Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do Java and Javascript relate to each other?

Question:

As you know, there is much talk on the web about the latest Java
vulnerability, presumably coming from China. As I use Java a lot (being a non-geek !!) and that this is rumored to be quite serious, I would like your opinion
on the matter. The usual remedy on the web is either to uninstall/disable Java
altogether!

When I did this, however, I found that a lot lot of my favorite websites just
did not function (at least not fully!). In particular, my online crosswords
which I really like. So then as I use Firefox exclusively, I downloaded
no-script (can remember that you use it yourself from previous article) and
have used it sparingly (no whitelist’s as yet).

That’s actually just one example of several questions that I received this week
relating to a recently discovered zero-day exploit of an unpatched vulnerability in
Java. My understanding is that a fix is now available, but the scenario has
brought to light something very important:

Many people confuse Java and Javascript.

Java is not Javascript. In fact, other than the first four characters of
their names, Javascript and Java are not related to each other at
all
.

Let’s look at each and why in situations like this it’s so
critical to understand that there is a difference.

Become a Patron of Ask Leo! and go ad-free!

Disclaimer: I’ll definitely be over-simplifying here. The pesky details and
the nuances aren’t really that critical and I don’t want them to distract from
the main issue.

Javascript

Javasscript is a programming language that is supported natively by
most modern web browsers. That means that the browsers come with the means to
understand and execute Javascript using what’s called an “interpreter.”

Programs or “scripts” written in Javascript are often contained directly in
the HTML pages in which they are used. View the source of even this article on
the Ask Leo! website and you’ll see a few snippets of Javascript used for
various purposes.

Javascript enables richly interactive web pages, turning them from static
displays of text and pictures into small applications capable of often
impressive functionality. Sites like Gmail, Facebook, and others use Javascript
to display, animate, and change content without requiring you to
visit a new “page” for each change. Scroll down your Facebook wall and it’s
Javascript that keeps downloading and adding more content to the page the
further you scroll.

“Javascript and Java are not related to each other at
all.”

Javascript has become so popular and so prevalent in web design that it’s
difficult to use many sites without it.

Java

Java is a programming language that’s not natively supported by
browsers, but when used on websites, requires the download and installation of a
“Java Virtual Machine” or JVM, now more commonly referred to as the Java
Runtime Environment (JRE).

Programs written in Java are typically compiled into an intermediate form
that is more efficiently executed by the JRE than the original source would be.
As such, Java programs are typically separate downloads referenced by, but not
actually included within, web pages that happen to make use of Java
applications.

Java programs are not limited to being embedded in web pages or other
containers. There are many standalone applications written directly in Java
that run and execute like any other program and may not be related to the web
or internet at all. Fundamentally, Java is just another programming language
that can be used for almost any purpose, only one of those purposes being
embedded into web pages.

Regardless of where or how it’s used – embedded in a web page or as a
standalone program – it’s the same Java Runtime that’s used in each case.

Visibility

Whereas Javascript tends to be part of and interact with the web
page on which it is hosted, Java applications on web pages tend to be more
self-contained and restricted to a rectangle on the page (which, sometimes, can
be the entire page).

Unless you’re using advanced configurations or extensions such as NoScript,
Javascript is typically either on or off – usually on. This means that its
presence on or use by a web page may not be obvious.

Java must first be downloaded and installed before it’s available for use in
either web pages or standalone applications. Once downloaded, there’s often no
real indication that a standalone application is using Java.

Browsers will often often ask for permission before running Java on a web
page.

Chrome asking permission to execute Java used on a web page

Internet Explorer asking permission to execute Java used on a web page

Javascript is typically updated with your browser. Keep your browser
up-to-date and you’ll be keeping Javascript up-to-date.

In Windows, Java is a separate application on your computer. It includes its
own update functionality and automatic check.

Java Update Notification

If Java is installed, you may also find a Java control icon in Control Panel
that will allow you to check for updates immediately.

Enabling and disabling

Javascript

Javascript is enabled and disabled via a setting in your browser’s
options.

In internet Explorer, it’s buried in Tools, Internet
Options
, Security, Custom level…,
in the Scripting section:

Scripting setting in Internet Explorer

In Chrome, it’s in Settings, Advanced,
Javascript:

Enable Javascript in Chrome

While a similar setting exists in Firefox, the best approach is to use the
NoScript
plugin to control scripting on a site-by-site basis.

Java

The easiest and safest way to disable Java is to simply not have it
installed and uninstalling it if it is:

Java in Control Panel Programs

Simply locate Java in the list of installed programs, right-click on it, and
select Uninstall.

This is safe to do, even if you regularly visit a website that required
Java, as the next time you visit, it will automatically prompt you to
re-download and install Java. If you prefer not to have Java installed, you can
decline and that website’s Java-based functionality will not be available.

Web browsers can also disable Java without needing to uninstall it,
typically using settings in the browser’s advanced options, but in general,
uninstalling is by far the easiest approach.

As you can see, disabling Javascript has nothing directly1 to do with disabling Java and vice
versa. Thus disabling one when you think you are disabling the other (or
because you don’t understand that they are unrelated) can lead to a false sense
of security.

Java & JavaScript: Should you or shouldn’t you?

Given the current application and security landscape, I’ll make the following
recommendations:

  • Javascript: In general, leave Javascript enabled and stay
    away from questionable sites. The practical fact is that many, many websites
    simply will not work if Javascript is disabled. If you are concerned, then the
    only true solution is to use Firefox with the NoScript add-on to allow selective
    choice of which websites are allowed to use Javascript. Similar-sounding
    add-ons for Chrome apparently don’t work reliably and give a false sense of
    security. Managing this through IE’s security zones is a confusing
    nightmare.

  • Java: Uninstall Java unless you’re certain you need it.
    It’s not at all uncommon to end up with Java installed because of a website you
    visited only once. Uninstall it, and if something you care about breaks,
    re-install it. In this case, some security-minded folks recommend having it
    enabled in only one browser that you don’t use regularly and explicitly
    disabling it in the browser you use day-to-day.

As for me, I just uninstalled Java. I know of only one program that I use that
may eventually require it2.
Until then, I’ll run without.

References

JavaScript – Wikipedia includes all of the details, shy of a full language definition, as well as a
summary of the history of JavaScript.

Java
(programming language)
– Wikipedia – more details including a history of
Java’s origins.

JavaTester.org includes
additional background on Java, as well as a Java version tester if you have
Java installed.

1: In some browsers, disabling Javascript has the side effect of
also rendering Java inoperable. When folks realize how many websites are
affected by disabling Javascript and re-enable it, they’re still left vulnerable
to Java issues, when they needn’t be.

2: GoToMeeting / GoToWebinar

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

14 comments on “How do Java and Javascript relate to each other?”

  1. Noscript seems to be blocking me posting a comment on your article

    It would. In order to keep spammers from flooding this site with automated spam I require the use of Javascript to make comments. You need to add an exception for ask-leo.com. As to the cross-site scripting issue that also encounter when previewing – I understand it, but don’t know a way of preventing it other than not previewing. The scripts do cross to another domain of mine when previewing, and unfortunately it would take a fairly large architectural change to the site to fix that.

    Leo
    05-Sep-2012
    Reply
  2. When I heard about the vulnerability, I decided to uninstall Java 7 and go back to 6 (I have a proprietary program at work I must use that is written in Java). Both versions 6 update 22 and version 7 update 5 were in the ‘Programs and Features’ part of control panel to uninstall. I unintstalled version 7. When I open the Java control panel, it say Java 7, but the version is 1.6.0_22-b04. I find that to be very weird. I’m considering uninstalling it also then reinstalling version 6 from scratch. There is also a JavaFX 2.1.1. Should that be uninstalled?

    I uninstalled all of the above with no ill effect.

    Leo
    05-Sep-2012
    Reply
  3. Many thanks for this explanation as it has confused me for a long time. Unfortunately, I am an old widowed senior living alone, and worry about mental deterioration. [we seniors worry about such things] So i play a lot of Sudoku and crossword puzzles every day to exercise the mind. All of them seem to require java and flash. So, I’m stuck with them, but use the FF update links to maintain the most current versions.

    Reply
  4. I use gotomeeting on a regular basis on my home compter, since I work at home but need to attend online meetings. I also need to regularily access government websites that require Java, but have not been updated to Java 7. They ask for IE 7 and Java 6. I guess they don’t worry about me being an open target….

    Reply
  5. Hi, Leo. thanks for the article! I never realized this. lately, profiles on Facebook in both IE and Firefox have been crashing and on both my computers with both browsers installed. I do regular updates with them and plugins and am wondering if javascript is part of my problem for my frequent crashes that just started a month ago? I updated flash but it didn’t make a difference. Other people are having similar experiences but nobody can determine what is causing it and somebody said it hmay have to do with flash or javascript. What do you think? I don’t know much about it. thanks.

    It’s rare that Javascript would be responsible for browser crashes – it’s one of the last things’s I’d consider. At the top of the list, however, would be browser addons and toolbars.

    Leo
    05-Sep-2012
    Reply
  6. Leo, thanks a million for the quick and very easy lesson on Java vs. Javascript. I’ve been confused about them since the last millennium and in a few short paragraphs you have illuminated my understanding. That’s why I keep coming back to Ask Leo.

    Reply
  7. Leo
    Your explanation of the difference between Java and Javascript really helped. I’ve decided to disable the former in my usual browser, Firefox. I’ll leave it enabled in IE.

    Reply
  8. Dear Leo, I cannot find JavaScript in ” Settings, Advanced, JavaScript” as you say in Chrome. I go to Wrench, Settings, Advanced – but no mention of JavaScript.

    Reply
  9. Today I just got a notice to download a java critical update. However, they thought it is not ready to be released until October. In any event I have removed the Java 6 that I had on my system. Should I download this new update?

    Oracle performed an emergency update due to this problem. Unfortunately the update has other problems and most security minded folks will recommend uninstalling Java unless you actually need it.

    Leo
    05-Sep-2012
    Reply
  10. Based on 2011 data, applying JavaScript in exploits became exceedingly fashionable. It seems using NoScript in Firefox provides the best protection, and is worth the little hassle. Also, for practical purposes not all the scripts on a site need to be allowed as long as the resulting level of functionality satisfies the user.

    Java is the second worst culprit as far as vulnerabilities are concerned, so its absence may indeed be desirable. Next, documents are increasingly being used for nefarious purposes, while in comparison, Flash might be considered relatively safe nowadays.

    Reply
  11. I subscribe to Fine Art Webinars from USA. These will not run on my Comp. without Java. However last week advised Java’s” Plugin” out of date & I cannot find where I can access Java “Plugin”, Have updated Java but warning plugins out of date still appears – & I miss my Webinar! I really would appreciate your advice Leo as these Art Tutorials come in each Sat @ 3am AEST. Thankyou artysmithy

    Updating Java should have updated the plugins, but you should be able to get all at java.com.

    Leo
    06-Sep-2012

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.