If you have read any tech news in the last few months you have almost certainly heard about multiple security flaws found in Oracle’s Java software. Even if you’re not the tech news reading type, the vulnerabilities have even made it to some mainstream news publications.
What is Java?
The first question you might ask is – what is Java? While most users’ systems we come across have Java installed, many users would not be aware of installing it or know what it is for. Put simply, Java is a programming language that allows programmers to write software that is platform independent – that is, it will run on a wide variety of different systems with different operating systems and hardware. Rather than having to write a version of the software for each different ‘platform’ (as is the case with ‘native’ software), as long as the system has Java installed, the other specifics of the machine – operating system, hardware specs etc. – don’t matter.
Most people end up with Java on their systems one of two ways: it either comes pre-installed on your new PC, or it is installed when another piece of software you are installing requires it. (The blocky 3D construction game Minecraft is one well-known example.)
Do I Need It?
So with all the worry about how insecure Java is, the first question to ask is, do I even need it? The easiest way to tell if you’re not sure is to simply uninstall Java by going to Control Panel -> Programs and Features (Add/Remove Programs in Windows XP), finding any Java installations, selecting them and clicking ‘uninstall’. If you do have any software installed that requires Java it will stop working (and possibly prompt you to download and install Java again). In this case you can simply download and install the latest Java version again and everything should be OK. If this seems a little drastic, it’s worth remembering that this is good security practice for all software – if you don’t need it, uninstall it! Every unnecessary program on your system is a potential vulnerability.
Let’s say it turns out you do need Java – or you’re simply not comfortable uninstalling and re-installing things in case you break something. Fair enough. At this point it is worth making a very important point about the Java security flaws we are talking about here: all these flaws relate to the Java plugin in the web browser. The Java software on your computer that runs Minecraft or Rank Tracker or Subsonic is, as far as any software on your PC can be, safe. The problem is that when Java is installed it installs a web browser plugin for all the major browsers by default. This is dangerous, for the simple reason that giving web pages access to powerful software like Java has the potential to allow those web pages to break out of the web browser’s sandbox and attack your system. This is exactly the kind of thing that the security vulnerabilities recently found in Java are allowing attackers to do – create malicious web pages that are able to exploit Java to take over a computer and infect it. Once this happens an attacker is able to do whatever they like with the compromised system.
Update Update Update!
So you have decided to keep Java installed on your system. The first thing you need to do is make sure you have the latest version. First, we need to uninstall any really old versions hanging around. Go to Control Panel -> Programs and Features (Add/Remove Programs in XP). Once your list of installed programs loads, scroll down to the software beginning with ‘J’ until you find your Java install/s (if there is nothing here, congratulations, you don’t have Java installed!) You may see multiple entries. Uninstall any version 6 (or older) by selecting it and clicking ‘Uninstall’. Also uninstall all but the latest version 7 if there are more than one of these (they are in the form of ‘Java 7 Update 12’, ‘Java 7 Update 13’ etc., with the higher numbers being the later versions.) Then you need to go to the Java website and download the latest version here. Run the installer you have downloaded and follow the prompts, but pay attention as you click each next button as there is a trap waiting – make sure you untick the box that says ‘Install the Ask toolbar and make Ask my default search provider’. The Ask toolbar is annoying adware that takes me an additional five minutes to remove when I come to your home or office to fix your computer (it may also violate your privacy and slow down your computer in the meantime).
And this brings us to our second solution. If you decide to keep Java installed, you most certainly need to disable the browser plugins. Once upon a time you had to do this separately in each web browser you had installed, but Java 7 Update 10 introduced a Control Panel option that allows you to disable all of them at once. Because you have just updated your Java installation to the latest version, this is the method I will show you how to use.
Disable Java Browser Plugins
Open the Control Panel from the Start menu. Here you should see an icon labelled ‘Java 32-bit’. (If not, you might be in ‘Category View’. Select ‘View by: Small Icons’ (Windows Vista/7/8) or ‘Switch to Classic View’ (Windows XP) to all the icons.) Double click the ‘Java 32-bit’ icon. In the window that opens, select the ‘Security’ tab across the top. If it is ticked, untick the box next to ‘Enable Java content in the browser’ at the top of that window. Click OK and you’re done!
If You Really Do Need Java Browser Plugins
For the most part, if you have followed these steps (and your computer is otherwise secured with antivirus, firewall and the latest Windows updates), you should be safe from the kind of Java exploits we have been hearing so much about lately. If you find that you in fact do need the Java browser plugin – a work website, for example, is a common scenario – all hope is not lost. First, unless you know you need a specific Java version – again, an unfortunately common scenario with corporate intranets – keep your Java installation up-to-date. Don’t ignore those ‘A new version of Java is available’ pop-ups! Second, download and install a different browser from the one you normally use – for example Firefox if you usually use Chrome or Internet Explorer – and enable the Java browser plugin only in that browser. (You will need to search for specific instructions on enabling/disabling the Java plugin in each browser as I won’t be covering that here). The idea is that by using your chosen Java plugin-enabled browser only for the specific site that needs it, you won’t be ‘surfing’ or following links from emails that may take you to a site that is going to try and exploit a Java vulnerability. When you do do that in your main browser, you’ll be safe, because the Java plugin is completely disabled in that browser.
It’s Not Just About Java
Many of the concepts relating to Java security mentioned here can be applied across the board. Keep your software up-to-date. Some people are reluctant to update because they don’t want their programs to change or they have had bad experiences in the past with something ‘breaking’ after an update. The reality is the chance of problems is small, change is a fact of life (and is often for the better) and the alternative – a serious malware infection installed via an unpatched software vulnerability – is much worse. And if you have software installed that you don’t need, uninstall it! A regular scan through installed programs and removal of any that are no longer used is highly recommended, with the added benefit that it will also help keep your computer running more smoothly.