Sophos Cloud Optix
As you are probably aware, lots of people, including the writers at Naked Security, are advising you to turn off Java in your browser for security reasons.
Some people are worried that turning off Java also turns off JavaScript.
Most modern websites make heavy use of JavaScript, so these people are worried that sites such as Facebook, Twitter, and even Naked Security, will be pretty much useless if they follow our “turn Java off” advice.
So, let me clarify.
• Java and JavaScript are completely different.
• Turning off Java will not turn off JavaScript.
They’re configured separately.
The converse is true, too. If your aim was to improve security by turning off Java, turning off JavaScript instead will not have the desired effect.
Apologies if you already know this. But the names are a bit confusing.
I’ll keep this article short and simple by not going into too much detail about the differences here.
JavaScript
Suffice it to say that JavaScript is generally built in to your browser, and is used to control the look, feel and function of web pages displayed inside your browser. So you can think of it as part of your browser.
That doesn’t mean there aren’t security risks from JavaScript. There are, but they’re different to the ones posed by Java, and they’re generally fixed or patched directly by your browser vendor.
JavaScript is very commonly used in modern websites. In fact, you won’t get very far without it on many of the popular sites out there.
So we are not recommending that you turn JavaScript off in your browser.
Java
On the other hand, Java, made by Oracle, is a software package installed separately from your browser.
It can be used for creating and running all sorts of regular-style software: web servers, code editors, word processors and much more. These are called applications, just like any other application such as Microsoft Word or Apple iMovie.
Java also provides a plugin system that allows stripped-down Java programs called applets to run inside your browser. They aren’t integrated with your browser like JavaScript programs, and their security generally depends on the Java system itself, not on your browser.
Java applets used to be fairly common, but (mainly through the rise of JavaScript) they are now are used rarely, or not at all, on most of the popular websites out there.
In fact, you probably won’t miss much without applet support. Lots of Facebook users, for example, report being able to use their favourite addons such as games without Java.
Nevertheless, there have been several recent and widely-abused bugs in the applet part of Java that make your browser insecure.
So we are recommending that you turn off Java in your browser.
And that’s it.
A warning
By all means, turn off JavaScript if it suits you.
But let me reiterate: we aren’t recommending that. And if you do, you won’t get rid of Java, which is probably what you want.
In case you’re wondering, Java was originally called Oak, after a tree outside the inventor’s office. It was renamed Java after the island, because lots of coffee comes from there, and programmers run on coffee.
JavaScript was originally called Mocha after the coffee drink, because programmers run on coffee, but turned into LiveScript, and finally into JavaScript, probably for marketing reasons to compete with Java. The only real similarity with Java is in the first four characters of the name.
Technically, JavaScript is now officially known as ECMAScript, and if you start calling it by that name, you’ll never confuse it with Java again!
I do recommend to turn JavaScript off as well, or rather, use NoScript to control which sites are allowed to use it.
Agreed. There are many cases where JavaScript is equally dangerous, especially if you have an out-of-date browser that doesn't implement basic security measures.
how exactly do i turn off java then? sorry but i am a novice when it comes to this sort of stuff
To turn Java off, have a look here:
http://nakedsecurity.sophos.com/how-turn-off-java
I play games on facebook and if I turn Java off will I still be able to play games? How do I go about turning it off?
Facebook games don't use Java…at least, I haven't heard anyone complaining of an FB game that stopped working without Java. (I've added a mention of this to the article to clarify.)
As for how to turn it Java:
http://nakedsecurity.sophos.com/how-turn-off-java
Yahoo Games needs Java enabled in the browser.
Most FB games use Flash, not Java.
I come from Java, and that’s right!
This is the island of coffee.. Sometime I recommended you to try “Luwak Coffee”, which is the 1st class coffee in the world.
That's the stuff that gets eaten by a civet first, right? And then, ahhhh, excreted and, well, collected for sale?
I think I read somewhere that there's a competitive coffee brand now that uses elephants as the enzyme-activated pre-processing service.
I imagine the elephant coffee would have to cost more…you'd have to pay the blokes who collected the, ahem, excreta a fair bit more danger money, I expect. Though I suppose you'd get more pre-digested beans per…per…what *is* a unit of dung in polite parlance?
In a formal context, it's a "Morgan". In an informal context, a "Piers". :o)
WIthout turning it off and figuring out if something still works or not, is there a way to know if Java is a requirement for functionality? My bank switched our bill-pay program a couple of years ago to something that I believe is Java-based, but in light of this story, it's possible I misinterpreted that and it's Javascript I guess.
Turn off Java and see if it still works. If it doesn't, turn Java back on if you really need it.
If you're using Chrome, and you have the Java plugin enabled, it should give you a notification saying "Java(TM) needs your permission to run", which you can either approve (be it just once or for the whole site) or reject (by ignoring and/or closing the notification).
If you're not using Chrome, then you might have to go with David's suggestion of turning Java on and off until you've figured out which sites need it and which ones don't. But – as I've mentioned elsewhere among these comments – if your browser doesn't prompt you first before loading an applet, then you should be considering a better browser.
hmm.. thanks – Id say thats about as much as I [i]need[/i] to know about the computer kind and maybe a little more than I need to know about the liquid kind.
😉
As far as I understand, installing Java on your computer and running applications using Java is not particularly dangerous. The increased risk comes from using the Java plug-in in a browser. Am I correct in this?
Yes you are. The problem is that many browsers don't prompt first before loading Java applets. This is silly, since Java applets aren't just Flash animations: they're full-fledged programs, just like one you'd download and install on your machine, and *by design* are able to do things like create files on your computer. Java is a powerful programming language, which is why it's pretty much ubiquitous in educational websites (especially those with science simulators; NASA is especially fond of using Java for its educational simulators) and commonplace for banking.
So by this virtue, it's a bit unfair to pin all the blame on Java as a whole – or even Oracle's problematic implementation of it – when the browser can and should be preventing Java applets from automatically running.
There is one browser, however, that *does* prompt you before loading an applet: Chrome. Unlike Internet Explorer and Firefox, Chrome will not run an applet by default, but instead will display a notification bar with options to allow once, allow always for that particular site, or not allow (by ignoring the bar or closing it with the X at the far right).
For example's sake, let's go back to that NASA simulator I referenced. It's called RocketModeler III, and is a Java applet. You can find it at http://www.grc.nasa.gov/WWW/k-12/rocket/rktsim. Open that URL with Internet Explorer. Then try Firefox. Then try Chrome. Chances are, if Java is enabled as a browser plugin, IE and Firefox will load it without your approval, while Chrome will wait for you to click on either "Run this time" or "Always run on this site" before it even thinks of launching the applet.
In conclusion, though Oracle should certainly fix its code, it's not *completely* Oracle's fault that browsers are allowing applets to load without user confirmation – which, mind you all, is exactly why the exploit that everyone's up in arms about is even slightly significant. If you're a routine Java user (like me) and find that disabling Java entirely would be inconvenient, try Chrome.
Isn't it about time to rename Java script to something completely unrelated to Java? This never ending confusion is both understandable and potential harmful to people which do not know the difference.
Or another much better suggestion could be to just rename Java instead…I suggest the perfect new name: "GARBAGE". So if you make a Ja…Garbage program you need Oracles Garbage compiler 😀
As I mentioned at the end of the article, what used to be JavaScript is officially called "ECMAScript" these days.
However, if Wikipedia is to be believed: The name 'ECMAScript' was a compromise between the organizations involved in standardizing the language, especially Netscape and Microsoft, whose disputes dominated the early standards sessions. Brendan Eich, the creator of JavaScript, commented that 'ECMAScript was always an unwanted trade name that sounds like a skin disease.'
Which may be why it's never caught on.
As for renaming Java to something pejorative…as previous commenters have pointed out, Java still plays an important role in letting you create and deliver applications. And standalone Java applications seem to create no more or less risk than OS-native applications (.EXEs on Windows).
The troubles are almost entirely in the browser integration. And IIRC Oracle's latest Java releases include a control panel that let you lock Java out of any and all browsers you have on your system. That means you can run Java applications to your heart's content, but can't run applets at all.
(For example, I have Java installed because I need it for Android research and development. But I don't use any websites that require it, so I have it locked out from my browsers. Best of both worlds.)
Better to just get rid of Java.
Should "Java Deployment Toolkit" be disabled as well?
This probably answers your question:
http://java.com/en/download/faq/deployment_toolki…
If you don't have Java in your browser, then the JDT is pointless so you can remove it. It you do have Java in your browser, the JDT's function is to go and get the "right" Java version for the applet you're trying to run, in case the applet wants a different version than the one you have installed.
Assuming you keep your Java up-to-date, it sounds to me as though the best thing the JDT can do for you is nothing, and the worst is to offer to drag down an outdated Java to run some old-school applet.
Sounds like you might as well remove, rather than merely disable the JDT. But as the above link explains, even if you do neither it won't affect your "Java in the browser" setting…
Java was developed by Sun Microsystems, and was later acquired by Oracle.
Oracle didn't create Java.
Turning off JavaScript in the browser these days will probably limit the stuff you can do on websites … it's a bit like turning off the gps in your car. I wouldn't advice you to do it unless you're using netscape 4 or ie6
what about Rhino scripting engine ?? is not it javascript engine which is written in java ??
hi i was helping a friend with a virus problem, and he only had java update 6, 16, i helped him update it to 6.38 but why cant I put him on 7 11, hes running windows vista. thanks for the help
If you’re having a problem with Java, your first port of call should probably be Oracle’s support team. Sorry not to be more help.
Is there a way to allow Java to run only on selected ("white-listed") web-sites, and disable it for all others?
It would be nice to be able to use Java only for an internal corporate server or a banking site, for example.
You can do this with NoScript (http://noscript.net).
What about Club Pogo? I play there almost everyday. They requires Java to be on. :/
Oracle bought Sun in 2010. Since then, the java infections have dramatically increased. Perhaps Oracle should stay with databases and sell Java to someone who cares.
Garbage err Java is the language you use to write apps and those popular/addictive cute casual games for smartphones and mobile devices, particularly for Android OS. Yep, it may have become an irritant for webpages but for the mobile industry, it's gold!
Title should read (“Javascript is not Java”) JS came out after Java not before. JS is a stripped down version of Java for the web, it was redesigned by Mozilla which actually lead to several law suits by Oracle claiming patent protection on its Java se and ee platform.
What’s the difference?
Java is a full blown object oriented programming language for both web and desktop apps. Its latest iteration rivals Microsoft’s C#.
Javascript is a scripting language for the web nothing more, its the equivalent of php or asp.
A long time ago Java was the preferred language of the web, ever since their debacle with Mozilla they expanded their multi platform universe to include mobile devices like Android. Java flourishes on phones and tablets. Whereas JS is stuck with the web browsers of choice.
Since I hate web programming I can’t really comment on anything positive or constructive for that matter.