• Security alert: Remove Java from your browsers


    TOP STORY

    Security alert: Remove Java from your browsers

    By Woody Leonhard

    With nearly every news outlet — along with the U.S. Department of Homeland Security — calling for its removal from PCs, who wouldn’t worry about running Java on their computer?

    Fortunately, there are steps every Windows user can take to lessen the chances of being bitten by a Java exploit.


    The full text of this column is posted at windowssecrets.com/top-story/security-alert-remove-java-from-your-browsers/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    • #1370299


      The suggestions in the article are unnecessarily complicated – all the many methods to disable Java in various browsers – and there is a hitch regarding the version of the control panel …

      Disable Java in ALL browsers – even Oracle tells you how!

      http://java.com/en/download/help/disable_browser.xml

      If you have a website – like a bank etc. – that needs Java in your browser you can very easily switch back and forth by enabling and disabling Java in your browser(s) using the control panel applet. Just remember to disable again if you have enabled it!

      Note: The ability to use this method (the control panel) requires that the latest version of Java (Java 7 Update 11) is installed – but there is a hitch. I have seen computers with Java 7 Update 11 which don’t have this new version of the control panel. To ensure that you have this new version of the control panel, you can just remove Java from the computer and then reinstall it from the Java website – this takes only minutes.

      Note: the control panel applet, as shown above, has a check box “Enable Java content in the browser” – this must be deselected (i.e. remove the check). This will disable the Java plug-in in all browsers.

      Note: Oracle’s suggestion now (http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html) is to “change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.” Why not just disable it altogether and then enable it the few times you might need it?

    • #1370367

      Thank you, copenhagenmail. I came here to pose the question that you answered: I’ve downloaded the new build several times, but still have the old format in Control Panel. I will take your suggestion to remove, then download again.

    • #1370384

      If you don’t need Java, removal with JavaRA will completely get rid of all versions of Java.

      -- rc primak

    • #1370391

      why the deactivation – should we not rather uninstall for once and all times?

      • #1370519

        why the deactivation – should we not rather uninstall for once and all times?

        It is a question of whether you need to use Java on a website that requires Java.

        In Denmark, all contact with banks and the government and other institutions uses a “NEMID” Java logon to verify your identity and the throw away one time code you need to use each time you login.

        Other countries or businesses have similar techniques.

        But, if you don’t ever use this sort of thing or other Java based functions, you do not need Java on your computer. Woody Leonhard explains this and the difference between Java and the much more common Java Script in his article.

        Remember that it is only the webbrowser part of Java which is being disabled. Whatever else you might have on your computer that runs using Java is not affected by this fix.

    • #1370392

      Dear Woody, on my pc’s it is the other way around: Firefox asks every time permission to start Java, and Chrome uses Java without any question!! (both updates to the last version).

    • #1370484

      My Chrome in Windows 7 and Windows 8 asks for permission to run or update any plugin, Java included. Firefox under Windows XP also asks, but I think it may be an Extension which is doing the asking (NoScript or Ghostery).

      -- rc primak

    • #1370523

      I have the version of Java you indicated. In my Java Control Panel, the only thing listed under security tab is certificates. There is nothing else under that tab. How about that?

      • #1370532

        Thanks, very helpful. I had already disabled it in Firefox but it’s done in all of them now. The Java CP did show up in my Windows CP, I had to search for it.

        Bob

        • #1370535

          I have the same problem as brooksro, the Java Control Panel Security tab does not allow disabling Java in browsers, only has a box for security certificates.

          Are you saying I need to uninstall and re-install Java to get the “new” control panel? Just want to make sure I am clear on this.

          Thanks!
          Emily

          • #1370590

            I have the same problem as brooksro, the Java Control Panel Security tab does not allow disabling Java in browsers, only has a box for security certificates.

            Are you saying I need to uninstall and re-install Java to get the “new” control panel? Just want to make sure I am clear on this.

            Thanks!
            Emily

            Yes, need to uninstall and re-install Java to get the “new” control panel. I have seen this issue on many computers now. See my reply to brooksro.

            • #1370728

              Yes, need to uninstall and re-install Java to get the “new” control panel. I have seen this issue on many computers now. See my reply to brooksro.

              I may have already said this, but re-installing Java (from their website) only produced the same version I had just uninstalled – twice!!

      • #1370570

        I have the version of Java you indicated. In my Java Control Panel, the only thing listed under security tab is certificates. There is nothing else under that tab. How about that?

        The control panel applet you describe is the old version.

        As I wrote above “Note: The ability to use this method (the control panel) requires that the latest version of Java (Java 7 Update 11) is installed – but there is a hitch. I have seen computers with Java 7 Update 11 which don’t have this new version of the control panel. To ensure that you have this new version of the control panel, you can just remove Java from the computer and then reinstall it from the Java website – this takes only minutes.”

        I have now seen this issue on ALL of the computers I have encountered today, so there is an issue that the Java 7 Update 11 doesn’t clean up the old control panel applet and replace it with the new applet. Clean up of old versions etc has always been an issue with Java. At one time you could have 10 or more Java versions installed until you manually deleted the old ones.

    • #1370538

      Really now, it’s quite simple to disable Java in IE, is it not?

      Just go to Manage Add-Ons (via the gear in the top-right of the window in IE9, or the Tools menu in IE8), and disable anything that looks like Java(tm) Plug-In SSV Helper, Java(tm) Plug-In 2 SSV Helper, or that otherwise is listed as coming from Oracle or Sun. Does that not get the job done?

      The equivalent can be done with the add-ons in Firefox and Chrome.

      EDIT: Oh wait, apparently the SSV Helper does nothing. Phooey.

      Well, guess I might as well uninstall Java and not bother with it again until I actually need it.

      I have the same problem as brooksro, the Java Control Panel Security tab does not allow disabling Java in browsers, only has a box for security certificates.

      If I’m not mistaken, you’re looking at the control panel for Java 6. I think you should just uninstall Java 6 from the appropriate control panel (since Java 6 is probably even less secure than the current version of Java 7, and probably just as useless).

      • #1370652

        I was just going to post what kehander did:

        Just go to Manage Add-Ons (via the gear in the top-right of the window in IE9, or the Tools menu in IE8), and disable anything that looks like Java(tm) Plug-In SSV Helper, Java(tm) Plug-In 2 SSV Helper, or that otherwise is listed as coming from Oracle or Sun.

        I did this just now because the dialogue box giving me the option to disable in all browsers did not show up in my Java Control Panel. It only had the Certificates option. Oh, just read another post telling me why that happened. I’ll try to get rid of Java 6, too.

        Please let me know if I need to do something else besides what kehander and I did!

        Thanks,

        Linda

      • #1370871

        Really now, it’s quite simple to disable Java in IE, is it not?

        Just go to Manage Add-Ons (via the gear in the top-right of the window in IE9, or the Tools menu in IE8), and disable anything that looks like Java(tm) Plug-In SSV Helper, Java(tm) Plug-In 2 SSV Helper, or that otherwise is listed as coming from Oracle or Sun. Does that not get the job done?

        The equivalent can be done with the add-ons in Firefox and Chrome.

        EDIT: Oh wait, apparently the SSV Helper does nothing. Phooey.

        Well, guess I might as well uninstall Java and not bother with it again until I actually need it.

        If I’m not mistaken, you’re looking at the control panel for Java 6. I think you should just uninstall Java 6 from the appropriate control panel (since Java 6 is probably even less secure than the current version of Java 7, and probably just as useless).

        Where do I post my reply????? I have same issue as emilys7 and brooksro. I disabled the SSV helpers, but I see it does nothing. When I go to the Java control panel, security tab, I too have only certificates – no information about Java and my browser (IE 8). I checked my installed programs and have the following Java on my machine – Java 7 Update 11, Java 7 Update 5 (64 bit), and Java FX 2.1.1. Should I just uninstall all Java? Please note, I have Norton 360, who informed me I am protected against possible Java exploits. So should I do nothing? Who do I trust/believe?

        • #1370970

          I checked my installed programs and have the following Java on my machine – Java 7 Update 11, Java 7 Update 5 (64 bit), and Java FX 2.1.1. Should I just uninstall all Java?

          It takes only minutes to uninstall Java 7 Update 11 and then reinstall it. You will then get the necessary control panel applet so that you can turn Java for browsers on and off as needed.

          Do you have any special need for the additional 64 bit version, which is not updated? In any event, unless that specific version is required, you should uninstall it and FX and let the Java website update it too.

          According to Oracle:
          http://www.java.com/en/download/faq/remove_olderversions.xml

          Should I uninstall older versions of Java?
          We highly recommend users uninstall all older versions of Java from your system.
          Keeping old and unsupported versions of Java on your system presents a serious security risk.
          Uninstalling older versions of Java from your system ensures that Java applications will run with the most up-to-date security and performance improvements on your system.

          Please note that Oracle states:

          Internet Explorer
          The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel

          http://java.com/en/download/help/disable_browser.xml

    • #1370541

      The CERT site information about Internet Explorer appears out of date since the Microsoft KB2751647 article does not apply to Windows 8 Internet Explorer 10.

      Disabling Java Runtime Environment (JRE) 1.7 in Windows 8 Internet Explorer 10 appears much simpler, at least according to the controls in IE10. To wit:

      (Assuming JRE 7u11 is installed) go to Internet Options – Programs – Manage add-ons – Toolbars and Extensions – show All add-ons. Find Oracle America, Inc. Java Plug-in 10.11.2 (the latest, it would appear).

      Click Disable. That’s it!

      Am I missing something here?

      Harry


      • #1370544

        You mention lots of web browsers but not Opera???

        • #1370546

          I’ve heard that the problems are with Java version 7, perhaps the later updates 10 and 11.

          I am running version 6, update 30 (something on my PC “fails to download” the latest update when I try to update Java either manually or automatically from the Administrator login).

          I do not seem to have had any problems on any websites on IE8 under Windows 7.

          So my questions are:
          – do I need to worry about the problems alluded to?
          – anyone know about the “fail to download” issue? I’ve spoken to Tech Support for my PC. I think the problem was somehow circumvented to get to Ver 6, Upd 30 but I don’t recall what we did. However, every update since then has again “failed to download.” I’m not sure I’ve missed anything so I haven’t pursued it.

          Thks.

          Fred

          • #1370636

            I followed your instructions in step 1 to ensure latest Java version was installed. However, when I went to the Windows control panel and clicked on Java, the “Security” tab in the Java Control Panel looked like the attached. Specifically, the “Security” tab does not contain any of the information shown in Figure 1 of your column, but only a title called “Certificates”, a statement about their intent, and a button titled “certificates”.

            I am running the 64 bit version on Windows 7 professional. Thanks for your assistance.

          • #1370747

            I deleted the java.jre but there is still another program, “JavaFX 2.1.1”. What is this program and do we follow the same procedures with it?

        • #1370638

          You mention lots of web browsers but not Opera???

          If memory serves: Smack F12, click “Enable Java”. Done!

          java can easily be disabled in windows 7 and windows 8. In windows 7 ie9 by the following options present in ie9

          I mentioned that already. That is the Java SSV Helper, which apparently only does something related to letting administrators easily switch to older versions of Java if necessary. It seems Java will still run even if those add-ons are disabled.

      • #1370594

        Win 8 has a very special version of Java which only works with certain parts of Win 8.

        See: http://www.java.com/en/download/faq/win8_faq.xml

      • #1370667

        The CERT site information about Internet Explorer appears out of date since the Microsoft KB2751647 article does not apply to Windows 8 Internet Explorer 10.

        That’s only because they were both written before Windows 8 existed.

        Disabling Java Runtime Environment (JRE) 1.7 in Windows 8 Internet Explorer 10 appears much simpler, at least according to the controls in IE10.

        It appears that simple in previous versions too.

        Bruce

    • #1370549

      Hi All,

      There are times that I’m simply aghast at the over-reaction to certain threats.
      As is pointed out, Java is a cross-platform programming language and is used on billions of devices.
      Un-installing it completely is draconian to say the least and is complete overkill.
      Not only that, it could cause major inconvenience in using or addressing your particular device or “programs”.
      It seems that a lot of people are forgetting that e.g. modems, routers and many other devices employ Java
      to be adjusted or set up.
      Also many games, online or local, use Java. Lots of screensavers use Java to show special effects by running applets
      or specially designed “classes”. Lots of “speedtests” use Java as well.

      For the life of me I can’t understand why people have to resort to extreme measures,
      rather than take a more rational approach and run their web browsers sandboxed.
      There are so many ways to do this, ranging from running a VM (virtual machine)
      to something like Sandboxie http://sandboxie.com/ or BufferZone http://www.trustware.com/ and many other similar programs.

      Somebody please tell me when panic is a suitable replacement for reason?
      It’s like saying if Windows is vulnerable to attack, just uninstall it.
      However in this case, Java being cross-platform, just uninstall Linux and OS-X too.
      Just use a platform and device that doesn’t use Java at all.
      Good luck with that 🙂

      BTW, I’ve used Sandboxie since 2005 and never had an infection on my system due to something
      picked up while surfing the web. Yes I had many infections inside the sandbox, but they are inconsequential,
      since they disappear the moment the sandbox is deleted.

      • #1370589

        Also many games, online or local, use Java. Lots of screensavers use Java to show special effects by running applets
        or specially designed “classes”. Lots of “speedtests” use Java as well.

        The issue, and the fixes suggested, ONLY concern Java in webbrowsers. It is only the webbrowser function that is disabled.

        • #1370623

          The issue, and the fixes suggested, ONLY concern Java in webbrowsers. It is only the webbrowser function that is disabled.

          Yes I understand. My comment was in reaction to suggestions, here and elsewhere, to totally un-install Java.
          In addition to your comments and suggestions, readers may want to check the article here
          http://securitywatch.pcmag.com/none/307129-if-you-can-t-disable-java-what-can-you-do
          It also gives more reasons why disabling Java is preferred over uninstalling.
          In addition to what they list, several stock trading programs, some file hosting sites (up- and down-load)
          also use Java and there must be many others not even listed.

          It would be helpful if a security site were to list all, or most, of the applications that use Java via a browser interface, so people would know how they’re affected.
          As an alternative, people can check for themselves in the Java control panel – General tab and Temp Internet Files > View and see which applications use Java.
          (This only applies if the box “Keep Temp Internet files” is checked – reached via Settings)

          Not to take away from Woody’s article, but another useful perspective is offered
          by Michael Horowitz http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java

          Regardless, my first and pretty well only choice is to use a sandboxed browser at all times.

          Pete.

          • #1370703

            some file hosting sites(up- and down- load)

            Pretty much every file hosting site I’ve seen lately uses Flash. A lot of video-downloader sites do seem to use Java applets, but I really don’t trust them and there are much better ways to download videos anyway (namely the DownloadHelper addon in FireFox).

            However, it does occur to me that PDFill (and probably a lot of other “print to PDF” programs) requires Java, so I guess I’ll be keeping it around after all.

      • #1370599

        Hi All,

        For the life of me I can’t understand why people have to resort to extreme measures,
        rather than take a more rational approach and run their web browsers sandboxed.
        There are so many ways to do this, ranging from running a VM (virtual machine)
        to something like Sandboxie

        Perhaps it’s because such approaches are quite complicated for average users, and hopelessly complex for low-skill Windows users.

        Anyway, what I don’t get is why bother disabling Java, just uninstall it. If nobody needs it then it serves no purpose being there in the first place.

        Also….Susan’s explanation of the difference between java and javascript leaves me even more confused.

      • #1370630

        BTW, I’ve used Sandboxie since 2005 and never had an infection on my system due to something
        picked up while surfing the web. Yes I had many infections inside the sandbox, but they are inconsequential,
        since they disappear the moment the sandbox is deleted.

        That likely has more to do with your careful surfing practices than with your sandbox. I’ve never used a sandbox, and in over 15 years the only infection I EVER had was caught from my camera! (I unloaded some pictures in a Thai internet cafe, and brought back a “souvenir.”)

    • #1370552

      I simply removed the java program using the windows control panel (not the Java panel). If, and when I discover a valid need for java, I will install it again. Most of the experts seem to indicate java is unnecessary except for a few very specific instances. I don’t see this as panic, but rather prudent given all the reported problems.

    • #1370567

      Look before you jump. This is only with the java 7 set of releases: http://www.us-cert.gov/cas/techalerts/TA13-010A.html
      Removing or disabling all Java might give you additional problems you hadn’t counted on.
      Java 6 is typically used in a number of browsers when accessing network equipment. Motorola WiNG 3.x and 4.x controllers/APs come to mind. Many corporate applications may also be built using Java 6 (1.6.20). Removing Java will keep you from accessing the GUI interface to those devices, which you might be required to maintain. You can still easily go into the Java control panel and disable the offending versions and then see what Java apps you might be using are still working.

    • #1370626

      A few nits about Woody’s article Security alert: Remove Java from your browsers

      The section titled Scorched earth: Remove Java from all browsers
      ‘Scorched earth’ is overly dramatic and ‘remove’ inaccurate. Woody describes the means to DISABLE Java in all browsers. Not destroy it. Java remains installed, just disabled. You needn’t re-install Java when you need it. Merely re-enable it.

      Woody states, “I have no idea why Microsoft made it so hard to disable Java in IE, particularly when it’s such a simple process in Firefox and Chrome.” Microsoft appears to have made disabling Java a simple process in Windows 8 IE 10. Please see Disabling JRE 1.7 much simpler in Windows 8 IE 10 I think.

    • #1370628

      java can easily be disabled in windows 7 and windows 8. In windows 7 ie9 by the following options present in ie9
      same way you can do this in windows 8 ie10 but only on desktop mode

      • #1370773

        java can easily be disabled in windows 7 and windows 8. In windows 7 ie9 by the following options present in ie9
        same way you can do this in windows 8 ie10 but only on desktop mode

        As already mentioned by several others who have posted here, it is not enough to just do what you have suggested. That is only a “hurry up” function to Java.

        Please note that Oracle states:

        Internet Explorer
        The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel

        http://java.com/en/download/help/disable_browser.xml

    • #1370739

      Did you uninstall all versions of Java on your PC? I had an older one and installing the latest Java didn’t get me the new control panel security screen until I uninstalled all Javas and followed by an install of the latest version.

      Jerry

      • #1370748

        I also had the problem of not seeing the security slider in the security tab of the Java Control Panel with Java 7 update 11 installed on a Win7 64bit system.

        Finally tracked it down to this resolution: http://www.java.com/en/download/help/jcp_securityslider.xml Seems the older installation of Java FX doesn’t update the control panel app correctly.

        you can also access the correct control app directly (the slider shows up this way) from these locations:

        “Alternate method of launching Java Control Panel

        Click Windows Start button.
        In the Start Search box, type:
        Windows 32-bit OS: c:\Program Files\Java\jre7\bin\javacpl.exe
        Windows 64-bit OS: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe ”

        this is from the Java.com help for disabling Java in the browser http://www.java.com/en/download/help/disable_browser.xml

        • #1370766

          Yup–dzellman found the answer to that missing security slider and option to turn off Java in browsers. Just to add some additional info: The “JavaFX” application was installed as a second, separate application by an earlier update. As long as JavaFX is installed, the security slider and option to turn off Java in browsers won’t appear in the Java Control Panel. I believe you can get those options back by simply uninstalling the “JavaFX” application–you don’t need to uninstall Java itself.
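Added example, not written by any poster in this thread and not Oracle's tooling: a PowerShell script that lists the Java entries in Programs and Features, marks which ones the thread's advice would keep, remove or review, and checks the two `javacpl.exe` locations quoted above. The function names, the display-name patterns and the sample list are assumptions made for this example.

```powershell
# Added example (PowerShell 3.0 or later). Function names are hypothetical.

# Constructed sample: display names modelled on the versions one poster listed.
$SampleNames = @(
    'Java 7 Update 11',
    'Java 7 Update 5 (64-bit)',
    'JavaFX 2.1.1',
    'Java Auto Updater'
)

function Get-InstalledJavaName {
    # Read "Programs and Features" entries from the native and the 32-bit uninstall keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        ForEach-Object { $_.DisplayName }
}

function Get-JavaReport {
    param([string[]]$DisplayName)

    # Parse each name. Entries matching neither pattern (e.g. the updater) are skipped.
    # Assumption: runtimes are named "Java <major> Update <n>", optionally with "(TM)".
    $parsed = @(foreach ($name in $DisplayName) {
        if ($name -match '^JavaFX\s') {
            [pscustomobject]@{ Name = $name; Kind = 'JavaFX'; Major = 0; Update = 0 }
        } elseif ($name -match '^Java(\(TM\))?\s+(?<major>\d+)(\s+Update\s+(?<upd>\d+))?') {
            $upd = if ($Matches['upd']) { [int]$Matches['upd'] } else { 0 }
            [pscustomobject]@{ Name = $name; Kind = 'JRE'; Major = [int]$Matches['major']; Update = $upd }
        }
    })

    # Highest major version, then highest update number, is treated as "newest".
    $newest = $parsed | Where-Object { $_.Kind -eq 'JRE' } |
        Sort-Object Major, Update -Descending | Select-Object -First 1

    foreach ($p in $parsed) {
        $action = if ($p.Kind -eq 'JavaFX') {
            'Review: separate JavaFX entry, reported in this thread to hide the new control panel'
        } elseif ($newest -and $p.Major -eq $newest.Major -and $p.Update -eq $newest.Update) {
            'Keep: newest installed update'
        } else {
            'Remove: older version'
        }
        [pscustomobject]@{ Name = $p.Name; Action = $action }
    }
}

function Get-JavaControlPanelPath {
    # The two locations quoted in the thread from java.com's help page.
    @(
        'C:\Program Files\Java\jre7\bin\javacpl.exe',
        'C:\Program Files (x86)\Java\jre7\bin\javacpl.exe'
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

# Report on the constructed sample. On a real machine use:
#   Get-JavaReport -DisplayName (Get-InstalledJavaName)
Get-JavaReport -DisplayName $SampleNames | Format-Table -AutoSize
Get-JavaControlPanelPath
```

With the sample list, Java 7 Update 11 is marked to keep, Java 7 Update 5 (64-bit) to remove, and JavaFX 2.1.1 for review.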

          • #1370880

            Yup–dzellman found the answer to that missing security slider and option to turn off Java in browsers. Just to add some additional info: The “JavaFX” application was installed as a second, separate application by an earlier update. As long as JavaFX is installed, the security slider and option to turn off Java in browsers won’t appear in the Java Control Panel. I believe you can get those options back by simply uninstalling the “JavaFX” application–you don’t need to uninstall Java itself.

            Thanks for this info. My Java FX installed same date (Aug 4, ’12) as Java 7 5 (the 64 bit version). But Java 7 11 installed Sep 6, ’12. Can anyone else verify I don’t need JavaFX before I uninstall it?

        • #1370772

          I also had the problem of not seeing the security slider in the security tab of the Java Control Panel with Java 7 update 11 installed on a Win7 64bit system.

          Finally tracked it down to this resolution: http://www.java.com/en/download/help/jcp_securityslider.xml Seems the older installation of Java FX doesn’t update the control panel app correctly.

          you can also access the correct control app directly (the slider shows up this way) from these locations:

          “Alternate method of launching Java Control Panel

          Click Windows Start button.
          In the Start Search box, type:
          Windows 32-bit OS: c:\Program Files\Java\jre7\bin\javacpl.exe
          Windows 64-bit OS: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe ”

          this is from the Java.com help for disabling Java in the browser http://www.java.com/en/download/help/disable_browser.xml

          Wow, that was so easy! Thanks a bunch!

        • #1370775

          Seems the older installation of Java FX doesn’t update the control panel app correctly.

          Best way to resolve this permanently is to uninstall Java 7 update 11 and install it again, as mentioned in many other posts here.

        • #1370877

          This thanks is to dzellman, whose info is on page 3 of the threads. I obviously don’t know how to post correctly.

          Thanks, thanks, a million thanks.

          I’m going to do as you suggested and see if it works. And you told me what the mysterious JavaFX2.1.1 is. I’ll let you know if this works.

        • #1370879

          I also had the problem of not seeing the security slider in the security tab of the Java Control Panel with Java 7 update 11 installed on a Win7 64bit system.

          Finally tracked it down to this resolution: http://www.java.com/en/download/help/jcp_securityslider.xml Seems the older installation of Java FX doesn’t update the control panel app correctly.

          you can also access the correct control app directly (the slider shows up this way) from these locations:

          “Alternate method of launching Java Control Panel

          Click Windows Start button.
          In the Start Search box, type:
          Windows 32-bit OS: c:\Program Files\Java\jre7\bin\javacpl.exe
          Windows 64-bit OS: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe ”

          this is from the Java.com help for disabling Java in the browser http://www.java.com/en/download/help/disable_browser.xml

          Again, thanks. I got the updated Java control panel via the search box and disabled Java in my browser. The java page explaining why the old control panel goes on to recommend uninstalling all Java and Java FX before installing Java 7 11. I have all three on my system now but have disabled Java in the browser. Do I really need to uninstall all and then reinstall? Also, I cannot find downloads on the Java site for Java 7 5 (I have a 64 bit machine) and JavaFX 2.1.1. Don’t I need all these Java’s?

      • #1370771

        Jerry, I had only one version of Java.

    • #1370750

      Based on the column, I disabled Java in Firefox. The first two web sites I visited, Facebook and Hotmail, wouldn’t function properly. That makes it tough to embrace the “No Java” option. :huh:

      Victoria

      • #1370755

        Based on the column, I disabled Java in Firefox. The first two web sites I visited, Facebook and Hotmail, wouldn’t function properly. That makes it tough to embrace the “No Java” option. :huh:

        I don’t know about Hotmail, but Facebook most assuredly does not use any form of Java.

        As per Ms. Bradley’s piece, Javascript is completely different from Java, and if you disabled Javascript, then yes, that would break any number of things. Don’t disable Javascript; there is nothing wrong with it.

    • #1370758

      Thanks, Kehander. It’s been a challenging day & my brain is fried. I’ll revisit the article after a little shut-eye.
      Victoria

    • #1370960

      FWIW, I completely removed Java (not Javascript) from two PCs last August. One is an XP SP3 laptop and the other is a Win 7 Pro 64-bit laptop. I figured I could always re-install the latest version. Both of the PCs surf all over the web, get email, use MS Office daily. Both of the machines are used in the office, at client sites, at airports, at Starbucks, and so on. We use MSE, SuperAntiSpyware, MalwareBytes, and SpywareBlaster, and generally stay paranoid about any slightly odd website and email.

      So far, we have not missed Java at all, and no site that we use seemed to depend upon it.
      Your mileage may vary.

    • #1370972

      According to: http://blogs.computerworld.com/cybercrime-and-hacking/21626/how-be-safe-possible-java

      One interesting point here is Internet Explorer. Oracle says that it is not possible to completely disable Java in Internet Explorer while leaving it enabled in another browser.

      This is one more reason to use the new control panel applet to disable all webbrowsers (and enable them when/if needed), rather than the method of disabling each individual webbrowser.

    • #1371236

      That’s an interesting point. The reality, is that the browser is the application for processing web content. When it encounters content that requires a helper application, it passes off a call to the operating system. In this case, the installed JAVA machine is invoked to process the JAVA code.

      How Microsoft has written its code to integrate Oracle’s JAVA machine is probably a secret. It certainly is possible though, that the OS can “apply” global settings to all of its installed browsers that “supersede” the settings made in the individual browsers. Or the settings made in an individual browser might become global. Or neither. 🙂

      Without more certainty, the control panel approach may be the wise choice. Suffice it to say, there is no threat until a browser encounters JAVA code in a web page. If the browser alerts you, ala Chromium, then you’re ok. If it executes automatically and without warning, then all bets are off. Windows users especially should appreciate this, because the vast majority of the exploits target them, and they are more likely to operate with permissions that allow the code to complete.

      • #1371245

        Without more certainty, the control panel approach may be the wise choice. Suffice it to say, there is no threat until a browser encounters JAVA code in a web page. If the browser alerts you, ala Chromium, then you’re ok. If it executes automatically and without warning, then all bets are off. Windows users especially should appreciate this, because the vast majority of the exploits target them, and they are more likely to operate with permissions that allow the code to complete.

        Oracle admits that there is an issue and suggests (http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html) that users “change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.”

        They are referring to the slider on the security tab of the new control panel applet. They are promising that this setting will result in the user being “prompted before any unsigned Java applet or Java Web Start application is run.” But, I do not believe that this is enough security and I am sure that the developers of the exploits will be able to circumvent this type of security. It is much better to use the control panel “Java off for web browsers unless needed” approach.

        • #1371246

          Oracle has finally discovered that there is an issue with the missing disable Java check box and security slider in the Control Panel after installing Java 7 update 10 or 11.

          http://java.com/en/download/help/jcp_securityslider.xml

          Here is the notice about that and what they suggest that you do. They want you to remove all versions of Java and JavaFX through the Windows Uninstall Control Panel AND also use the Microsoft uninstall utility to repair corrupted registry keys that prevent programs from being completely uninstalled or blocking new installations and updates.

          I have uninstalled JAVA (on some machines several versions) and FX on many machines (with various Windows flavors) the past few days to get the new Java applet in the control panel and have not had any issues that would require using the Microsoft uninstall utility.

          [BTW the Microsoft uninstall utility – msicuu2.exe – which I think that they believe that they are referring users to, has been replaced by an online Fixit tool.]

          Why are the disable Java check box and security slider not in the Control Panel after installing Java 7 update 10 (7u10) or 7u11?
          ——————————————————————————–
          This article applies to:
          • Platform(s): Windows 8, Windows 7, Vista, Windows XP, Windows 2000, Windows 2008 Server
          • Java version(s): 7.0, 7u10+

          ——————————————————————————–
          SYMPTOMS

          After installation, the checkbox to enable/disable Java and the security level slider do not appear in the Java Control Panel Security tab.
          This can occur with 7u10 or 7u11.

          ——————————————————————————–
          CAUSE

          This is due to a conflict between Java 7u10/7u11 and standalone installations of JavaFX.
          Example: If Java 7u5 and JavaFX 2.1.1 are installed and if Java is updated to 7u11, the Java Control Panel does not show the checkbox or security slider.

          ——————————————————————————–
          To resolve this issue it is recommended to uninstall all versions of Java and JavaFX before installing Java 7u10 or 7u11.
          Please follow the steps below for resolving this issue.
          1. Remove all versions of Java and JavaFX through the Windows Uninstall Control Panel.
             Instructions on uninstalling Java.
          2. Run the Microsoft uninstall utility (http://support.microsoft.com/mats/Program_Install_and_Uninstall/en) to repair corrupted registry keys that prevent programs from being completely uninstalled or block new installations and updates.
          3. Download and install the Windows offline installer package (http://java.com/winoffline_installer/).

          • #1371788

            Hello Copenhagenmail, and anyone else who cares to reply!

            I have read & re-read thru all these posts, plus other ones at different web sites & all I am is more confused now than before.

            Is this problem with Java or Java Scripts in the browsers??
            The articles said to turn off Java in the different browsers, (I assume the control panel will only work on installed versions of the browsers though)?
            So is that not turning off the scripts then?

            I currently use installed versions of IE8, FF18.0.1 and also portable versions of FF18.0.1, Opera-12.12.1701,
            Iron Portable Version 23.0.1300.0 (170000), and Maxthon Portable 4.0.0.2000_Rev1.

            I have already removed JAVA (the installed program) from my PCs!

            Is that all I have to do?

            Do I have to disable the JavaScript in the browsers?

            Thanks a bunch!
            I look forward to your answer(s) to my questions.
            Sincerely,
            Cin

            • #1371827

              Hello Copenhagenmail, and anyone else who cares to reply!

              I have read & re-read thru all these posts, plus other ones at different web sites & all I am is more confused now than before.

              Is this problem with Java or Java Scripts in the browsers??
              The articles said to turn off Java in the different browsers, (I assume the control panel will only work on installed versions of the browsers though)?
              So is that not turning off the scripts then?

              I currently use installed versions of IE8, FF18.0.1 and also portable versions of FF18.0.1, Opera-12.12.1701,
              Iron Portable Version 23.0.1300.0 (170000), and Maxthon Portable 4.0.0.2000_Rev1.

              I have already removed JAVA (the installed program) from my PCs!

              Is that all I have to do?

              Do I have to disable the JavaScript in the browsers?

              Thanks a bunch!
              I look forward to your answer(s) to my questions.
              Sincerely,
              Cin

              Be advised that removing JAVA from the machine eliminates all risks, but will affect everything that uses JAVA. That’s overkill, IMO. The advice Copenhagen posted about moving the new control panel applet setting to “HIGH” seems a reasonable alternative.

              You have to determine your own needs though, based on your habits, software, and whether others use your computer.

              I would add that JAVA has a useful place in web page design, and I doubt that designers are going to rush to abandon it.

            • #1371872

              Is this problem with Java or Java Scripts in the browsers?? ………Do I have to disable the JavaScript in the browsers?

              Just Java in browsers, not Java Script.

              Pls. see https://windowssecrets.com/known-issues/java-more-than-the-usual-cup-of-coding-coffee/ and Woody Leonhard’s article where he writes “Java is not JavaScript”. The issue is only with Java.

            • #1371884

              Unfortunately I need Java 7 Update 11 for nettbank. I mostly use the Chrome browser now so I have turned this Java Plug-In off for the time being but left it running in my IE9 browser. I use IE9 now only for nettbank.
              However, even if I turn on the Java Plug-In in Google Chrome it will not function on my Windows 7 … it functions OK on Vista/Chrome.
              Does anyone know the solution to getting it to work with Windows 7 and Chrome please.

            • #1371978

              Unfortunately I need Java 7 Update 11 for nettbank. I mostly use the Chrome browser now so I have turned this Java Plug-In off for the time being but left it running in my IE9 browser. I use IE9 now only for nettbank.
              However, even if I turn on the Java Plug-In in Google Chrome it will not function on my Windows 7 … it functions OK on Vista/Chrome.
              Does anyone know the solution to getting it to work with Windows 7 and Chrome please.

              Yeah, now you’ve stumbled into the real mess. There are a plethora of compatibility issues with JAVA versions and the versions of applications that require them. The implementation of JAVA is a collaborative effort with both the JAVA developers and the platform developers. Sadly, neither are inclined to bother much with backward compatibility. Microsoft will immediately give the disclaimer that it supports only IE.

              Additionally, I am aware that some application installation packages of some versions (Open Office, for example) include JAVA while later ones do not. So how JAVA is installed on the system and controlled/removed, may not be intuitively obvious.

              While you can look in the respective forums for help, a Google search is probably the way to go. A poster in another thread described your same problem, and a recommendation was to uninstall and re-install Chrome.

              Sorry, I can’t be more helpful.

            • #1372006

              Unfortunately I need Java 7 Update 11 for nettbank. I mostly use the Chrome browser now so I have turned this Java Plug-In off for the time being but left it running in my IE9 browser. I use IE9 now only for nettbank.
              However, even if I turn on the Java Plug-In in Google Chrome it will not function on my Windows 7 … it functions OK on Vista/Chrome.
              Does anyone know the solution to getting it to work with Windows 7 and Chrome please.

              This is why Woody Leonhard’s explanation of methods is unnecessarily complicated…….

              All you need to do is to use the Java applet in the control panel – irregardless of which version of Windows or which browser you use – to turn Java for browsers on or off as needed. Use only the system wide method, there is no reason to try to manage the individual browsers.

              When you need to use your netbank, go to the control panel and enable Java for browsers, and when you are finished using your netbank, disable Java for browsers again in the control panel. This only requires seconds each time.

              BTW – as mentioned in other messages – Oracle says that it is not possible to completely disable Java in Internet Explorer while leaving it enabled in another browser. There are very likely other interactive issues with other browsers if Java is left “on” system wide.

              Remember to remove whatever other changes you made.

    • #1371939

      A belated update…
      Once I installed the latest Java update, the option to disable Java (NOT Javascript) in all browsers did become available. I’m very grateful to those of you with more advanced skills who are willing to help others!
      Thanks,
      Victoria

    • #1372057

      I have received, every few minutes, a request to download SSVAGENT.exe, Java FX 2.1 Runtime. It’s very persistent. SHOULD I DO THIS OR NOT, if not, how do I get rid of this popup.

      Thanks, Twinkie

      • #1372069

        I have received, every few minutes, a request to download SSVAGENT.exe, Java FX 2.1 Runtime. It’s very persistent. SHOULD I DO THIS OR NOT, if not, how do I get rid of this popup.

        Do you have the latest version of Java installed? It is Java 7 Update 11.

        As of Java 7 update 6, Java FX 2.1 is installed with Java.

        I suspect that you might have one or more older versions of Java installed. What you should do is to go to the control panel (programs applet – different names depending upon Windows version) and uninstall ALL versions of Java that you have – also perhaps an older version of Java FX. When this is done, go to the Java.com website and install the latest version of Java. Read the thread above to see how you can disable Java for web browsers when not needed.

    • #1372094

      I’ll try your suggestions. I have Java 7 update 9 & JavaFX 2.1.1. I had thought it was the Java Runtime that was the problem and that is what it wants to download.

      Thanks, Twinkie

      • #1372188

        I’ll try your suggestions. I have Java 7 update 9 & JavaFX 2.1.1. I had thought it was the Java Runtime that was the problem and that is what it wants to download.

        The Java FX 2.1 Runtime is NOT the Java Runtime. I know that this is confusing, but Java FX is a separate developer system, also made by Oracle. It is now planned that when Version 8 of Java is ready, it will be integrated completely with Java. That is why it is now “bundled” with new versions of Java.

        Just uninstall both Java programs you have and install the newest version of Java and you will be covered.

        Then go to the control panel and disable Java for browsers, and when and if you ever need Java you can enable Java for browsers again in the control panel. This only requires seconds each time.

    • #1372169

      I have an older “garage” computer running XP and Chrome 8 that when I disabled JavaScript had GoDaddy’s webmail promptly fail. I tried adding exceptions and nothing seemed to work. Reading all the install and uninstall steps posters have been through leaves me very reluctant to do much at this point. There has got to be an easier way. My Firefox browser has an older version of JavaScript installed and said it was disabled so I left it alone.

      • #1372186

        I have an older “garage” computer running XP and Chrome 8 that when I disabled JavaScript had GoDaddy’s webmail promptly fail. I tried adding exceptions and nothing seemed to work. Reading all the install and uninstall steps posters have been through leaves me very reluctant to do much at this point. There has got to be an easier way. My Firefox browser has an older version of JavaScript installed and said it was disabled so I left it alone.

        It is Java and not Java Script that should be disabled. There is no reason to disable Java Script.

    • #1372237

      I’m probably approaching this problem from a different angle!
      I’m attached to my 2006 computer running XP and to date it has never had a reinstall or major hiccup.

      Following Woody’s article I checked the Java main screen as indicated and found, [“Do I Have JAVA?”] in IE, Firefox and Chrome, that none of the browsers could tell me whether Java was enabled or not.

      I have 712 instances of Java and Javascript folders and files to sort out so there’s quite a learning curve ahead.

      Russ

      • #1372353

        I’m probably approaching this problem from a different angle!
        I’m attached to my 2006 computer running XP and to date it has never had a reinstall or major hiccup.

        Following Woody’s article I checked the Java main screen as indicated and found, [“Do I Have JAVA?”] in IE, Firefox and Chrome, that none of the browsers could tell me whether Java was enabled or not.

        I have 712 instances of Java and Javascript folders and files to sort out so there’s quite a learning curve ahead.

        Russ

        You can see which versions of Java you have in Add/Remove programs.

        You should remove all the old versions (see Oracle’s admonition in one of my earlier messages to this thread) and install the very latest version. At the moment that is Version 7 Update 11.

        If Java isn’t disabled it is enabled. The browsers can’t tell you. Only the new Control Panel applet gives you the option to disable for ALL web browsers.

        Woody does not say that you should figure out whether IE, Firefox or Chrome should be enabled or disabled individually. He also does not say that you should disable/enable system wide. (He just lists all options and, as we have seen in this thread, this is confusing for many people.) But, if Java is enabled on IE you can’t be sure of whether Firefox or Chrome are disabled/enabled – and vice versa. So, what is the real option? The only real choice is to disable/enable Java on ALL web browsers system wide via the Version 7 Update 11 control panel applet.

        It is both easy and effective and doesn’t require fiddling around with settings in the individual browsers that could have adverse results.
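
An added example, not part of the thread and not Oracle's code: a read-only PowerShell audit for the checks discussed in the posts above (which Java and JavaFX entries are installed, and what the Java Control Panel has recorded for browsers). The display-name patterns, the deployment.properties locations and the use of the two property names are assumptions about how Java 7 registers itself, and `$MinUpdate` is a hypothetical parameter that defaults to the Update 11 named above.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the PC.
param(
    [int]$MinUpdate = 11   # Java 7 update the post above calls the latest; raise for newer releases
)

# Classify one Add/Remove Programs display name.
# Assumed name shapes: "Java 7 Update 9", "Java(TM) 6 Update 31", "JavaFX 2.1.1".
function Get-JavaFinding {
    param([string]$DisplayName, [int]$MinUpdate)

    if ($DisplayName -match '^JavaFX\s+(\S+)') {
        return "JavaFX $($Matches[1]) entry: the Oracle notice says to uninstall it before installing 7u10/7u11"
    }
    if ($DisplayName -match '^Java(\(TM\))?\s+(\d+)(\s+Update\s+(\d+))?') {
        $major  = [int]$Matches[2]
        $update = if ($Matches[4]) { [int]$Matches[4] } else { 0 }
        if ($major -lt 7 -or ($major -eq 7 -and $update -lt $MinUpdate)) {
            return "older than Java 7 Update ${MinUpdate}: uninstall"
        }
        return 'meets the minimum update level'
    }
    return $null   # not a Java runtime or JavaFX entry (for example "Java Auto Updater")
}

# Enumerate installed programs from both the native and the 32-bit-on-64-bit
# Uninstall keys, keeping only entries that Get-JavaFinding recognises.
function Get-JavaInventory {
    param([int]$MinUpdate)

    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue | ForEach-Object {
        $finding = Get-JavaFinding -DisplayName $_.DisplayName -MinUpdate $MinUpdate
        if ($finding) {
            New-Object PSObject -Property @{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Finding = $finding
            }
        }
    }
}

# Report what the Java Control Panel has saved for the current user.
# Assumed locations: LocalLow on Vista/7/8, Application Data on XP.
function Get-JavaBrowserSetting {
    $candidates = @(
        (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
        (Join-Path $env:APPDATA     'Sun\Java\Deployment\deployment.properties')
    )
    $file = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $file) {
        return 'No deployment.properties found for this user (Java Control Panel never saved settings).'
    }

    # Collect key=value pairs; comment lines and unrelated keys are ignored.
    $props = @{}
    foreach ($line in Get-Content -LiteralPath $file) {
        if ($line -match '^\s*(deployment\.[\w.]+)\s*=\s*(.*)$') {
            $props[$Matches[1]] = $Matches[2].Trim()
        }
    }

    foreach ($key in 'deployment.webjava.enabled', 'deployment.security.level') {
        if ($props.ContainsKey($key)) {
            "$key = $($props[$key])"
        } else {
            "$key is not set in $file (the installed version's default applies)"
        }
    }
}

$items = @(Get-JavaInventory -MinUpdate $MinUpdate)
if ($items.Count -eq 0) {
    'No Java or JavaFX entries found in Add/Remove Programs.'
} else {
    $items | Format-Table Name, Version, Finding -AutoSize -Wrap
}
Get-JavaBrowserSetting
```

A `deployment.webjava.enabled = false` line corresponds to the cleared "Enable Java content in the browser" check box; a missing key on a machine that shows no check box matches the symptom described in the Oracle notice quoted earlier.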

        • #1372357

          If Java isn’t disabled it is disabled.

          Aah, they finally made it safe! 😉

          • #1372366

            Aah, they finally made it safe! 😉

            Sorry for the typo! I have fixed it now.

            I think you might be right that it was “wish fulfillment”! :rolleyes:

    • #1372392

      Thanks hemeloser & Copenhagenmail for your comments above. Sorry about delayed ‘thanks’ but I did not get a notification … fixed My Subscriptions now.

      It seems to be ‘shifting sands’ with Chrome and yet another Chrome update has been issued. Since I now only use IE9 for nettbank I will leave Java on in the JCP. I have turned it off in Chrome Plug Ins so no Java for the time being until we learn more.

      What a joke Java is not!

    • #1372518

      Thanks Copenhagenmail

      This topic seems to have generated more heat than usual. Thanks for your tips. I’ve calmed down now and will uninstall the older versions. I’ve learned a lot from the diverse reactions to Woody’s article.

      Russell

      • #1372630

        Apparently there is now a new version/update of Java out: Version 7 Update 13

        I presume it is now prudent to update to this new version/update but still keep Java disabled in the browsers (from Java Control Panel) and only temporarily enable it if and when specifically needed.

        Does anybody know if the new version/update is any good?

        • #1372645

          Apparently there is now a new version/update of Java out: Version 7 Update 13

          I presume it is now prudent to update to this new version/update but still keep Java disabled in the browsers (from Java Control Panel) and only temporarily enable it if and when specifically needed.

          Does anybody know if the new version/update is any good?

          Thank you for this info!!

          I have found the Release notes, and the information contained is very meagre but please note the information which I have highlighted below with bold letters. It appears that they have rushed this release. It also appears that there was an Update 12 that was not released – we can only guess why not.
          Yes, you should update ASAP. But, I would wait to see reports regarding whether this new Update was deemed sufficient before permanently enabling Java for web browsers quite yet. :

          Oracle Java SE Critical Patch Update Advisory – February 2013

          Note: The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

          Description
          A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative and each advisory describes only the security fixes added since the previous Critical Patch Update and Security Alert. Thus, prior Critical Patch Update and Security Alert advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:

          Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

          Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 50 new security fixes across Java SE products.

          • #1372647

            Tested it on my Windows 7 IE9 & Google Chrome browsers … it now functions on my Chrome.
            But just for now I have turned it off …

        • #1398100

          I am a bit confused by the stream of Java Updates, and whether or not to disable it.

          Today, I installed (updated) Version 7.0.250 on Win XP. I had disabled but it is used for webinars that I have to attend from time-to-time. Enabling and disabling it is a hassle, and I would prefer the thing just to work. (Apologies for perhaps being lazy, or wanting to limit my time to doing things more productive or enjoyable!)

          Is it now OK to just have it there, or is it still necessary to disable it and use it only when required?

    • #1372648

      I have found a more detailed explanation of this fix here. Please notice the last paragraph (highlighted with Bold letters by me) :

      https://blogs.oracle.com/security/

      Friday Feb 01, 2013
      February 2013 Critical Patch Update for Java SE Released
      By Eric P. Maurice on Feb 01, 2013
      Hi, this is Eric Maurice again.

      Oracle just released the February 2013 Critical Patch Update for Java SE. The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

      In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

      3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in Browser, or in servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario of this kind of bugs on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

      Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE).

      The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.

      This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments. This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment.

      The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers. Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score.

      Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default. The “high” security setting requires users to expressly authorize the execution of unsigned applets allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute “silently”). As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.

      As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned. After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue. Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers. The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

    • #1373362

      In academic contexts, use of the Scopus journal search system relies on “Quosa” to download documents; this is Java. Without it, I cannot work. Unfortunately, despite discussion, they have no interest in finding an alternative. Fortunately, Firefox’s (18.0.1) red plugin warning seems to work nicely, so I can enable Java for what has to be a trusted site.

      With a right-click you can drag the Java cpl icon to create a shortcut anywhere convenient, for access to the enable/disable function. There are also several warning options in the Advanced tab for prompts and so on.

      As someone else said, no need to panic.

      • #1373868

        In academic contexts, use of the Scopus journal search system relies on “Quosa” to download documents; this is Java. Without it, I cannot work. Unfortunately, despite discussion, they have no interest in finding an alternative. Fortunately, Firefox’s (18.0.1) red plugin warning seems to work nicely, so I can enable Java for what has to be a trusted site.

        With a right-click you can drag the Java cpl icon to create a shortcut anywhere convenient, for access to the enable/disable function. There are also several warning options in the Advanced tab for prompts and so on.

        As someone else said, no need to panic.

        1. If this system doesn’t rely upon Java in a webbrowser, it doesn’t matter. If you use Java on a computer for any other purpose, it is OK.

        2. If you use the Java cpl to enable/disable function there is no need for other actions to turn Java on or off in Firefox or other browsers.

    • #1398113

      I advise my clients to disable Java if they don’t have a need for it. If they do, I suggest keeping it enabled, install all Java updates, and use common sense on what you click on. I have it installed and enabled on all my PCs. If you are really paranoid about it, you can have a separate browser with Java installed used just for the sites that need it or just enable and disable as needed but it’s an unnecessary hassle as far as I’m concerned.

      Jerry
