As you know, there is much talk on the web about the latest Java
vulnerability, presumably coming from China. As I use Java a lot (being a non-geek !!) and that this is rumored to be quite serious, I would like your opinion
on the matter. The usual remedy on the web is either to uninstall/disable Java
altogether!
When I did this, however, I found that a lot of my favorite websites just
did not function (at least not fully!). In particular, my online crosswords
which I really like. So then as I use Firefox exclusively, I downloaded
no-script (can remember that you use it yourself from previous article) and
have used it sparingly (no whitelists as yet).
That’s actually just one example of several questions that I received this week
relating to a recently discovered zero-day exploit of an unpatched vulnerability in
Java. My understanding is that a fix is now available, but the scenario has
brought to light something very important:
Many people confuse Java and Javascript.
Java is not Javascript. In fact, other than the first four characters of
their names, Javascript and Java are not related to each other at
all.
Let’s look at each and why in situations like this it’s so
critical to understand that there is a difference.
Disclaimer: I’ll definitely be over-simplifying here. The pesky details and
the nuances aren’t really that critical and I don’t want them to distract from
the main issue.
Javascript
Javascript is a programming language that is supported natively by
most modern web browsers. That means that the browsers come with the means to
understand and execute Javascript using what’s called an “interpreter.”
Programs or “scripts” written in Javascript are often contained directly in
the HTML pages in which they are used. View the source of even this article on
the Ask Leo! website and you’ll see a few snippets of Javascript used for
various purposes.
Javascript enables richly interactive web pages, turning them from static
displays of text and pictures into small applications capable of often
impressive functionality. Sites like Gmail, Facebook, and others use Javascript
to display, animate, and change content without requiring you to
visit a new “page” for each change. Scroll down your Facebook wall and it’s
Javascript that keeps downloading and adding more content to the page the
further you scroll.
Javascript has become so popular and so prevalent in web design that it’s
difficult to use many sites without it.
Java
Java is a programming language that’s not natively supported by
browsers, but when used on websites, requires the download and installation of a
“Java Virtual Machine” or JVM, now more commonly referred to as the Java
Runtime Environment (JRE).
Programs written in Java are typically compiled into an intermediate form
that is more efficiently executed by the JRE than the original source would be.
As such, Java programs are typically separate downloads referenced by, but not
actually included within, web pages that happen to make use of Java
applications.
Java programs are not limited to being embedded in web pages or other
containers. There are many standalone applications written directly in Java
that run and execute like any other program and may not be related to the web
or internet at all. Fundamentally, Java is just another programming language
that can be used for almost any purpose, only one of those purposes being
embedded into web pages.
Regardless of where or how it’s used – embedded in a web page or as a
standalone program – it’s the same Java Runtime that’s used in each case.
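To make the distinction concrete, here is an added example (not part of the original article) that scans a page's HTML and separates the Javascript the browser itself runs from the Java applets that are separate downloads handed to the Java Runtime. The sample page, the `EmbedAudit` class, and the `audit` function are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the article).
SAMPLE_HTML = """<html><head>
<script>document.title = "hello";</script>
<script src="/static/app.js"></script>
</head><body>
<applet code="Crossword.class" archive="crossword.jar" width="400" height="400"></applet>
<object type="application/x-java-applet" width="200" height="200">
</object>
<embed type="application/x-shockwave-flash" src="movie.swf">
</body></html>"""

# MIME type prefixes that hand content to the Java plug-in rather than the browser.
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-vm")

class EmbedAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.inline_js = 0      # <script> blocks written directly into the page
        self.external_js = []   # <script src=...> files fetched by the browser
        self.java = []          # applet references: separate downloads for the JRE

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            kind = a.get("type", "").lower()
            if kind and kind != "module" and "javascript" not in kind:
                return  # e.g. JSON data blocks, which the browser does not execute
            if a.get("src"):
                self.external_js.append(a["src"])
            else:
                self.inline_js += 1
        elif tag == "applet":
            self.java.append(a.get("archive") or a.get("code") or "(applet)")
        elif tag in ("object", "embed"):
            mime, classid = a.get("type", "").lower(), a.get("classid", "").lower()
            if mime.startswith(JAVA_MIME_PREFIXES) or classid.startswith("java:"):
                self.java.append(a.get("data") or a.get("src") or mime or classid)

def audit(html):
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return {"inline_js": parser.inline_js, "external_js": parser.external_js,
            "java": parser.java, "needs_java_plugin": bool(parser.java)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```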
Visibility
Whereas Javascript tends to be part of and interact with the web
page on which it is hosted, Java applications on web pages tend to be more
self-contained and restricted to a rectangle on the page (which, sometimes, can
be the entire page).
Unless you’re using advanced configurations or extensions such as NoScript,
Javascript is typically either on or off – usually on. This means that its
presence on or use by a web page may not be obvious.
Java must first be downloaded and installed before it’s available for use in
either web pages or standalone applications. Once downloaded, there’s often no
real indication that a standalone application is using Java.
Browsers will often ask for permission before running Java on a web
page.
Javascript is typically updated with your browser. Keep your browser
up-to-date and you’ll be keeping Javascript up-to-date.
In Windows, Java is a separate application on your computer. It includes its
own update functionality and automatic check.
If Java is installed, you may also find a Java control icon in Control Panel
that will allow you to check for updates immediately.
Enabling and disabling
Javascript
Javascript is enabled and disabled via a setting in your browser’s
options.
In Internet Explorer, it’s buried in Tools, Internet
Options, Security, Custom level…,
in the Scripting section.
In Chrome, it’s in Settings, Advanced,
Javascript.
While a similar setting exists in Firefox, the best approach is to use the
NoScript
plugin to control scripting on a site-by-site basis.
Java
The easiest and safest way to disable Java is simply not to have it
installed, and to uninstall it if it is.
Simply locate Java in the list of installed programs, right-click on it, and
select Uninstall.
This is safe to do, even if you regularly visit a website that required
Java, as the next time you visit, it will automatically prompt you to
re-download and install Java. If you prefer not to have Java installed, you can
decline and that website’s Java-based functionality will not be available.
Web browsers can also disable Java without needing to uninstall it,
typically using settings in the browser’s advanced options, but in general,
uninstalling is by far the easiest approach.
As you can see, disabling Javascript has nothing directly to do with disabling Java and vice
versa. Thus disabling one when you think you are disabling the other (or
because you don’t understand that they are unrelated) can lead to a false sense
of security.
Java & JavaScript: Should you or shouldn’t you?
Given the current application and security landscape, I’ll make the following
recommendations:
- Javascript: In general, leave Javascript enabled and stay
away from questionable sites. The practical fact is that many, many websites
simply will not work if Javascript is disabled. If you are concerned, then the
only true solution is to use Firefox with the NoScript add-on to allow selective
choice of which websites are allowed to use Javascript. Similar-sounding
add-ons for Chrome apparently don’t work reliably and give a false sense of
security. Managing this through IE’s security zones is a confusing
nightmare.
- Java: Uninstall Java unless you’re certain you need it.
It’s not at all uncommon to end up with Java installed because of a website you
visited only once. Uninstall it, and if something you care about breaks,
re-install it. In this case, some security-minded folks recommend having it
enabled in only one browser that you don’t use regularly and explicitly
disabling it in the browser you use day-to-day.
As for me, I just uninstalled Java. I know of only one program that I use that
may eventually require it.
Until then, I’ll run without.
References
JavaScript – Wikipedia includes all of the details, shy of a full language definition, as well as a
summary of the history of JavaScript.
Java (programming language) – Wikipedia – more details including a history of
Java’s origins.
JavaTester.org includes
additional background on Java, as well as a Java version tester if you have
Java installed.
Noscript seems to be blocking me posting a comment on your article
05-Sep-2012
When I heard about the vulnerability, I decided to uninstall Java 7 and go back to 6 (I have a proprietary program at work I must use that is written in Java). Both versions 6 update 22 and version 7 update 5 were in the ‘Programs and Features’ part of control panel to uninstall. I uninstalled version 7. When I open the Java control panel, it says Java 7, but the version is 1.6.0_22-b04. I find that to be very weird. I’m considering uninstalling it also then reinstalling version 6 from scratch. There is also a JavaFX 2.1.1. Should that be uninstalled?
05-Sep-2012
@Kevin,
All of your posts have posted. Try refreshing your browser and see if clearing the cache that way works.
Many thanks for this explanation as it has confused me for a long time. Unfortunately, I am an old widowed senior living alone, and worry about mental deterioration. [we seniors worry about such things] So I play a lot of Sudoku and crossword puzzles every day to exercise the mind. All of them seem to require java and flash. So, I’m stuck with them, but use the FF update links to maintain the most current versions.
I use gotomeeting on a regular basis on my home computer, since I work at home but need to attend online meetings. I also need to regularly access government websites that require Java, but have not been updated to Java 7. They ask for IE 7 and Java 6. I guess they don’t worry about me being an open target….
Hi, Leo. Thanks for the article! I never realized this. Lately, profiles on Facebook in both IE and Firefox have been crashing and on both my computers with both browsers installed. I do regular updates with them and plugins and am wondering if javascript is part of my problem for my frequent crashes that just started a month ago? I updated flash but it didn’t make a difference. Other people are having similar experiences but nobody can determine what is causing it and somebody said it may have to do with flash or javascript. What do you think? I don’t know much about it. Thanks.
05-Sep-2012
Leo, thanks a million for the quick and very easy lesson on Java vs. Javascript. I’ve been confused about them since the last millennium and in a few short paragraphs you have illuminated my understanding. That’s why I keep coming back to Ask Leo.
Leo
Your explanation of the difference between Java and Javascript really helped. I’ve decided to disable the former in my usual browser, Firefox. I’ll leave it enabled in IE.
Dear Leo, I cannot find JavaScript in “Settings, Advanced, JavaScript” as you say in Chrome. I go to Wrench, Settings, Advanced – but no mention of JavaScript.
Today I just got a notice to download a java critical update. However, they thought it is not ready to be released until October. In any event I have removed the Java 6 that I had on my system. Should I download this new update?
05-Sep-2012
@BaliRob
It appears Leo may have inadvertently left out a step. After advanced settings, scroll down to Privacy and click on the “Content settings” button and then select “Do not allow any sites to run JavaScript”
Based on 2011 data, applying JavaScript in exploits became exceedingly fashionable. It seems using NoScript in Firefox provides the best protection, and is worth the little hassle. Also, for practical purposes not all the scripts on a site need to be allowed as long as the resulting level of functionality satisfies the user.
Java is the second worst culprit as far as vulnerabilities are concerned, so its absence may indeed be desirable. Next, documents are increasingly being used for nefarious purposes, while in comparison, Flash might be considered relatively safe nowadays.
I subscribe to Fine Art Webinars from USA. These will not run on my Comp. without Java. However last week advised Java’s “Plugin” out of date & I cannot find where I can access Java “Plugin”. Have updated Java but warning plugins out of date still appears – & I miss my Webinar! I really would appreciate your advice Leo as these Art Tutorials come in each Sat @ 3am AEST. Thank you artysmithy
06-Sep-2012
The option in Chrome is under settings, advanced, privacy, contents settings, javascript ….