Another vulnerability has been discovered in Java; if Java is installed on your machine, malware authors can exploit it to infect your computer with something as simple as your visiting a malicious or hacked website.
As I write this, there is no update to Java, which means that there is no fix. Technically that makes this a “zero-day exploit”.
The fix that most experts, including myself, are recommending is to remove Java from your machine. Chances are you don’t actually need it anyway.
But before we go further, we have to do the old “Java vs. JavaScript” dance.
Java and Javascript are two different and unrelated things
Because of another exceptionally poor choice of names, there’s always instant confusion when we talk about Java because people often confuse it with JavaScript.
That’s wrong. Java is not Javascript. They are completely unrelated to each other.
Javascript:
- Comes with your web browser; it’s part of Internet Explorer, Firefox, Chrome, and whatever other browser you might happen to have. There is no separate installation for JavaScript.
- Is used by thousands and thousands of websites. Even Ask Leo! requires that JavaScript be enabled in order to post a comment (as part of a spam-prevention technique). Disabling JavaScript globally would render many if not most of the websites that you visit regularly partially to completely unusable.
- Is considered a “scripting” language. While the term is somewhat vague, it generally means that JavaScript is a programming language used to augment some other environment, such as the display of HTML-based web pages in your web browser.
Java:
- Is a separate download. Typically, the first time that you run into a need for Java, it is downloaded and installed at that time.
- Is a programming language used to write larger, full-featured applications.
- Uses a “common runtime” which is installed on your computer to provide features and functionality to the programs written in Java.
- May be installed either by installing a program that happens to use Java or by visiting a web page that itself contains a program written in Java.
- Is used by a more limited selection of applications and websites.
While JavaScript may have its own set of issues from time to time, that’s not what this is about, at all. This is about Java.
You probably don’t need Java
While you almost certainly need JavaScript, it’s quite likely that you do not need Java.
Java is used only by certain applications and websites, and the majority of websites don’t use it.
However, you may have Java installed if you visited such a website, or installed such an application, even once. The installation was required to make that site or application work, but it’s not practical to somehow automatically uninstall it after your visit or after uninstalling the application because there’s simply no way to know if it’s also needed by some other application that remains or site that you visit.
It gets complex very quickly. As a result, once installed, Java remains installed until you explicitly uninstall it.
And that’s exactly what I recommend you do.
Uninstalling Java
In Control Panel, go to Add/Remove Programs (Windows XP) or Programs and Features (Windows 7).
Look for lines titled “Java”, “Java VM”, “Java Update” and the like, all with the Java logo as an icon.
Right-click on each, and select Uninstall.
Once you’re done, you’ve uninstalled Java.
Didn’t find any Java items in the Programs list? Then you’re done before you even started; you didn’t have Java on your machine to begin with.
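As an added example (not from the article itself), the PowerShell script below reads the same registry data that the Add/Remove Programs list is built from and reports any Java-related entries, so you can check a machine without clicking through Control Panel. It also checks the startup entry the Java installer registers for its updater and the setting that the Java Control Panel’s “disable in browser” checkbox writes. The registry paths are the standard Windows Uninstall and Run keys; the deployment.properties path and key name are those used by Java 7 Update 10 and later, and the script only reads, it removes nothing.

```powershell
# Added example: read-only inventory of Java installations on Windows.
# Not part of the Ask Leo! article; assumes Windows PowerShell 3.0 or later.

# Add/Remove Programs is populated from these Uninstall keys
# (WOW6432Node holds 32-bit Java on 64-bit Windows).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Display names seen in the article and comments: "Java(TM) 6 Update 7",
# "Java 7 Update 11", "J2SE Runtime Environment 5.0", "JavaFX 2.1.1", ...
$javaPattern = '^(Java|J2SE|J2RE)'

$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -and $p.DisplayName -match $javaPattern) {
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                UninstallString = $p.UninstallString   # what "Uninstall" runs
            }
        }
    }
}

if ($found) {
    'Java-related entries that Add/Remove Programs would list:'
    $found | Format-Table -AutoSize
} else {
    'No Java entries found; there is nothing to uninstall.'
}

# The installer registers its update scheduler (jusched.exe) under the Run key
# as SunJavaUpdateSched. If the file is gone but the value remains, Windows
# reports that it cannot find jusched.exe at every boot.
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
        -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SunJavaUpdateSched']) {
    "Startup entry still present: $($run.SunJavaUpdateSched)"
    if (-not (Test-Path ($run.SunJavaUpdateSched -replace '"', ''))) {
        '  ...but the file does not exist; this stale value causes a boot-time error.'
    }
}

# The "disable in browser" checkbox (Java 7 Update 10+) writes this per-user setting.
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $props) {
    $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' | Select-Object -First 1
    if ($line) { "Browser plugin setting: $($line.Line)" }
    else       { 'Browser plugin setting not recorded (defaults to enabled).' }
}
```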
Disabling Java
Disabling Java in your browser without removing it can be a complex task. I strongly recommend that you follow the process above to uninstall it from your computer completely.
However, as we’ll see in a moment, that might not be practical.
Rather than reinvent the wheel, here are instructions from Sophos’ Naked Security site on disabling Java in Internet Explorer. At the end of their instructions are links to similar instructions for Firefox, Chrome, Safari, and Opera.
What if it turns out I need Java?
After successfully uninstalling Java using the instructions above, you may encounter this when you visit a website that requires or uses Java:
Depending on the browser, you may instead or also see a notification telling you that “Java(TM) is required to display some elements on this page.”
If you run a program on your PC that uses Java, you’ll see a similar error message (exact wording will depend on the program) indicating that Java is required, but not present.
You have a decision to make.
In my order of preference:
- Live without that website or program. Perhaps find an alternative that does not use Java.
- Reinstall Java on a separate “sacrificial machine” or virtual machine and use that to access these sites or run these programs, leaving it off the rest of the time.
- Reinstall Java, but disable it in all browsers except for one, which you use only to access the sites that require it. Use a different browser with Java disabled for your day-to-day web surfing.
- Reinstall Java and be super-extra-careful.
In any of the circumstances that involve re-installing Java, make certain to always keep Java up to date. Letting it update itself is the preferred approach, if offered.
Why is this such a mess?
The current situation isn’t an indictment of Java as a programming language – it actually is a pretty cool language, and ironically was itself designed with security in mind. One of its original selling points (‘write once, run everywhere’), while technically not 100% accurate, is a very popular reason for many to have adopted Java as a technology.
No, the devil here is certainly in the details.
All software has bugs, make no mistake. Even your favorite never-had-an-issue program that you use every day, whatever it is and whatever computer it’s running on, has bugs.
And so does the implementation of Java. It’s not the programs written in Java that are at issue (although they certainly have bugs of their own). The issue here is in that common runtime – often referred to as the “Java VM” or “Java Virtual Machine” – I mentioned earlier. It’s just software too, and like all software, it has bugs.
It might even have more than average, although I’m not going to say that for certain.
And it’s installed on a lot of machines.
As Java has become more popular over time, it’s become worth the time of hackers to see if there are bugs that haven’t been fixed that they can exploit. Its popularity with hackers may not be based on millions of people actively using it, but rather on millions of computers that happen to have Java installed because a website requiring it was visited once upon a time.
Update
In response to some of the comments:
- Yes, a fix was released for the most recent problem. I still encourage people to uninstall Java, simply because most don’t need it, and this is not the first time we’ve been in this position, and it simply seems likely to happen again. If you do need to keep Java, then as I said above keep it (and all your software) up to date.
- J2RE is a part of Java and can be removed.
- Javascript (which is not Java) does not appear in the add/remove programs list, as it’s part of your browser and not a separate install.
(Update added January 12, 2013.)
Update to the Update
Several people have noted that:
- A fix was released.
- Java version 6 didn’t have the problem.
I have to stress that this is about much more than just a single vulnerability.
As it turns out, within days of the bug fix release hackers announced that they had found at least two more vulnerabilities in Java 7.
In my opinion the track record for Java vulnerabilities is poor enough that I continue to strongly recommend that you uninstall all versions unless you’re certain that you need it. (And uninstalling it to find out if you need it is also, in my opinion, a valid approach.)
(Update added January 22, 2013.)
Additional references
Javatester.org, includes a partial list of applications and sites that use or require Java.
How do I disable Java in my web browser?, instructions from Oracle.
Java Update uninstalled. Now, what about J2SE Runtime Environment 5.0? Has a Java icon. Thx for the usable and clear advice.
I installed Java 7 Update 10 on 10th of January. Does this fix the vulnerability you mention? I can understand your reluctance to put a date in an article but in this case maybe it would be better than putting in “As I write…”?
13-Jan-2013
@Carol: This is probably Java version 5 which is really really old. I would uninstall it.
@Gerard: No. All editions of Java 7 have the latest flaw. Java 6 does not have this flaw (which does NOT mean that it’s perfectly safe). The good news with Update 10 that you have is that Java use by web browsers can be totally disabled with a single checkbox. See the Java Control Panel in the Windows control panel, Security tab.
Disabling Java in Internet Explorer, while leaving it enabled in other browsers is arguably impossible. This from Oracle themselves which says the only way to fully disable Java in IE is with the just mentioned checkbox introduced with Java 7 Update 10 that disables Java in ALL browsers, system wide.
For much more on this topic see
How to be as safe as possible with Java
http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java
13-Jan-2013
J2SE is not needed anymore as the new Java 7 has it built in. I had an issue where I had to remove all Java, including J2SE, and Firefox would not recognize that the new Java update was installed. So I went to the Java website and it said to remove all Java, including this, and re-install standalone Java, and it is all included. Now on to disabling Java: there is a new feature inside the Java console under Security; untick “disable in browser” and you’re done. All disabled in the browser and only on the machine for programs that need it.
@Carol
Uninstalling Java means uninstalling all of Java, including J2SE Runtime Environment 5.0 and anything with the Java name and icon, but not Javascript which is not Java.
What about running Java on a Mac running OS X Mountain Lion. Does it still apply that it is best to uninstall it?
15-Jan-2013
Should I also remove: Java2 Runtime Environment SEv1.4.2-03?
15-Jan-2013
Thank you so much for this. I uninstalled Java and another problem I was having went away – see below.
Should I also uninstall JRE and J2SE Runtime Environment?
There’s a forum on which I’m following a thread. Whenever there’s a reply, it auto-emails me and also shows a link to the thread. However, clicking on the link takes me to a site URL4SHORT. Uninstalling Java has stopped those diverts but if you search the internet for URL4SHORT you will see that this is a big problem for many users. What could be behind the problem? I bet you’ll find out, Leo! Keep up the good work & thanks again.
Hi Leo. Thanks for that. Running Windows Vista Home Premium on an HP Notebook computer. Found three instances of Java in my “Add/Remove Programs” list. Two I was able to uninstall without any problem, but the third Java (TM) 6 Update 7 refuses to uninstall. I get the following error message “Error 1719 – Windows Installer cannot be accessed. This may be because it is not properly installed. Contact your support personnel”. Can you advise me please?
I was able easily to remove Java from the control panel, several Java listings. However, an icon remained on the control panel. I selected it and tried to bring it up, but without success. I did not select it and use the delete function. Should this icon be deleted also?
15-Jan-2013
What is Java FX 2.1.1., is this also a problem?
15-Jan-2013
Hi Leo and everybody, today I got a message to update this JAVA problem; it appears there is a fix by updating JAVA to 11. You can do this in your control panel (XP on mine): right click the ICON and open to the tab, then check for the update tab. It only took a few minutes to complete, but watch for the freebie in the check box; uncheck it if you don’t want it before you go to the “next” box. 1/15/13
15-Jan-2013
I used Revo Uninstaller to remove Java from v6 up to 11. Works better than Add/Remove Programs, IMHO.
Is J2SE Java or JavaScript or something else? It had the Java logo. I uninstalled it. ?
Thanks.
15-Jan-2013
I heard on the radio the other day about removing Java; so I immediately removed all Java files (it wasn’t listed as a program on the list of programs). However I did include all Javascript files when I deleted the files. So what do I do now?
15-Jan-2013
@Cameron
Since Java can run on a Mac, this vulnerability can be exploited on a Mac. While, there is probably less of a chance that the malware would affect a Mac, the possibility definitely exists.
@Gerry
JavaScript isn’t a program, so it isn’t listed in Add/Remove Programs. It is a language which is processed by web browsers. JavaScript can be disabled in most web browsers in the browser settings or options.
@John Mason
I’d try Revo Uninstaller, it often uninstalls things that Windows won’t uninstall.
Oracle says that the Java update issued on Sunday ( 7.11) solves the problem in version 7.10.
15-Jan-2013
As a researcher in molecular biology/genetics, we are absolutely dependent upon programs that run in Java. Is there a way to restrict Java to certain trusted websites/programs?
15-Jan-2013
Leo’s contribution to this subject is, of course, not the only one, but in many the distinction between Java and JavaScript is just not made or even alluded to. If ever there was proof of the value of Leo’s service to us all, this is it. So very worthwhile to bookmark. Thank you, Leo.
Does an earlier version of Sun Java work or not?
16-Jan-2013
Thank You Leo for these wonderful articles. Thank You again for the simple & practical ways to AVOID problems…. Your articles are structured & systematic and is helpful for not so computer savvy people like us….. Software experts can differ & argue on several aspects……!!!! There is no Fix for that…
Hi,
Just found the new update
Java (Version 7 Update 11)
said the bug fixed.
16-Jan-2013
Hi Leo
I think your recommendation to remove Sun Java is too draconian. It is useful for many websites and videos. If the user has a good AV kit (i.e. Kaspersky IP 2013) any Java weaknesses are immediately detected and a fix offered.
Happy new Year
John
I found that earlier versions of Java, like Java 6, are NOT vulnerable. I am using Java 6, so this not a problem for me, at least for now. See below:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Last revised:01/17/2013
NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.
22-Jan-2013
I removed JAVA that I found in the add/remove programs but the next time and every time now when I boot up the computer hangs and then there is a message saying it can’t find:
C:\program files\common files\JAVA\JAVA UPDATE\JUSCHED.EXE
I click OK and get on with life but I think I should do something about this shouldn’t I? I used CCleaner but this message still appears. Thanks for all you do.
22-Jan-2013
I followed the instructions and uninstalled java- now I have no available personal/private messaging in Facebook- not sure how, if at all, the two are related but it happened immediately! How might I fix what my FB needs! I can chat in the message box but not private messaging- get a blank screen or a message box with to way to input a name or message- or send! Thanks!!!
22-Jan-2013
Thanks Leo! I read your article, which I greatly appreciate. So I uninstalled Java in Win7 and that’s fine. However, now I am noticing a lot of videos require Adobe Flash Player. When I download the new version it finishes and says it’s running, but the video apps don’t recognize it. Then the Flash site doesn’t find an installed version. These are little Facebook and YouTube videos, nothing fancy, and not all videos ask for the Flash Player. So I was told to reinstall Java so I could get Adobe Flash to run. However, I am concerned about the basic holiness of this Java app, as you have said; maybe THAT problem was fixed but the next one’s right around the corner (yes, I read that in your article :) So should I reinstall Java to get Flash to work, or is there another way? Does it have something to do with ActiveX, and is that safe? My main goal is to have Flash work, but if that is unsafe I will do my best to live without it. I’ve got Norton AV and protect. Java I usually don’t need, but now with Flash I might? Thanks!
29-Jan-2013
I have Windows 8 and when I try to remove Java I get a pop-up asking if I want to allow Java to make changes to my computer. When I click “no” the uninstall discontinues. I tried clicking “yes” and Oracle proceeded to load an updated Java version (I assume). I cancelled the upload and tried uninstalling and again received the request to allow Oracle to update. What gives?
@HW Pelt
Click yes and allow the process to complete. That sounds like it’s the Java uninstaller asking for permission. I’ve had similar experiences with other programs. If not, at least you’ll have a patched Java, which is better than leaving it the way it is.
Hi Leo, or indeed anyone else reading this question …
I am trying uninstall Java, after Windows Installer thinks about it for a while the following dialogue comes up “Do you want to allow the following programme (i.e. Java) to make changes to your computer?” It may seem obvious that I should click yes, however I’m concerned that if I do that it will do other things to my machine that I don’t want it to. Most programmes I’ve uninstalled have not asked that question before, and I want to check that clicking yes to this question won’t actually embed the programme even further into my machine. Your advice would be appreciated. Thanks, Liz
Yes. You are authorizing the Java uninstaller to uninstall (i.e. make changes).
When I try to uninstall Java this message comes up: “An unidentified program wants to access your computer. Have you used this program before and do you trust it?” I then have to make a choice as to whether to allow access to this unidentified program. When I choose “No” Java still remains in my computer. Of course I am not told the name of the unidentified program.
How can I proceed to uninstall Java?
What it sounds like is that “unidentified program” is the Java uninstaller. Allowing it to run might uninstall Java.
The NSA just listed a number of memory-safe programming languages and Java is on the list. Of the ones I’m familiar with, the listed languages are higher-level languages that don’t have access to the more sensitive parts of the system. Has Java’s security improved since this article was written?
The NSA list of memory-safe programming languages has been updated. In no particular order, the NSA suggests these memory-safe programming languages:
- Go
- Rust
- C#
- Swift
- Java
- Ruby
- Python
- Delphi/Object Pascal
- Ada
Memory-safe isn’t quite the same as “secure”. Memory safe simply means it’s difficult to access memory you didn’t intend to (buffer overruns, for example). That’s almost trivial in C/C++.
So memory-safe removes one common way that vulnerabilities happen. But not all. :-)
To be fair, I suspect Java has been updated quite a bit in the years since this article was written.