This page is about Java. Please do not confuse this with JavaScript, which is something completely different.
Java is extremely vulnerable to attack and needs great care.
This advice should be taken very seriously indeed.
Summary of advice
If you have a reason to keep Java
- disable Java in all browsers
- use Chrome with caution for web pages with Java applets
Otherwise uninstall Java
Background
Java is the current target of choice in many malware attacks. 2012 and 2013 have been particularly bad years and several vulnerabilities are yet to be patched.
Very serious Java vulnerabilities keep emerging. A common view of many experts is that Java should not be used at all in any browser. There is plenty of further information on the web. A good place to start is the ZDNet security blog; for more technical details, see "Why fixing the Java flaw will take so long".
Vulnerabilities become more serious once they are known to exist because hackers quickly find and exploit them. Some of the vulnerabilities are currently being actively exploited. The danger occurs when you visit a web page containing malicious code, which in principle can take over a computer or steal financial and personal information.
Do you need Java?
A number of commentators recommend uninstalling Java completely from PCs. If this is practical for you, then do it. However, you may well have a number of applications that need Java, e.g.
- Libre Office
- Opera Browser
- jEdit
- A few web pages, particularly those with real-time applets, including broadband speed tests, and displays from automatic monitoring equipment, e.g. Formula 1 Live Timing
Avoidance
A reasonable though not perfect safety plan is to permanently disable Java in all browsers. Then, when needed, temporarily enable Java in Chrome for any Java activity that you need.
To use Java on a specific web page:
- close all other browser windows
- enable Java
- use the Java applet as needed
- disable Java again
Uninstalling Java
- open Control Panel > (Programs) > Programs and Features
- scroll down to Java, select any version, click uninstall and wait until it disappears from the list
- repeat for each version
- once there are no entries for Java, it is no longer installed
Testing whether or not Java is enabled
Please note, we no longer consider it safe to use Java in any browser at any time
Use the Java clocks test: if any clocks show, Java is enabled in your browser.
Chrome Browser - Java protection
Please note, we no longer consider it safe to use Java in any browser at any time
The Chrome browser prevents Java applets from running until the user gives permission, but this does not provide full protection.
You should get the message 'The Java plug-in needs your permission to run'
- Choose the 'Run this time' option only if you are certain about the website
- The 'Always run on this site' option is not recommended
Get the Chrome browser at Google Chrome download
Firefox Browser - plugin protection
Please note, we no longer consider it safe to use Java in any browser at any time
From version 14.0.1, Firefox can be set so that all plugins require a confirmatory click. This might be better than the Chrome option, but the option is disabled by default. If enabled, Firefox is then as safe as Chrome for Java, but this still does not provide full protection. At present (September 2012) quite a few plugins do not work properly with this setting enabled (e.g. Qualys Browser Check, Google Earth, PDF Download), and thus it cannot be recommended.
To enable the option (take great care):
- type about:config into a browser window
- agree to the warning about being careful
- in the resulting screen, scroll down to plugins.click_to_play (list is alphabetical)
- click on (select) the plugins.click_to_play line and double-click false which will change to true
- close the window
If there are unexpected problems with plugins after making this change, reset plugins.click_to_play with a similar procedure, i.e. at step 4, double-click true, which will change back to false. Don't forget to disable Java as well.
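A read-only way to confirm the setting without opening about:config, given here as an added example that is not part of the original page: it parses the text of a Firefox profile's prefs.js and user.js files and reports the effective plugins.click_to_play value, treating a missing entry as the default of false. The function names and the sample file contents are constructed for illustration.

```python
import re

# Matches one line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("plugins.click_to_play", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
PREF_NAME = "plugins.click_to_play"


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything malformed
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        else:
            prefs[name] = raw.strip('"')  # strings and numbers kept as text
    return prefs


def click_to_play_state(prefs_js, user_js=""):
    """Effective click-to-play setting for one profile (hypothetical helper)."""
    merged = parse_prefs(prefs_js)
    # user.js is applied on top of prefs.js at startup, so it takes precedence.
    merged.update(parse_prefs(user_js))
    # A missing entry means the default, which is false (option disabled).
    # A non-boolean value is treated as not enabled.
    return merged.get(PREF_NAME, False) is True


# Constructed sample file contents (not taken from a real profile).
SAMPLE_DEFAULT = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
SAMPLE_ENABLED = SAMPLE_DEFAULT + 'user_pref("plugins.click_to_play", true);\n'
SAMPLE_USER_JS_OFF = 'user_pref("plugins.click_to_play", false);\n'

if __name__ == "__main__":
    cases = [
        ("default profile", SAMPLE_DEFAULT, ""),
        ("enabled in about:config", SAMPLE_ENABLED, ""),
        ("enabled, then overridden by user.js", SAMPLE_ENABLED, SAMPLE_USER_JS_OFF),
    ]
    for label, prefs, user in cases:
        print(f"{label}: click-to-play = {click_to_play_state(prefs, user)}")
```

A user.js file that sets the preference back to false silently undoes the about:config change at the next start, which is why both files are checked.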
Disabling Java
For comprehensive help on disabling Java, see how turn off java browser
The following instructions may also be useful:
- Internet Explorer: Tools>Manage Add-ons. Select 'all add-ons' under Show. Scroll down to Sun Microsystems, select each Java entry in turn and click disable.
- Firefox: Tools>Add-ons>Plugins and click disable for both the 'Java Deployment Toolkit' and the 'Java Platform'
- Chrome:
  - Click the wrench icon and select Settings.
  - Click Show advanced settings.
  - In the "Privacy" section, click the Content settings button.
  - Scroll down to the "Plug-ins" section, and click Disable individual plug-ins.
  - Scroll down to Java and click Disable.
  - Close all settings windows.
- Safari: Tools>Preferences>Security and uncheck 'Enable Java'
- Opera: Tools>Advanced>Plug-ins and click disable for both the 'Java Deployment Toolkit' and the 'Java Platform'
Note: When a new version is installed, disabled Java browser plugins are updated, but they normally remain disabled.
Mike Hall
17/8/2011 revised 17/1/2013


