In this week’s Top Story, “Security alert: Remove Java from your browsers,” Woody Leonhard discusses why and how you should remove Java from your browsers.
From a malware-prevention perspective, the distinction between the two languages is important. It’s Java that we’re regularly updating on our PCs (if we have it installed). But even with the most up-to-date version of Java, we’re still vulnerable to malware attacks, as reported in an ISC Diary blog post.
The ultimate cross-platform application language
Many developers love Java because they can code an application once and run it on a wide variety of platforms. You’ll find Java on Windows, OS X, Linux, and Android devices. According to Oracle, it’s also found on many dedicated devices such as cable boxes, DVD players, and routers — even ATMs and parking meters. (It’s not natively supported in iOS.)
“Code once” doesn’t mean never update. As with browsers and other apps, staying as secure as possible means always updating to the latest Java. If you have a bank or other financial institution that demands a version prior to Java 6, you really need to question that firm’s security stance — as well as its concern for your financial assets. Contact the firm and ask someone why they’re not protecting you as well as they should. Even a Java help page recommends:
“If you are being asked to run an application on an older version of Java and this version is installed on your machine, we strongly recommend trying the application with the most current version of Java installed on your system first.”
As detailed by Michael Horowitz on his Java Tester site, a Java component — called Java Virtual Machine or Java Runtime Environment — must be installed on a computer before Java programs will run. An Oracle Java page states:
“The JRE consists of the Java Virtual Machine (JVM), Java platform core classes, and supporting Java platform libraries. The JRE is the runtime portion of Java software, which is all you need to run it in your Web browser”.
Although you’ll typically see Java listed among your installed apps and add-ons, it’s the runtime components you’re disabling — if you follow the instructions in Woody’s Top Story, “Security alert: Remove Java from your browsers.”
Common — and uncommon — apps that use Java
Computers often come with Java components preinstalled. Michael Horowitz notes that trying to keep up with applications that demand Java is difficult. In his April 9, 2012, blog, Ed Bott listed numerous apps that use Java. Michael followed up with the following list:
- GoToMyPC — works more easily with Java, though it’s not required
- GoToMeeting [Java not required with newest browsers]
- GoToWebinar [Java not required with newest browsers]
- The Wall Street Journal website, wsj.com, uses Java for dynamic charts
- Secunia’s Online Software Inspector
- ThinkFree Office Online
- FreeMind — mind-mapping software
- France’s online voting system
- LuxSci webmail — Java used only for some advanced features
- time.gov — the official U.S. time site (Java can be disabled)
Of those applications, I’m most concerned that Secunia’s Online Software Inspector requires Java for its scanning processes. I recommend switching to Secunia Personal Software Inspector to scan your PC for needed updates.
The threat from Java-based attacks
If you must run Java on your computer and in a browser, how vulnerable are you? Merely stumbling across a website that has a Java-based attack script could result in an infection. But how prevalent are these attacks? Therein lies the rub; it’s hard to tell whether a new zero-day exploit will be a passing worry or a major threat. Like Woody, I recommend erring on the side of caution and removing Java. Then see what breaks.