Another vulnerability has been discovered in Java; if Java is installed on your machine, malware authors can exploit it to infect your computer with something as simple as your visiting a malicious or hacked website.
As I write this, there is no update to Java, which means that there is no fix. Technically that makes this a “zero-day exploit”.
The fix that most experts, including myself, are recommending is to remove Java from your machine. Chances are you don’t actually need it anyway.
But before we go further, we have to do the old “Java vs. JavaScript” dance.
Become a Patron of Ask Leo! and go ad-free!
Java and Javascript are two different and unrelated things
Because of another exceptionally poor choice of names, there’s always instant confusion when we talk about Java because people often confuse it with JavaScript.
That’s wrong. Java is not Javascript. They are completely unrelated to each other.
Javascript:
Javascript: (not to be confused with Java) is a computer programming language that is most commonly used to … continue reading.
From the Ask Leo! Glossary
- Comes with your web browser; it’s part of Internet Explorer, Firefox, Chrome, and whatever other browser you might happen to have. There is no separate installation for JavaScript.
- Is used by thousands and thousands of websites. Even Ask Leo! requires that JavaScript be enabled in order to post a comment (as part of a spam-prevention technique). Disabling JavaScript globally would render many if not most of the websites that you visit regularly partially to completely unusable.
- Is considered a “scripting” language. While the term is somewhat vague, it generally means that JavaScript is a programming language used to augment some other environment, such as the display of HTML-based web pages in your web browser.
Java:
Java: (not to be confused with Javascript) is a general purpose programming language designed, as much as possible, to … continue reading.
From the Ask Leo! Glossary
- Is a separate download. Typically, the first time that you run into a need for Java, it is downloaded and installed at that time.
- Is a programming language used to write larger, full-featured applications.
- Uses a “common runtime” which is installed on your computer to provide features and functionality to the programs written in Java.
- May be installed either by installing a program that happens to use Java or by visiting a web page that itself contains a program written in Java.
- Is used by a more limited selection of applications and websites.
While JavaScript may have its own set of issues from time to time, that’s not what this is about, at all. This is about Java.
However, you may have Java installed if you visited such a website, or installed such an application, even once …
You probably don’t need Java
While you almost certainly need JavaScript, it’s quite likely that you do not need Java.
Java is used only by certain applications and websites, and the majority of websites don’t use it.
However, you may have Java installed if you visited such a website, or installed such an application, even once. The installation was required to make that site or application work, but it’s not practical to somehow automatically uninstall it after your visit or after uninstalling the application because there’s simply no way to know if it’s also needed by some other application that remains or site that you visit.
It gets complex very quickly. As a result, once installed, Java remains installed until you explicitly uninstall it.
And that’s exactly what I recommend you do.
Uninstalling Java
In Control Panel, go to Add/Remove Programs (Windows XP) or Programs and Features (Windows 7).
Look for lines titled “Java”, “Java VM”, “Java Update” and the like, all with the Java logo as an icon.
Right-click on each, and select Uninstall.
Once you’re done, you’ve uninstalled Java.
Didn’t find any Java items in the Programs list? Then you’re done before you even started; you didn’t have Java on your machine to begin with.
Disabling Java
Disabling Java in your browser without removing it can be a complex task. I strongly recommend that you follow the process above to uninstall it from your computer completely.
However, as we’ll see in a moment, that might not be practical.
Rather than reinvent the wheel, here are instructions from Sophos’ Naked Security site on disabling Java in Internet Explorer. At the end of their instructions are links to similar instructions for Firefox, Chrome, Safari, and Opera.
What if it turns out I need Java?
After successfully uninstalling Java using the instructions above, you may encounter this when you visit a website that requires or uses Java:
Depending on the browser, you may instead or also see a notification telling you that “Java(TM) is required to display some elements on this page.”
If you run a program on your PC that uses Java, you’ll see a similar error message (exact wording will depend on the program) indicating that Java is required, but not present.
You have a decision to make.
In my order of preference:
- Live without that website or program. Perhaps find an alternative that does not use Java.
- Reinstall Java on a separate “sacrificial machine” or virtual machine and use that to access these sites or run these programs, leaving it off the rest of the time.
- Reinstall Java, but disable it in all browsers except for one, which you use only to access the sites that require it. Use a different browser with Java disabled for your day-to-day web surfing.
- Reinstall Java and be super-extra-careful.
In any of the circumstances that involve re-installing Java, make certain to always keep Java up to date. Letting it update itself is the preferred approach, if offered.
Why is this such a mess?
The current situation isn’t an indictment of Java as a programming language – it actually is a pretty cool language, and ironically was itself designed with security in mind. One of its original selling points (‘write once, run everywhere’), while technically not 100% accurate, is a very popular reason for many to have adopted Java as a technology.
No, the devil here is certainly in the details.
All software has bugs, make no mistake. Even your favorite never-had-an-issue program that you use every day, whatever it is and whatever computer it’s running on, has bugs.
And so does the implementation of Java. It’s not the programs written in Java that are at issue (although they certainly have bugs of their own). The issue here is in that common runtime – often referred to as the “Java VM” or “Java Virtual Machine” – I mentioned earlier. It’s just software too, and like all software, it has bugs.
It might even have more than average, although I’m not going to say that for certain.
And it’s installed on a lot of machines.
As Java has become more popular over time, it’s become worth the time of hackers to see if there are bugs that haven’t been fixed that they can exploit. It’s popularity for hackers may not be based on millions of people actively using it, but rather millions of computers that happen to have Java installed because a website requiring it was visited once upon a time.
Update
In response to some of the comments:
- Yes, a fix was released for the most recent problem. I still encourage people to uninstall Java, simply because most don’t need it, and this is not the first time we’ve been in this position, and it simply seems likely to happen again. If you do need to keep Java, then as I said above keep it (and all your software) up to date.
- J2RE is a part of Java and can be removed.
- Javascript (which is not Java) does not appear in the add/remove programs list, as it’s part of your browser and not a separate install.
(Update added January 12, 2013.)
Update to the Update
Several people have noted that:
- A fix was released.
- Java version 6 didn’t have the problem.
I have to stress that this is about much more than just a single vulnerability.
As it turns out, within days of the bug fix release hackers announced that they had found at least two more vulnerabilities in Java 7.
In my opinion the track record for Java vulnerabilities is poor enough that I continue to strongly recommend that you uninstall all versions unless you’re certain that you need it. (And uninstalling it to find out if you need it is also, in my opinion, a valid approach.)
(Update added January 22, 2013.)
Additional references
Javatester.org, includes a partial list of applications and sites that use or require Java.
How do I disable Java in my web browser?, instructions from Oracle.
Java Update uninstalled. Now, what about J2SE Runtime Environment 5.0? Has a Java icon. Thx for the usable and clear advice.
I installed Java 7 Update 10 on 10th of January. Does this fix the vulnerability you mention? I can understand your reluctance to put a date in an article but in this case maybe it would be better than putting in “As I write…”?
13-Jan-2013
@Carol: This is probably Java version 5 which is really really old. I would uninstall it.
@Gerard: No. All editions of Java 7 have the latest flaw. Java 6 does not have this flaw (which does NOT mean that its perfectly safe). The good new with Update 10 that you have is that Java use by web browsers can be totally disabled with a single checkbox. See the Java Control Panel in the Windows control panel, Security tab.
Disabling Java in Internet Explorer, while leaving it enabled in other browsers is arguably impossible. This from Oracle themselves which says the only way to fully disable Java in IE is with the just mentioned checkbox introduced with Java 7 Update 10 that disables Java in ALL browsers, system wide.
For much more on this topic see
How to be as safe as possible with Java
http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java
13-Jan-2013
J2SE is not needed anymore as the new java 7 has it built in. i had a issue were i had to remove all java including j2se ad the firefox would not recognize the new java update was installed. so i went to website for java and it said to remove all java including this and re-install standalone java and it is all included. Now on to disabling java there is a new feature inside java console under security untick disable in browser and your done. all disabled in browser and only on the machine for programs that need it.
@Carol
Uninstalling Java means uninstalling all of Java, including J2SE Runtime Environment 5.0 and anything with the Java name and icon, but not Javascript which is not Java.
Thank you for your reply i now have uninstalled Java 7 update 9 thank you Leo for your advice
What about running Java on a Mac running OS X Mountain Lion. Does it still apply that it is best to uninstall it?
15-Jan-2013
Thanks for keeping us up to date on this issue. Unfortunately, I seem to need Java. I have disabled it in Firefox and IE but I keep having to enable it for one site or another, the latest being Ticketmaster.
I did just install v.7 update 11 as recommended by Javatester, but I’m keeping it disabled for now….
Dear Leo, I have removed Java from the computer BUT how is Java Script recorded in ADD/Remove so that I can ensure that I do not remove it ?
15-Jan-2013
Under XP, I found ONLY Java 7 Update 9, and JavaFX2.1.1. No other Java was found. Are they trouble and how do I get rid of these?
Jack
15-Jan-2013
Re: Java and it’s problems, as of 1/14/13 on both my home & work computer, I have gotten the pop-up “Update your Java”. Should I be doing this now and HOPE that it is the “fix”? I’ve not seen anything on the news about a fix yet.
15-Jan-2013
Should I also remove: Java2 Runtime Environment SEv1.4.2-03?
15-Jan-2013
Thank you so much for this. I uninstalled Java and another problem I was having went away – see below.
Should I also uninstal JRE and J2SE Runtime Environment?
There’s a forum on which I’m following a thread. Whenever there’s a reply, it auto-emails me and also shows a link to the thread. However, clicking on the link takes me to a site URL4SHORT. Uninstalling Java has stopped those diverts but if you search the internet for URL4SHORT you will see that this is a big problem for many users. What could be behind the problem? I bet you’ll find out, Leo! Keep up the good work & thanks again.
Hi Leo. Thanks for that. Running Windows Vista Home Premium on an HP Notebook computer. Found three instances of Java in my “Add/Remove Programs” list. Two I was able to uninstall without any problem, but the third Java (TM) 6 Update 7 refuses to uninstall. I get the following error message “Error 1719 – Windows Installer cannot be accessed. This may be because it is not properly installed. Contact your support personnel”. Can you advise me please?
Thanks so much, Leo!!! Love your column :)
Best solution: Live without a PC!
I cannot find Java in my programs buy it is on my uninstall list in two items that must be installed before they can be uninstalled. I seem to be in a catch 22. Is there a solution? read your article with interest.
I was able easily to remove Java from the control
panel, several Java listings. However, an icon
remained on the control panel. I selected it and tried
to bring it up, but without success. I did not select it
and use the delete function. Should this icon be
deleted also?
15-Jan-2013
What is Java FX 2.1.1., is this also a problem?
15-Jan-2013
I was too fast to follow Leo’s advice (respect)BUT as usually, I didn’t have to as a patch was found,and most important for me……i couldn’t play chess on line,so i learned my lesson
15-Jan-2013
Hi Leo and everybody, today I gota message to update this JAVA problem, it appears there is a fix by updating to JAVA to 11. You can do this in your control panel (XP on mine) right click the ICON and open to the tab, then check for the update tab, it only took a few minutes to complete, but watch for the freebee in the check box, uncheck if you don’t want it before you go to the “next” box. 1/15/13
15-Jan-2013
i used revo uninstaller to remove java from v6 up to 11.. works better than add/remove programs imho.
i did disable java. after reading your article i went into programs to uninstall. this is what happened. java7 update9 would not allow me to uninstall. the message came up as follows:
first box – windows installer, preparing to remove. next window –
an unidentified program wants to access your computer’ cancel, i don’t know where this program is from –
allow i trust this program i know where it is from or i’ve used it before.
this is the first time this ever
happened when i uninstalled a program.
just in case i use vista home basics and i did not do anything yet. thank you leo
Is J2SE Java or JavaScript or something else? It had the Java logo. I uninstalled it. ?
Thanks.
15-Jan-2013
I heard on the radio the other day about removing Java; so I immediately removed all Java files (it wasn’t listed as a program on the list of programs). However I did include all Javascript files when I deleted the files. So what do I do now?
15-Jan-2013
@Cameron
Since Java can run on a Mac, this vulnerability can be exploited on a Mac. While, there is probably less of a chance that the malware would affect a Mac, the possibility definitely exists.
@Gerry
JavaScript isn’t a program, so it isn’t listed in Add/Remove Programs. It is a language which is processed by web browsers. JavaScript can be disabled in most web browsers in the browser settings or options.
@John Mason
I’d try Revo Uninstaller, it often uninstalls things that Windows won’t uninstall.
Oracle says that the Java update issued on Sunday ( 7.11) solves the problem in version 7.10.
15-Jan-2013
As a researcher in molecular biology/genetics, we are absolutely dependent upon programs that run in Java. Is there a way to restrict Java to certain trusted websites/programs?
15-Jan-2013
Leo’s contribution contribution to this subject is, of course, not the only one but in many the distinction between Java and JavaScript is just not made or even alluded to. If ever there was proof of the value of Leo’s service to us all – this is it. So very worthwhile to Bookmark – thankyou Leo.
An extremely useful and well-written article for all us uninitiated computer users who try to keep up with “progress”. I’ve removed all Java including the update 7.11. But, it occurred to me to ask you why an exploit, even targeted at a software program (it’s listed under “programs” in my Win XP), isn’t going to be caught or detected by my antivirus program (Avast) or Malwarebytes (running in the background)? If not detectable, how much “damage” can the exploit actually do if users follow prudent operating precautions? Would System Restore be usable if infected? I have also followed your advice and routinely image my Dell laptop.
Just because YOU don’t want/need it, doesn’t mean that your readers don’t want and need it… you are selling too much of the MacroSloth line here. The exploit is well understood, only affects web browsers and has a fix. Stop selling FUD and start sharing facts!
Leo, you have been a godsend for many many peoople. Thank you for being here, and I LOVE to see what you are writing about in every issue. I have read about this recent java issue, in about 4 different places: cnet, pitstop,Bob Rankin and others. And they ALL say exactly what you are saying Leo. So MR.Gimbrone, Leo is not feeding or selling us “bull”, it is fact, and just because someone says there is a fix, it does not mean it is fixed and all your problems gone. Just be safe and disable it.
Are there programs that use Java internally, without requiring updates like one would expect?
Perhaps a better question is can you name any programs/webfiles that can profile these problems (other than Belarc Advisor) and help you decide what to use and avoid?
I occasionally get alerts from my AV browser about these types of exploits (maybe Javascript) and I can’t find anything in Add/Remove (I removed all I found long ago as well). As Microsoft makes several patches each month for similar exploits STILL in XP, Javascript itself is apparently a large target of hackers as well.
Is the .NET platform a response to these issues, I wonder?
I hope I’m not being paranoid, and thank you for everything you do, you are a godsend of simplicity and reason.
Is earlier version of the Sun Java work or not?
16-Jan-2013
Thank You Leo for these wonderful articles. Thank You again for the simple & practical ways to AVOID problems…. Your articles are structured & systematic and is helpful for not so computer savvy people like us….. Software experts can differ & argue on several aspects……!!!! There is no Fix for that…
Hi,
Just found the new update
Java (Version 7 Update 11)
said the bug fixed.
16-Jan-2013
Hi Leo
Here we go again with Java. Alas as I am addicted to crosswords I do need to run it. When I first learned of the latest and quite serious disaster I did indeed uninstall including manually editing the registry. When I learned of the latest update (Java 7 Update 11), I decided to reinstall through the Firefox plug-in (Which at that stage was not making any rumbling noises of discontent). This of course installed Java in IE also. I then disabled Java through tools etc, and installed no-script in Firefox. This besides no-script being a terrible pain in the arse to use properly. Prior to posting this I further disabled Java through the security option in the Java icon, so am wondering if this will post (JavaScript is enabled temporarily). Further to this all temporary permissions are revoked immediately on finishing crosswords or whatever I use Java with.
Question is:- Am I doing enough ?
NB Am having trouble with preview and posting so will give further permissions to your article and see what happens !
Hi again
Post did get through but it appears that to enable JavaScript in No-Script requires that “Enable all on this page” has to be clicked.
Hi Leo
I think your recommendation to remove Sun java is too draconian. It is useful for many websites and videos. If the user has a good AV kit (ie Kaspersky IP 2013) any Java weakneses are immediatel detected and a fix offered.
Happy new Year
John
thanks Leo..I checked my Firefox plug ins and Java is disabled [ I run no-script religeously as well ] I noted that this plug in comes with a warning and a recomendation to disable it anyway even in the table of plug ins – good to see and i don’t run IE anyway as its a P.I.T.A so i disabled it. Good thing too because I have come across some sites that premote a error box which sez “error opening IE” Waaaa!, I’m running firefox so why the hell would a site try and open IE on the side ? Hee Hee not caught out yet by golly.
Thanks for this article. I used to subscribe to a foreign language website, Camino del Exito, which used Java. I was thinking of subscribing to it again; now I won’t. Although it was a really good website for learning Spanish, I just don’t want to take the chance and infect my computer. Keep up the good work, Leo:)
I was unsuccessful in Uninstalling Java 7 update 9 from Win764 IE, even fresh from a restart. The procedure beginss, prepares, confirms and then seems to disappear without a trace, leaving the item still listed. Repeated 5 times just to be sure. I then went through the recommended disabling procedure, with no problems.
But why can’t I get rid of Java completely ?
16-Jan-2013
I believe that Pogo requires that Java be installed on a PC. My wife is a religious user of Pogo. So, if I follow Leo’s advice, I will probably need advice on a good divorce lawyer.
I found that earlier versions of Java, like Java 6, are NOT vulnerable. I am using Java 6, so this not a problem for me, at least for now. See below:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Last revised:01/17/2013
NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.
22-Jan-2013
I removed JAVA that I found in the add/remove programs but the next time and every time now when I boot up the computer hangs and then there is a message saying it can’t find:
C:program filescommon filesJAVAJAVA UPDATEJUSCHED.EXE
I click OK and get on with life but I think I should do something about this shouldn’t I? I used CCleaner but this message still appears. Thanks for all you do.
22-Jan-2013
I followed the instructions and uninstalled java- now I have no available personal/private messaging in Facebook- not sure how, if at all, the two are related but it happened immediately! How might I fix what my FB needs! I can chat in the message box but not private messaging- get a blank screen or a message box with to way to input a name or message- or send! Thanks!!!
22-Jan-2013
thanks Leo! i read your article which i greatly appreciate. so i uninstalled java in win7 and thats fine. however now i am noticing a lot of videos require adobe flash player. when i download the new version it finishes and says its running but the video apps dont recognize it. then the flash site doesnt find an installed version. these are little facebook and youtube videos-nothing fancy and not all videos ask for the flash player. so i was told to reinstall java so i could get adobe flash to run. however i am concerned about the basic holiness of this java app as u have said–maybe THAT problem was fixed but the next one’s right around the corner..(yes i read that in your article :) so should i reinstall java to get flash to work or is there another way? does it have something to do w activex and is that safe?? my main goal is to have flash work, but if that is unsafe i will do my best to live without it–i’ve got norton AV and protect. java i usually dont need but now w flash i might??? thanks!
29-Jan-2013
I just got a new Macbook Pro. (Love) I had a tech savvy friend install some software, and while doing they installed Java. I’ve disabled it in Safari and Firefox…but is this enough? (Do I even need both browsers anyway?) I found a Java VM file when searching my applications. Can I remove it? And thanks for the article. I removed Java from my Netbook; not sure if it’s related, but after doing so, it is running much more smoothly.
Well, I agree that Java is unnecessary. But I think that for most sites JavaScript is also unnecessary! The content sites I visit display fine with JS disabled, and — there are no JS-generated ads! Lovely! With Flash blocked as well, I can browse content without the crapola. Firefox add-ons will block JS with the option of allowing it on a case-by-case basis, and block Flash with the same case-by-case option. And yes, Java is disabled as well. Oracle does have a dismal record on security.
I have Windows 8 and when I try to remove Java I get a pop-up asking if I want to allow Java to make changes to my computer. When I click “no” the uninstall discontinues. I tried clicking “yes” and Oracle proceeded to load an updated Java version (I assume). I cancelled the upload and tried uninstalling and again received the request to allow Oracle to update. What gives?
@HW Pelt
Maybe you can click yes and allow the process to complete. It might be that that would uninstall Java from your system in spite of what the message is saying. I’ve had similar experiences with other programs. If not, at least you’ll have a patched Java which is better than leaving it the way it is.
Hi,
I have visited a website that need java so I have to install it again. And now, the firefox version 20 browser will ask if you want to run the java when you visit that website firstly.
So, am I safe now keeping the java installed in the windows 7? Or that I better uninstall and install again when I want to visit that website?
thanks
Hi Leo, or indeed anyone else reading this question …
I am trying uninstall Java, after Windows Installer thinks about it for a while the following dialogue comes up “Do you want to allow the following programme (i.e. Java) to make changes to your computer?” It may seem obvious that I should click yes, however I’m concerned that if I do that it will do other things to my machine that I don’t want it to. Most programmes I’ve uninstalled have not asked that question before, and I want to check that clicking yes to this question won’t actually embed the programme even further into my machine. Your advice would be appreciated. Thanks, Liz
Yes. You are authorizing the Java uninstaller to uninstall (i.e. make changes).
When I try to uninstall Java this message comes up: “An unidentified program wants to access your computer. Have you used this program before and do you trust it?” I then have to make a choice as to whether to allow access to this unidentified program. When I choose “No” Java still remains in my computer. Of course I am not told the name of the unidentified program.
How can I proceed to uninstall Java?
What it sounds like is that “unidentified program” is the Java uninstaller. Allowing it to run might uninstall Java.