Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Should I Disable Java, and If So, How?

Another vulnerability has been discovered in Java; if Java is installed on your machine, malware authors can exploit it to infect your computer with something as simple as your visiting a malicious or hacked website.

As I write this, there is no update to Java, which means that there is no fix. Technically that makes this a “zero-day exploit”.

The fix that most experts, including myself, are recommending is to remove Java from your machine. Chances are you don’t actually need it anyway.

But before we go further, we have to do the old “Java vs. JavaScript” dance.

Become a Patron of Ask Leo! and go ad-free!

Java and Javascript are two different and unrelated things

Because of another exceptionally poor choice of names, there’s always instant confusion when we talk about Java because people often confuse it with JavaScript.

That’s wrong. Java is not Javascript. They are completely unrelated to each other.

Javascript:

Javascript: (not to be confused with Java) is a computer programming language that is most commonly used to … continue reading.

From the Ask Leo! Glossary

  • Comes with your web browser; it’s part of Internet Explorer, Firefox, Chrome, and whatever other browser you might happen to have. There is no separate installation for JavaScript.
  • Is used by thousands and thousands of websites. Even Ask Leo! requires that JavaScript be enabled in order to post a comment (as part of a spam-prevention technique). Disabling JavaScript globally would render many if not most of the websites that you visit regularly partially to completely unusable.
  • Is considered a “scripting” language. While the term is somewhat vague, it generally means that JavaScript is a programming language used to augment some other environment, such as the display of HTML-based web pages in your web browser.

Java:

Java: (not to be confused with Javascript) is a general purpose programming language designed, as much as possible, to … continue reading.

From the Ask Leo! Glossary

  • Is a separate download. Typically, the first time that you run into a need for Java, it is downloaded and installed at that time.
  • Is a programming language used to write larger, full-featured applications.
  • Uses a “common runtime” which is installed on your computer to provide features and functionality to the programs written in Java.
  • May be installed either by installing a program that happens to use Java or by visiting a web page that itself contains a program written in Java.
  • Is used by a more limited selection of applications and websites.

While JavaScript may have its own set of issues from time to time, that’s not what this is about, at all. This is about Java.


However, you may have Java installed if you visited such a website, or installed such an application, even once …

You probably don’t need Java

While you almost certainly need JavaScript, it’s quite likely that you do not need Java.

Java is used only by certain applications and websites, and the majority of websites don’t use it.

However, you may have Java installed if you visited such a website, or installed such an application, even once. The installation was required to make that site or application work, but it’s not practical to somehow automatically uninstall it after your visit or after uninstalling the application because there’s simply no way to know if it’s also needed by some other application that remains or site that you visit.

It gets complex very quickly. As a result, once installed, Java remains installed until you explicitly uninstall it.

And that’s exactly what I recommend you do.

Uninstalling Java

In Control Panel, go to Add/Remove Programs (Windows XP) or Programs and Features (Windows 7).

Control Panel Programs list showing Java

Java Logo
Look for lines titled “Java”, “Java VM”, “Java Update” and the like, all with the Java logo as an icon.

Right-click on each, and select Uninstall.

Once you’re done, you’ve uninstalled Java.

Didn’t find any Java items in the Programs list? Then you’re done before you even started; you didn’t have Java on your machine to begin with.

Disabling Java

Disabling Java in your browser without removing it can be a complex task. I strongly recommend that you follow the process above to uninstall it from your computer completely.

However, as we’ll see in a moment, that might not be practical.

Rather than reinvent the wheel, here are instructions from Sophos’ Naked Security site on disabling Java in Internet Explorer. At the end of their instructions are links to similar instructions for Firefox, Chrome, Safari, and Opera.

What if it turns out I need Java?

After successfully uninstalling Java using the instructions above, you may encounter this when you visit a website that requires or uses Java:

Java Required Error

Depending on the browser, you may instead or also see a notification telling you that “Java(TM) is required to display some elements on this page.”

If you run a program on your PC that uses Java, you’ll see a similar error message (exact wording will depend on the program) indicating that Java is required, but not present.

You have a decision to make.

In my order of preference:

  • Live without that website or program. Perhaps find an alternative that does not use Java.
  • Reinstall Java on a separate “sacrificial machine” or virtual machine and use that to access these sites or run these programs, leaving it off the rest of the time.
  • Reinstall Java, but disable it in all browsers except for one, which you use only to access the sites that require it. Use a different browser with Java disabled for your day-to-day web surfing.
  • Reinstall Java and be super-extra-careful.

In any of the circumstances that involve re-installing Java, make certain to always keep Java up to date. Letting it update itself is the preferred approach, if offered.

Why is this such a mess?

The current situation isn’t an indictment of Java as a programming language – it actually is a pretty cool language, and ironically was itself designed with security in mind. One of its original selling points (‘write once, run everywhere’), while technically not 100% accurate, is a very popular reason for many to have adopted Java as a technology.

No, the devil here is certainly in the details.

All software has bugs, make no mistake. Even your favorite never-had-an-issue program that you use every day, whatever it is and whatever computer it’s running on, has bugs.

And so does the implementation of Java. It’s not the programs written in Java that are at issue (although they certainly have bugs of their own). The issue here is in that common runtime – often referred to as the “Java VM” or “Java Virtual Machine” – I mentioned earlier. It’s just software too, and like all software, it has bugs.

It might even have more than average, although I’m not going to say that for certain.

And it’s installed on a lot of machines.

As Java has become more popular over time, it’s become worth the time of hackers to see if there are bugs that haven’t been fixed that they can exploit. It’s popularity for hackers may not be based on millions of people actively using it, but rather millions of computers that happen to have Java installed because a website requiring it was visited once upon a time.

Update

In response to some of the comments:

  • Yes, a fix was released for the most recent problem. I still encourage people to uninstall Java, simply because most don’t need it, and this is not the first time we’ve been in this position, and it simply seems likely to happen again. If you do need to keep Java, then as I said above keep it (and all your software) up to date.
  • J2RE is a part of Java and can be removed.
  • Javascript (which is not Java) does not appear in the add/remove programs list, as it’s part of your browser and not a separate install.

(Update added January 12, 2013.)

Update to the Update

Several people have noted that:

  • A fix was released.
  • Java version 6 didn’t have the problem.

I have to stress that this is about much more than just a single vulnerability.

As it turns out, within days of the bug fix release hackers announced that they had found at least two more vulnerabilities in Java 7.

In my opinion the track record for Java vulnerabilities is poor enough that I continue to strongly recommend that you uninstall all versions unless you’re certain that you need it. (And uninstalling it to find out if you need it is also, in my opinion, a valid approach.)

(Update added January 22, 2013.)

Additional references

Javatester.org, includes a partial list of applications and sites that use or require Java.

How do I disable Java in my web browser?, instructions from Oracle.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

37 comments on “Should I Disable Java, and If So, How?”

  1. Java Update uninstalled. Now, what about J2SE Runtime Environment 5.0? Has a Java icon. Thx for the usable and clear advice.

    Reply
  2. I installed Java 7 Update 10 on 10th of January. Does this fix the vulnerability you mention? I can understand your reluctance to put a date in an article but in this case maybe it would be better than putting in “As I write…”?

    All my articles are dated at the bottom of the article.

    Leo
    13-Jan-2013
    Reply
  3. @Carol: This is probably Java version 5 which is really really old. I would uninstall it.

    @Gerard: No. All editions of Java 7 have the latest flaw. Java 6 does not have this flaw (which does NOT mean that its perfectly safe). The good new with Update 10 that you have is that Java use by web browsers can be totally disabled with a single checkbox. See the Java Control Panel in the Windows control panel, Security tab.

    Disabling Java in Internet Explorer, while leaving it enabled in other browsers is arguably impossible. This from Oracle themselves which says the only way to fully disable Java in IE is with the just mentioned checkbox introduced with Java 7 Update 10 that disables Java in ALL browsers, system wide.

    For much more on this topic see

    How to be as safe as possible with Java
    http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java

    Thanks Michael. I’ve added a link to your article in an additional resources section below mine.

    Leo
    13-Jan-2013
    Reply
  4. J2SE is not needed anymore as the new java 7 has it built in. i had a issue were i had to remove all java including j2se ad the firefox would not recognize the new java update was installed. so i went to website for java and it said to remove all java including this and re-install standalone java and it is all included. Now on to disabling java there is a new feature inside java console under security untick disable in browser and your done. all disabled in browser and only on the machine for programs that need it.

    Reply
  5. What about running Java on a Mac running OS X Mountain Lion. Does it still apply that it is best to uninstall it?

    What I’m hearing is yes.

    Leo
    15-Jan-2013
    Reply
  6. Thank you so much for this. I uninstalled Java and another problem I was having went away – see below.
    Should I also uninstal JRE and J2SE Runtime Environment?
    There’s a forum on which I’m following a thread. Whenever there’s a reply, it auto-emails me and also shows a link to the thread. However, clicking on the link takes me to a site URL4SHORT. Uninstalling Java has stopped those diverts but if you search the internet for URL4SHORT you will see that this is a big problem for many users. What could be behind the problem? I bet you’ll find out, Leo! Keep up the good work & thanks again.

    Reply
  7. Hi Leo. Thanks for that. Running Windows Vista Home Premium on an HP Notebook computer. Found three instances of Java in my “Add/Remove Programs” list. Two I was able to uninstall without any problem, but the third Java (TM) 6 Update 7 refuses to uninstall. I get the following error message “Error 1719 – Windows Installer cannot be accessed. This may be because it is not properly installed. Contact your support personnel”. Can you advise me please?

    Reply
  8. I was able easily to remove Java from the control
    panel, several Java listings. However, an icon
    remained on the control panel. I selected it and tried
    to bring it up, but without success. I did not select it
    and use the delete function. Should this icon be
    deleted also?

    If you’ve otherwise successfully uninstalled, and it sounds like you have, then I’d ignore it.

    Leo
    15-Jan-2013

    Reply
  9. Hi Leo and everybody, today I gota message to update this JAVA problem, it appears there is a fix by updating to JAVA to 11. You can do this in your control panel (XP on mine) right click the ICON and open to the tab, then check for the update tab, it only took a few minutes to complete, but watch for the freebee in the check box, uncheck if you don’t want it before you go to the “next” box. 1/15/13

    Yes, a fix was found for *the most recent* problem. I still encourage people to uninstall Java, simply because most don’t need it, and this scenario seems likely to happen again.

    Leo
    15-Jan-2013
    Reply
  10. I heard on the radio the other day about removing Java; so I immediately removed all Java files (it wasn’t listed as a program on the list of programs). However I did include all Javascript files when I deleted the files. So what do I do now?

    Depends on exactly what it is you deleted. Javascript is part of your browser, so if your browser starts acting up I’d probably reinstall it.

    Leo
    15-Jan-2013
    Reply
  11. Oracle says that the Java update issued on Sunday ( 7.11) solves the problem in version 7.10.

    Yes, a fix was found for *the most recent* problem. I still encourage people to uninstall Java, simply because most don’t need it, and this scenario seems likely to happen again.

    Leo
    15-Jan-2013
    Reply
  12. As a researcher in molecular biology/genetics, we are absolutely dependent upon programs that run in Java. Is there a way to restrict Java to certain trusted websites/programs?

    Don’t really have a good solution for you, other than, as I think someone else suggested, consider running those programs using Sandboxie.

    Leo
    15-Jan-2013
    Reply
  13. Leo’s contribution contribution to this subject is, of course, not the only one but in many the distinction between Java and JavaScript is just not made or even alluded to. If ever there was proof of the value of Leo’s service to us all – this is it. So very worthwhile to Bookmark – thankyou Leo.

    Reply
  14. Is earlier version of the Sun Java work or not?

    I recommend uninstalling all versions. The lastest bug may not be in older versions, but then older versions have other issues. Better to be safe.

    Leo
    16-Jan-2013

    Reply
  15. Thank You Leo for these wonderful articles. Thank You again for the simple & practical ways to AVOID problems…. Your articles are structured & systematic and is helpful for not so computer savvy people like us….. Software experts can differ & argue on several aspects……!!!! There is no Fix for that…

    Reply
  16. Hi,
    Just found the new update
    Java (Version 7 Update 11)
    said the bug fixed.

    Please read the update I added to the bottom of the article that addresses this.

    Leo
    16-Jan-2013

    Reply
  17. Hi Leo
    I think your recommendation to remove Sun java is too draconian. It is useful for many websites and videos. If the user has a good AV kit (ie Kaspersky IP 2013) any Java weakneses are immediatel detected and a fix offered.
    Happy new Year
    John

    Reply
  18. I found that earlier versions of Java, like Java 6, are NOT vulnerable. I am using Java 6, so this not a problem for me, at least for now. See below:

    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

    Last revised:01/17/2013

    NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.

    I’ve added an “Update to the Update” at the bottom of the article. Bottom line is that this is about much more than just a single, recent vulnerability whether it’s fixed or not. I still recommend uninstalling all versions of Java unless you know you need it.

    Leo
    22-Jan-2013
    Reply
  19. I removed JAVA that I found in the add/remove programs but the next time and every time now when I boot up the computer hangs and then there is a message saying it can’t find:
    C:program filescommon filesJAVAJAVA UPDATEJUSCHED.EXE
    I click OK and get on with life but I think I should do something about this shouldn’t I? I used CCleaner but this message still appears. Thanks for all you do.

    The uninstall was incomplete. I’d give Revo Uninstaller a try, and if that doesn’t work look for a reference to jusched in auto-start locations using a tool like autoruns.

    Leo
    22-Jan-2013
    Reply
  20. I followed the instructions and uninstalled java- now I have no available personal/private messaging in Facebook- not sure how, if at all, the two are related but it happened immediately! How might I fix what my FB needs! I can chat in the message box but not private messaging- get a blank screen or a message box with to way to input a name or message- or send! Thanks!!!

    The two are unrelated – Java has nothing to do with Facebook. (Javascript does, but as the article takes great pains to point out, Javascript is also completely unrelated to Java). Honestly, I can’t say what happened to your Facebook, and would probably just suggest you start by clearing your browser cache.

    Leo
    22-Jan-2013
    Reply
  21. thanks Leo! i read your article which i greatly appreciate. so i uninstalled java in win7 and thats fine. however now i am noticing a lot of videos require adobe flash player. when i download the new version it finishes and says its running but the video apps dont recognize it. then the flash site doesnt find an installed version. these are little facebook and youtube videos-nothing fancy and not all videos ask for the flash player. so i was told to reinstall java so i could get adobe flash to run. however i am concerned about the basic holiness of this java app as u have said–maybe THAT problem was fixed but the next one’s right around the corner..(yes i read that in your article :) so should i reinstall java to get flash to work or is there another way? does it have something to do w activex and is that safe?? my main goal is to have flash work, but if that is unsafe i will do my best to live without it–i’ve got norton AV and protect. java i usually dont need but now w flash i might??? thanks!

    You appear to be confusing JavaSCRIPT with Java. They are two completely unrelated things. JavaSCRIPT is typically required to run Flash (and many, many other things). It’s Java, not JavaSCRIPT, that needs to be dealt with.

    Leo
    29-Jan-2013
    Reply
  22. I have Windows 8 and when I try to remove Java I get a pop-up asking if I want to allow Java to make changes to my computer. When I click “no” the uninstall discontinues. I tried clicking “yes” and Oracle proceeded to load an updated Java version (I assume). I cancelled the upload and tried uninstalling and again received the request to allow Oracle to update. What gives?

    Reply
  23. @HW Pelt
    Click yes and allow the process to complete. That’s sound like it’s the Java uninstaller asking for permission. I’ve had similar experiences with other programs. If not, at least you’ll have a patched Java which is better than leaving it the way it is.

    Reply
  24. Hi Leo, or indeed anyone else reading this question …

    I am trying uninstall Java, after Windows Installer thinks about it for a while the following dialogue comes up “Do you want to allow the following programme (i.e. Java) to make changes to your computer?” It may seem obvious that I should click yes, however I’m concerned that if I do that it will do other things to my machine that I don’t want it to. Most programmes I’ve uninstalled have not asked that question before, and I want to check that clicking yes to this question won’t actually embed the programme even further into my machine. Your advice would be appreciated. Thanks, Liz

    Reply
  25. When I try to uninstall Java this message comes up: “An unidentified program wants to access your computer. Have you used this program before and do you trust it?” I then have to make a choice as to whether to allow access to this unidentified program. When I choose “No” Java still remains in my computer. Of course I am not told the name of the unidentified program.

    How can I proceed to uninstall Java?

    Reply
  26. The NSA just listed a number of memory-safe programs and Java is on the list. Of the programs I’m familiar with, the listed programs are higher-level languages that don’t have access to the more sensitive parts of the system. Has Java’s security improved since this article was written.
    The NSA list of memory-safe programming languages has been updated

    In no particular order, the NSA suggests these memory-safe programming languages
    Go
    Rust
    C#
    Swift
    Java
    Ruby
    Python
    Delphi/Object Pascal
    Ada

    Reply
    • Memory-safe isn’t quite the same as “secure”. Memory safe simply means it’s difficult to access memory you didn’t intend to (buffer overruns, for example). That’s almost trivial in C/C++.

      So memory-safe removes one common way that vulnerabilities happen. But not all. :-)

      To be fair, I suspect Java has been updated quite a bit in the years since this article was written.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.