As you know, there is much talk on the web about the latest Java
vulnerability, presumably coming from China. As I use Java a lot (being a non-geek !!) and that this is rumored to be quite serious, I would like your opinion
on the matter. The usual remedy on the web is either to uninstall/disable Java
When I did this, however, I found that a lot lot of my favorite websites just
did not function (at least not fully!). In particular, my online crosswords
which I really like. So then as I use Firefox exclusively, I downloaded
no-script (can remember that you use it yourself from previous article) and
have used it sparingly (no whitelist’s as yet).
That’s actually just one example of several questions that I received this week
relating to a recently discovered zero-day exploit of an unpatched vulnerability in
Java. My understanding is that a fix is now available, but the scenario has
brought to light something very important:
Let’s look at each and why in situations like this it’s so
critical to understand that there is a difference.
Become a Patron of Ask Leo! and go ad-free!
Disclaimer: I’ll definitely be over-simplifying here. The pesky details and
the nuances aren’t really that critical and I don’t want them to distract from
the main issue.
Javasscript is a programming language that is supported natively by
most modern web browsers. That means that the browsers come with the means to
the HTML pages in which they are used. View the source of even this article on
displays of text and pictures into small applications capable of often
to display, animate, and change content without requiring you to
visit a new “page” for each change. Scroll down your Facebook wall and it’s
further you scroll.
difficult to use many sites without it.
Java is a programming language that’s not natively supported by
browsers, but when used on websites, requires the download and installation of a
“Java Virtual Machine” or JVM, now more commonly referred to as the Java
Runtime Environment (JRE).
Programs written in Java are typically compiled into an intermediate form
that is more efficiently executed by the JRE than the original source would be.
As such, Java programs are typically separate downloads referenced by, but not
actually included within, web pages that happen to make use of Java
Java programs are not limited to being embedded in web pages or other
containers. There are many standalone applications written directly in Java
that run and execute like any other program and may not be related to the web
or internet at all. Fundamentally, Java is just another programming language
that can be used for almost any purpose, only one of those purposes being
embedded into web pages.
Regardless of where or how it’s used – embedded in a web page or as a
standalone program – it’s the same Java Runtime that’s used in each case.
page on which it is hosted, Java applications on web pages tend to be more
self-contained and restricted to a rectangle on the page (which, sometimes, can
be the entire page).
Unless you’re using advanced configurations or extensions such as NoScript,
presence on or use by a web page may not be obvious.
Java must first be downloaded and installed before it’s available for use in
either web pages or standalone applications. Once downloaded, there’s often no
real indication that a standalone application is using Java.
Browsers will often often ask for permission before running Java on a web
In Windows, Java is a separate application on your computer. It includes its
own update functionality and automatic check.
If Java is installed, you may also find a Java control icon in Control Panel
that will allow you to check for updates immediately.
Enabling and disabling
In internet Explorer, it’s buried in Tools, Internet
Options, Security, Custom level…,
in the Scripting section:
In Chrome, it’s in Settings, Advanced,
While a similar setting exists in Firefox, the best approach is to use the
plugin to control scripting on a site-by-site basis.
The easiest and safest way to disable Java is to simply not have it
installed and uninstalling it if it is:
Simply locate Java in the list of installed programs, right-click on it, and
This is safe to do, even if you regularly visit a website that required
Java, as the next time you visit, it will automatically prompt you to
re-download and install Java. If you prefer not to have Java installed, you can
decline and that website’s Java-based functionality will not be available.
Web browsers can also disable Java without needing to uninstall it,
typically using settings in the browser’s advanced options, but in general,
uninstalling is by far the easiest approach.
versa. Thus disabling one when you think you are disabling the other (or
because you don’t understand that they are unrelated) can lead to a false sense
Given the current application and security landscape, I’ll make the following
away from questionable sites. The practical fact is that many, many websites
only true solution is to use Firefox with the NoScript add-on to allow selective
add-ons for Chrome apparently don’t work reliably and give a false sense of
security. Managing this through IE’s security zones is a confusing
Java: Uninstall Java unless you’re certain you need it.
It’s not at all uncommon to end up with Java installed because of a website you
visited only once. Uninstall it, and if something you care about breaks,
re-install it. In this case, some security-minded folks recommend having it
enabled in only one browser that you don’t use regularly and explicitly
disabling it in the browser you use day-to-day.
As for me, I just uninstalled Java. I know of only one program that I use that
may eventually require it2.
Until then, I’ll run without.
(programming language) – Wikipedia – more details including a history of
additional background on Java, as well as a Java version tester if you have
Noscript seems to be blocking me posting a comment on your article
When I heard about the vulnerability, I decided to uninstall Java 7 and go back to 6 (I have a proprietary program at work I must use that is written in Java). Both versions 6 update 22 and version 7 update 5 were in the ‘Programs and Features’ part of control panel to uninstall. I unintstalled version 7. When I open the Java control panel, it say Java 7, but the version is 1.6.0_22-b04. I find that to be very weird. I’m considering uninstalling it also then reinstalling version 6 from scratch. There is also a JavaFX 2.1.1. Should that be uninstalled?
All of your posts have posted. Try refreshing your browser and see if clearing the cache that way works.
Many thanks for this explanation as it has confused me for a long time. Unfortunately, I am an old widowed senior living alone, and worry about mental deterioration. [we seniors worry about such things] So i play a lot of Sudoku and crossword puzzles every day to exercise the mind. All of them seem to require java and flash. So, I’m stuck with them, but use the FF update links to maintain the most current versions.
I use gotomeeting on a regular basis on my home compter, since I work at home but need to attend online meetings. I also need to regularily access government websites that require Java, but have not been updated to Java 7. They ask for IE 7 and Java 6. I guess they don’t worry about me being an open target….
Today I just got a notice to download a java critical update. However, they thought it is not ready to be released until October. In any event I have removed the Java 6 that I had on my system. Should I download this new update?
Java is the second worst culprit as far as vulnerabilities are concerned, so its absence may indeed be desirable. Next, documents are increasingly being used for nefarious purposes, while in comparison, Flash might be considered relatively safe nowadays.
I subscribe to Fine Art Webinars from USA. These will not run on my Comp. without Java. However last week advised Java’s” Plugin” out of date & I cannot find where I can access Java “Plugin”, Have updated Java but warning plugins out of date still appears – & I miss my Webinar! I really would appreciate your advice Leo as these Art Tutorials come in each Sat @ 3am AEST. Thankyou artysmithy