Java has a long history of being besieged with vulnerabilities.
Back in 2010, Microsoft’s Malware Protection Center released a Security Intelligence Report unveiling what the team called an “unprecedented wave of Java exploitation”.
Furthermore, Omaha-based security firm Solutionary reported several Java vulnerabilities over the past two years. In fact, according to research by Solutionary analyst Robert Jeffries, there has been a palpable uptick in Java-related vulnerabilities over the last 17 years.
I personally think the recent surge in Java exploits is partially a function of its popularity.
Just last month, in September 2013, F-Secure published a whitepaper that showed Java is the second most targeted program. You can read the F-Secure exploitation report starting on page 36 of 69.
Java is everywhere and as more people depend on the Java platform it will become increasingly alluring to pernicious hackers.
You might spar with me by saying, “Vonnie, I see your point, but as Java vulnerabilities climb, Oracle will patch them faster because it needs to protect its reputation for security. After all, wasn’t Oracle touting a marketing slogan with the phrase ‘Unbreakable’ in 2002?”
Yes, Oracle did have a “Can’t break it, can’t break in” philosophy and undoubtedly it will strive to preserve it; however, I don’t think the preponderance of Java vulnerabilities is enough to galvanize any substantive changes in Java’s implementation.
I think monolithic companies have a propensity to move slowly even amid clear and present danger. Oracle is currently the second largest software maker by revenue (Microsoft is first) and, as such, it can’t move with the speed and dexterity of smaller shops.
To Oracle’s credit, it has been responding to these threats by disseminating security updates and changing the default Java security setting to High, but these actions often feel reactive rather than proactive, and that’s my concern.
What this means
Prudent users will disable Java and only enable it when they absolutely need it.
If you don’t depend on Java applications for your daily work then you should expunge the framework from your system. If you have non-web applications that need Java then you can retain the Java framework but should disable the browser plug-ins.
Let me show you how to do this.
To uninstall Java in Windows 8 type Programs and Features from the Start Screen and press enter.
In Windows 7, just click Start and type Programs and Features to open the list of programs to uninstall.
If for some reason you need to re-install the latest security patched version of Java you can always grab it directly from Oracle.
Disable Java in the Browser
If you prefer to leave the Java application on your computer then please, at the very least, disable the browser plugin. You can do this from the Java Control Panel.
From the Start Menu in Windows 7 or Start Screen in Windows 8/8.1, type java and hit enter.
The Java Control Panel should jump onto the screen.
Click the Security Tab, deselect “Enable Java content in the browser” and click OK.
The User Account Control dialog box abruptly pops onto the screen admonishing your actions. Click Yes.
Finally, click OK on the confirmation box to finish up.
After restarting your browser, Java will be disabled in Internet Explorer. This should also disable it in all your other browsers too, but I don’t like the word “should”, so here’s how to double-check that the Java plugin is really disabled.
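If you manage more than one machine, or simply want a check that does not depend on clicking through dialogs, the following PowerShell script audits both steps above: it lists the Java products registered in Programs and Features (the uninstall step) and reads the per-user Java deployment settings to confirm that “Enable Java content in the browser” is really off (the Control Panel step). This is an added example, not code from the original post or from Oracle. It assumes that the Java Control Panel persists that checkbox as `deployment.webjava.enabled=false` in `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties` and that Java installers register under the standard Uninstall registry keys; both are worth verifying on your own build.

```powershell
# Added example (not from the original post): audit a Windows machine for
# installed Java runtimes and for the "Enable Java content in the browser"
# setting, so you can confirm the plug-in is off before trusting it.
#
# Assumptions (verify on your build):
#  - the Java Control Panel writes deployment.webjava.enabled=false to the
#    per-user file %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
#  - Java installs register under the standard Uninstall registry keys

function Get-InstalledJava {
    # Both the 64-bit and the 32-bit (Wow6432Node) uninstall hives, since the
    # browser plug-in is usually the 32-bit JRE.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Get-JavaBrowserPluginState {
    $propFile = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'

    # No per-user settings file means nothing has ever been changed, so the
    # Java default (browser content enabled) applies.
    if (-not (Test-Path $propFile)) {
        return [pscustomobject]@{ File = $propFile; Found = $false; WebJavaEnabled = $true; SecurityLevel = $null }
    }

    # deployment.properties is a plain key=value file with '#' comment lines.
    $props = @{}
    Get-Content $propFile | ForEach-Object {
        if ($_ -match '^\s*([^#=]+?)\s*=\s*(.*)$') { $props[$matches[1]] = $matches[2] }
    }

    # Only an explicit "false" disables browser content; a missing key means enabled.
    $enabled = $true
    if ($props.ContainsKey('deployment.webjava.enabled')) {
        $enabled = ($props['deployment.webjava.enabled'] -ne 'false')
    }

    [pscustomobject]@{
        File           = $propFile
        Found          = $true
        WebJavaEnabled = $enabled
        SecurityLevel  = $props['deployment.security.level']   # e.g. HIGH / VERY_HIGH when set
    }
}

$java = Get-InstalledJava
if (-not $java) {
    Write-Host 'No Java runtime registered in Programs and Features; nothing to disable.'
} else {
    Write-Host 'Installed Java products:'
    $java | Format-Table -AutoSize

    $state = Get-JavaBrowserPluginState
    if (-not $state.Found) {
        Write-Warning "No per-user deployment.properties at $($state.File); Java defaults apply, so browser content is ENABLED."
    } elseif ($state.WebJavaEnabled) {
        Write-Warning "Java content in the browser is still ENABLED according to $($state.File)"
    } else {
        Write-Host "Java content in the browser is disabled according to $($state.File) (security level: $($state.SecurityLevel))"
    }
}
```

Run it in the account whose browser you care about, since the settings file is per user; a machine-wide policy can also be placed in `%WINDIR%\Sun\Java\Deployment`, which this script does not read.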
Disabling Java in Chrome
Open Chrome and type this in the location bar:
If Java is really disabled then you shouldn’t see any entries here. If you do, just scroll down and click the blue Disable link.
Disabling Java in Firefox
Open Firefox, click the orange Firefox button in the upper left corner of the browser and choose Add-ons in the left pane (you can press Ctrl + Shift + a instead if you love keyboard shorties).
In the Add-ons Manager, click the blue Lego-block-looking thing in the left pane to view all your plugins. If you see Java here, set its combo box to Never Activate.
Disabling Java in Safari
In Mac OS X, open Safari, press Command + , (comma), choose the Security tab and uncheck Allow Java.
In Windows, press Ctrl + , (comma) instead.
I will be as unequivocal as I can when I say this:
If you don’t need Java, get rid of it.
Java has been beset with vulnerabilities for years, and although Oracle chronically patches these issues, the platform is still innately insecure, partially because of its ubiquity.
I’m convinced that disabling Java is one of the best ways to secure your computer. Of course it isn’t the only way, but it should be part of a defense-in-depth strategy that protects your system in layers.