Security Warning About Java: Get Rid of It or Disable It!

September 8th, 2012

I regularly listen to Steve Gibson’s Security podcasts, and Steve’s recent podcast explains alarming problems recently discovered with Java. Security experts are recommending you remove Java or at least don’t let it run from your browser. Here is a PC World summary explanation of the problem. Note: this problem applies to any machine with Java (Windows, Mac, Linux).

Windows: Removing Java from Windows machines is pretty easy. Just go to Add/Remove Programs and remove all instances of Java. Most versions of Windows come with Java already installed.

Mac OS X: Recent versions of OS X don’t come with Java installed, but Java will be installed if you’ve said yes to web sites that use it or run a game that uses it. Removing Java from OS X is involved, so if you have installed it, the best thing to do is to disable it. See the link below for instructions on disabling it.

Click here for instructions for how to remove or disable Java from any machine.

Update 9/9/2012: Peter below asks why bother?

The references I give above go into great detail about why. Probably more than most want to read. A short summary is: Bugs in both of the last two versions of Java allow code to be executed on your machine as a result of simply clicking on a link, letting a hacker do ANYTHING they want on your machine. And Oracle, which owns Java, apparently is not going to fix the problem for months because it only releases updates to Java every 3 months. In the meantime the hacker community is ecstatic because they now have a way to do anything on anyone’s machine that is running Java, just by getting people to click on a link.
Update 10/20/2012: Today Apple announced that it is dropping Java from Mac OS X for security reasons. Here are the details.

12 Responses to “Security Warning About Java: Get Rid of It or Disable It!”

  • Has anyone said why, apart from someone recommending removal?
    What are the bad effects of leaving it in place ?

    Peter

  • @Peter- the references I give go into great detail about why. A short summary is:
    There are bugs in both of the last versions of Java that allow code to be executed on your machine, by simply clicking on a link, that allow a hacker to do ANYTHING they want on your machine. And Oracle, who owns Java, apparently is not going to fix the problem for months because they only make updates every 3 months. In the meantime the hacker community is ecstatic because they now have a way to do anything on anyone’s machine that will run Java in a browser.

  • Thank you, Larry.
    On several occasions I was notified by pop-ups that I had to update a Java program.
    I never felt the need to do that and I am glad I ignored it.

  • Larry, thank you so much for sharing this article. This is problematic for me as a Home Appraiser because many of the GIS sites where I obtain data for appraisals are Java intense (required). Thank you.

  • @Bill – It is less risky when you are going to a well known, trusted site that you know uses Java. The risk of course is if you leave Java on all the time in your browser you are vulnerable. Mac browsers have a setting that will ask you if you want to run Java, every time the browser is about to run Java… I don’t think Windows has that feature. In the last few weeks the only hacking exploits have been on Windows machines.

  • Removing Java is an overreaction IMHO. If you are in fear of this issue, temporarily disabling it is enough to stop feared intrusions. It should also be said that as long as you aren’t visiting dangerous websites (warez and porn come to mind) and stick to mainstream sites the potential for intrusions is considerably reduced.

    The proliferation of sites that safely use Java is huge. Go ahead and disable/remove Java and then go check out all your favorite websites. Including your bank…. You will rapidly find that not having Java installed to run Javascripts on all your favorite sites is a royal pain. To exclude that service from my web experience isn’t helpful to me at all. If you want to dumb down your web experience then by all means remove Java.

    This is no different than the past noise about Adobe Flash. Staying on safe websites and keeping your anti-virus software current (on both Windows or OS X) is the best defense.

    This chasing of rabbit holes in the software we all use daily will never end. I love what computing has brought to my life. I embrace it. My pencil and paper are happily lost and forlorn…

  • @Rick- “not having Java installed to run Javascripts on all your favorite sites is a royal pain”
    You don’t have to have Java installed to run Javascript. Javascript and Java, despite the fact that they both have “Java” in the name, have nothing to do with each other! Javascript is a browser scripting language without the ability to access files or anything outside your browser… Java on the other hand is a general purpose programming language able to access the file system and much more. Listen to Steve Gibson’s podcast if you don’t believe me.

  • Yup I fubared on the javascript thing. I agree. I still stand by everything else I said though. I come from 16 years in a corporate IT world where Java was and still is King. Java has had its share of security holes. Along with Windows, OS X, Linux and Unix. I choose to not buy into the latest OMG the sky is falling craze. That’s all.

  • GoDaddy must’ve had Java loaded on their DNS servers!

  • This sucks, as the software for our Real Estate forms requires it. I actually had to enable it to get it to work.

  • @Jason- Just be super careful about only going to sites that you know are safe while Java is enabled… Oracle is expected to have a fix by mid-October… hopefully much sooner!

  • Java is as secure as Flash or anything else.
    “now have a way to do anything on anyone’s machine, that is running Java, by just getting people to click on a link.”
    Sure, just like any other exploit that doesn’t use Java.
    Java drive-bys have been around for years and will be used for many years to come, just like any other exploit, using Java or not.
    In fact, there are much easier exploits than just using this Java method.
    The best security feature is not to click on unknown links.
