Java and Flash: Do I really need them?

Topic

New Reply

Here’s the thing: I ran into Chrome a few months ago on my bro’s PC, and ever since, I’ve been using it as the primary browser on almost all of my PCs. On 2 of my PCs, I use IE as the default browser, mainly because I don’t use them that often, and rather than try and keep track of updating 2 browsers, I figured there was no harm in letting IE be the default browser. Recently, one of them acquired a backdoor via Flash (have no idea how), and instead of removing it with an AV program, I just reformatted and reinstalled Windows, as the PC wasn’t used that often. This is a Win7 Home Premium machine. The reinstall was successful. Then, when I was testing out IE in that PC, IE kept demanding Flash for viewing a YouTube video. After some time, it switched over to HTML5, but there was no video; only audio.

I never installed Flash or Java yet on this PC. It already came down with an infection once, thanks to Flash, and I’m really leery of installing it again. Now here’s my question: Shall I just install Chrome on this PC and deal with having to update 2 browsers, or shall I bite the bullet and install Flash (and also, possibly Java), and vigilantly be on the lookout for new malware? :confused: Which is easier? Keep in mind, I don’t use this PC too often (perhaps 4 times a week), so I can’t constantly be on the lookout for new updates.

Thanks!

Reply | Quote

Replies

Use Chrome instead of IE, (Flash Player is integrated into Google Chrome), and don’t install Java unless you must. If you keep getting infected, might also want to consider Malwarebytes Anti-Malware Premium[/url]. It detects and protects against malware in real-time.

Reply | Quote

Thanks for your suggestion. I used to have MSE on this PC, but since it couldn’t stop the backdoor from entering my PC, I installed MalwareBytes Premium after the reinstall. Anyways, like you said, I’m only going to install Java if necessary.

But another question: How will I know which programs require Java? Websites always inform me, but will all programs also behave likewise? I ask this, because if a program does require Java, and installs it without informing me, then I’m pretty sure it’ll be an out-of-date version.

And the only thing worse than Java, is an out-of-date version of Java.

Reply | Quote

The page should prompt you if it needs Java.

Reply | Quote

When I access my Domain one feature on the main page is a link to World Time Clock. It uses a script to call the clock and if Adobe Flash Player is not installed I get a message. It’s occurs mostly when I’m setting up/working on someone else’s computer.

Before you wonder "Am I doing things right," ask "Am I doing the right things?"

Reply | Quote

Java won’t auto install and even requires its own UAC for it to run.

I have both 32 and 64 bit versions installed and kept up to date but have Java disabled in browsers through its console in All Control Panel Items.

This is done by right clicking on the “coffee cup” and selecting Open then under the Security tab, uncheck the box for Enable Java content in browsers/Apply and ensure that in IE/Manage add-ons, all Java items are set to Disabled – this way if you are prompted that Java is required then you only have to check that box and restart IE to effect.

It was probably a failing of MSE that allowed that infection rather than Flash, otherwise Google would be awash with complaints about Flash Player.

Adobe do have the odd out of cycle security updates to combat a Zero Day Exploit, but for the main, as with Java – keeping them up to date is usually sufficient and best advice is to ensure you have a more effective AV than MSE.

Reply | Quote

Adobe do have the odd out of cycle security updates to combat a Zero Day Exploit, but for the main, as with Java – keeping them up to date is usually sufficient and best advice is to ensure you have a more effective AV than MSE.

“odd out of cycle security updates”? No, exceptional ooc updates; normal updates are only every 3 months:

July 2014: Critical Patch Update that contains 20 fixes for Java, the most severe having a rating of 10.0.

April 2014: Critical Patch Update that contains 37 fixes for Java, 35 of which Oracle indicated can be exploited by an attacker without the need for authentication.

January 2014: Critical Patch Update that contains 36 fixes for Java, 34 of which Oracle indicated can be exploited by an attacker without the need for authentication.

October 2013: Critical Patch Update that contains 51 new security fixes for Oracle Java SE. Oracle indicated that fifty (50) of the Java SE vulnerabilities fixed in this Critical patch Update are remotely exploitable without authentication.

Yup, that’s well over a hundred Java exploits ‘fixed’ in the last year that wouldn’t have triggered UAC.

Bottom line is:- don’t use Java, if you do, keep it updated, don’t allow it in IE.

It’s been the main infection route into Windows for years!

Reply | Quote

It may have been this I was thinking about http://krebsonsecurity.com/2014/05/why-you-should-ditch-adobe-shockwave/ but I seem to remember something about Flash Player being exploited/security scare.

Reply | Quote

Thanks for all your suggestions guys. Following your advice, I decided it’s better to install Chrome and just deal with having to keep 2 browsers up to date, rather than obsessing over Flash or Java-related malware. Once again the day is saved…;)

Reply | Quote

Good decision. 😉

Reply | Quote

The need for flash and Java depends on the sites you visit. Some sites require either or both and some don’t. A lot of sites are getting away from Java now. I spend a large amount of time on Pogo (games) which requires Java for some of the games, but disable it when not on that site. In the upper left where the address block is you will usually see a little icon that looks like a small lego block, you can click that and turn on or off flash and Java (I think – lol)

Reply | Quote

The only popular app I know uses Java is OpenOffice and LibreOffice. Otherwise I see no reason to maintain it on a system unless you run an app that uses it.

Flash is hard to avoid with all of the online video one comes across.

Reply | Quote

The only popular app I know uses Java is OpenOffice and LibreOffice. Otherwise I see no reason to maintain it on a system unless you run an app that uses it.

Flash is hard to avoid with all of the online video one comes across.

As far as possible, I stick to MS Office, so I think I’m good there. 🙂

Reply | Quote

And that’s one of the very reasons to use Chrome: Flash is embedded in Chrome and Chrome automatically updates itself.

Reply | Quote

And that’s one of the very reasons to use Chrome: Flash is embedded in Chrome and Chrome automatically updates itself.

Internet Explorer has had automatic updates including Flash for years too.

Reply | Quote

Intel’s auto detect is another that requires Java, but until you need it then it’s best disabled in browsers.

Reply | Quote

Intel’s auto detect is another that requires Java, but until you need it then it’s best disabled in browsers.

I don’t recall using Intel AutoDetect, like ever. So another no-no for Java.

Reply | Quote

To avoid updating two browsers …. ‘remove’ IE … by unclicking it ….. here …. Control Panel / Programs and Features / Turns Windows features on or off …

Reply | Quote

To avoid updating two browsers …. ‘remove’ IE … by unclicking it ….. here …. Control Panel / Programs and Features / Turns Windows features on or off …

Thanks for your suggestion. However, I don’t feel really good about disabling IE, as it is used behind the scenes for various stuff. Since I don’t use that PC often, I’ve just set WU to Auto Update.

Reply | Quote

To avoid updating two browsers …. ‘remove’ IE … by unclicking it ….. here …. Control Panel / Programs and Features / Turns Windows features on or off …

The following post is only applicable to North American versions of Windows. See the end of this post for possible differences between US and New Zealand versions of Windows.

This “IE removal” trick which has been around for years, does not remove or disable Internet Explorer.

Parts of IE will still be available through things like Active-X, which also is needed for the desktop and the local Explorer to function. Among other things.

IE is deeply embedded inside the Windows Operating System and never goes away. It will still need its updates.

Further, IE updates come as part of the regular monthly MS Updates (and sometimes as out of band updates through the MS Updates mechanism. If you are on automatic updates, or if you ever manually run MS Updates (which we al know you must do) IE will get its updates along with Office and Windows.

All you are doing with this trick is removing the desktop, taskbar and Start Menus Icons for IE. That is purely cosmetic.

Articles like THIS ONE are misleading at best, and potentially dangerous to people with little or no tech knowledge. The methods in that article only remove the IE 9 or IE 10 UPDATES, which will return your PC to IE 8, and do NOTHING MORE.

In North American versions of Windows, IE is not a separate program or feature. In EU versions, there is full choice of browsers, and removing IE is possible. I live in North America.

I don’t know about the localized versions of Windows available in Australia or NewZealand, but I get the impression they work like the EU versions. This is why Hitmaker’s claim is not really false; it is simply region-specific and does not work in North American versions of Windows.

-- rc primak

Reply | Quote

To avoid updating two browsers …. ‘remove’ IE … by unclicking it ….. here …. Control Panel / Programs and Features / Turns Windows features on or off …

That merely removes the start menu shortcuts to IE. In reality IE is required for Windows to function correctly.

Several times I have had to reinstall Windows on customers’ PCs after they had forcibly uninstalled IE (manually deleted IE files & registry keys). The next time Windows is restarted it will almost always crash with a BSOD during startup.

For most users Windows Update should be set to “Install updates automatically”, which will keep whatever version of IE is installed on the system updated.

Reply | Quote

As for Java and Flash Player and Google Chrome’s native PepperFlash:

Yes, Flash Player (Adobe version) has many security exploits. This is the primary reason it gets patched so often.

Flash is aging technology. HTML 5 would have displaced Flash by now if such widespread embedded Web video players as JW Player did not use Adobe Flash as their basis. Flash Player has numerous ways to be hijacked to spy on people, even having the capability to take control of webcams and microphones. The embedded players won’t display streaming video if ad blocking is active. Nasty stuff, but if you want to see online videos, I’d say over three-quarters of that class of content requires some form or another of Flash Player.

Google Chrome’s Pepper Flash plugin is basically Adobe Flash Player, with a NACL container around it. This allows limited sandboxing and some permissions restrictions. Good, but not entirely free of backdoors. And then there’s the entire “Google Botnet” privacy concern, which you buy into just by intstalling Chrome on a Windows PC or device. Not a perfect world, by any means!

Java in OpenOffice/LibreOffice is not needed for most of the features most folks will encounter during personal or small business uses. Java can be disabled for OpenOffice to test whether your personal or business uses require Java-dependent features. (Go to Options>>Advanced to unset or reset Java Runtime use.) If no issues happen, it is perfectly safe not to have any Java at all on a Windows PC or device. (Linux does need Java, but that’s an entirely different OS environment with entirely different security concerns.) Definitely disable Java in all browsers through the Java Control Panel. Most likely, nothing you do on the Web will need it.

I hope this clears up what Windows Secrets contributors have been saying for a couple of years now (mostly in paid content).

-- rc primak

Reply | Quote

I don’t understand all this paranoia about running Java. Yes in the past their were a lot of java exploits that took advantage of holes in Java, but I don’t believe its a problem with the current version since they went to white listing where you have to approve each instance of Java code. I have Java enabled in all my browsers and haven’t experienced any issues. I have a number of puzzle and game apps that use Java.

Yes, if you don’t have any web sites that use Java, I would not have it installed. But if you do run into a web site that uses Java, I wouldn’t lose any sleep over installing it. Just keep Java up to date.

Jerry

Reply | Quote

…I never installed Flash or Java yet on this PC. It already came down with an infection once, thanks to Flash, and I’m really leery of installing it again…

I have always had both Flash and Java installed on all my own PCs, but make sure they are updated as new versions are released.

Almost all customers’ PCs I work on have both Flash and Java and, as long as they are reasonably up-to-date, there is rarely any problems that can be definitely stated to have been caused by either.

Flash is used on many websites, not only for video but also for those fancy animated menus etc, so it is almost inevitable that Flash is installed on your system even if you are not aware of it.

Use of Java on websites is not really very common; however don’t confuse Java with JavaScript. JavaScript is extremely common in webpage code.

You can download/install the latest Java from: http://www.java.com/en/download/manual.jsp

The Java FAQ is at: http://www.java.com/en/download/faq/whatis_java.xml

The latest Flash Player can be downloaded/installed from: http://get.adobe.com/flashplayer/

Reply | Quote

In reality IE is required for Windows to function correctly.

To illustrate more of that interoperability you can put the path/address to a Folder or file in IE’s Address bar to open Windows Explorer to that point, e.g. C:UsersUSERLOGIN NAMEDocuments.

Before you wonder "Am I doing things right," ask "Am I doing the right things?"

Reply | Quote