that uses Java should prompt you to install or enable the Java applet if it's not available in your browser. At that point, you’ll have to decide whether you trust the website before you enable Java.
Another strategy is to keep a separate browser that has Java enabled, and use that browser only in those cases wherein you need Java.
Anyhow, without knowing more about your actual needs, your best bet is to run with Java disabled, and use it only when you encounter a condition wherein you need it.
I read about the Java vulnerability in the news and disabled it in Firefox before reading your article. However, since I maintain a friends computer, which uses IE by default, I had to read your instructions on how to disable Java in IE. So yes, your statistics may misrepresent browser usage of your readers, but I doubt it's by very much. I wouldn't doubt that some readers help less savvy friends and family with computer security and maintenance, or that some readers use more than one browser.
Java in itself is not vulnerable, people. You can keep the JRE installed on your machines (I personally couldn't work without the JRE and JDK). It's the interaction between Java and the browsers that's broken, or, more specifically, the unintended execution of Java applets is compromised. Java applets only run in browsers and are a small subset of the Java ecosystem. Java is not a bad thing in and of itself, but using Java in a browser is. I write Java applications (not web apps) and I disabled Java in my browser long ago (and it is one of the first things I do when faced with a new machine).
I don't hate Java itself. Vulnerabilities are a fact of life with any system.
As far as I can tell, it's the specific implementations of the JRE (Java Runtime Environment) that have the troublesome vulnerabilities. The problem is in the failure of their suppliers (e.g., Oracle, Apple, etc.) to provide timely patches.
The only downside to leaving it installed and disabled is that your browser might not honor the "disabled" preference across a browser update, in which case you have to remember to re-disable it after an update. If that's too big a pain in the neck—and if you're absolutely certain that you will never have any need for Java—then fine…uninstall it completely.
I don't give a schlitz, everything I run off the web is sandboxed.