Security alert: Remove Java from your browsers

Woody Leonhard

With nearly every news outlet — along with the U.S. Department of Homeland Security — calling for its removal from PCs, who wouldn’t worry about running Java on their computer?

Fortunately, there are steps every Windows user can take to lessen the chances of being bitten by a Java exploit.

Why everyone should be concerned about Java

In the computing world, Java is very nearly ubiquitous. As noted on Oracle’s Java FAQ site, it runs on lots of PCs, but it also runs on “billions of devices worldwide, including mobile and TV devices.” Java is not JavaScript, as Susan Bradley notes in her companion piece, “Java: More than the usual cup of coding coffee,” about what Java is and isn’t.

In this article, I focus on one task — disabling Java in your Web browser(s). It’s the most effective way to protect yourself from most Java-based threats. Yes, some PC users still need Java in their browsers to work with specific websites. But most of us have little to lose and much security to gain by keeping our browsers Java-free. (And yes, Mac users should block Java, too.) Java in browsers has been a malware magnet for years — it’s unlikely that fact will change anytime soon.

I’m not going to review the most recent round of Java exploits, their patches, or new exploits built onto the backs of Java fixes. Java updates are routinely covered in the twice-monthly Patch Watch column. Brian Krebs has an interesting Krebs on Security post detailing the latest war between Java security and hackers.

Scorched earth: Remove Java from all browsers

These days, it’s common for PC users to use multiple browsers. Most versions of Windows have Internet Explorer installed, and many — if not most — PC users are running Firefox or Chrome — or both. On any PC with multiple browsers, the most effective security policy is to disable Java in all browsers; then see what, if anything, breaks. Most likely, you’ll never miss it.

Websites requiring Java are on the decline, but if you hit one, you can just move on to a different site. On the other hand, if your bank, brokerage company, or some other critical site requires Java, then you need to limit your Java exposure. (I’ve been running Java-free for about six months now, and I haven’t missed it one bit.)

Here’s how to disable Java in all your browsers simultaneously. (Note: some of this information was provided in the Jan. 17 Patch Watch column.)

  • Step 1. Make sure you have the latest version of Java. My personal preference is to run Secunia PSI (see Fred Langa’s July 26, 2012, Top Story) and automatically keep up to date on all sorts of software, including Java.

    Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

    PC Drive Maintenance (Excerpt)

    Subscribe and get our monthly bonuses - free!

    Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



    If you don’t have PSI installed, go to the main Java page and, under the bright-red “Free Java Download” button, click the Do I have Java? link. Now click the Verify Java Version button. You should be running Java 7 Update 11 (or later, depending on when you read this column and whether Oracle has its act together). If you don’t have Java 7 Update 11, go back to the main Java page and click the Java download button.

  • Step 2. Crank up the Java Control Panel. It’s typically found in the Windows Control Panel. If you don’t see it, try typing “Java” into the Control Panel’s search box (upper-right corner of the CP window). In some unusual circumstances, you might have to go directly to the Java Control Panel applet by navigating to it — C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin (or something similar) — and clicking javacpl.exe.

  • Step 3. Disable Java in all browsers. In the Java Control Panel, click the Security tab and uncheck the Enable Java Content in the Browser box (see Figure 1).

    There’s a small problem with this setting’s labeling: The checkbox should say “Enable Java Content in all browsers.” Once unchecked, this setting should disable Java in every browser installed on your system.

    The Java Control Panel

    Figure 1. Unchecking the Enable Java content in the browser box disables Java in all installed browsers, simultaneously.

  • Step 4. Click OK and close the Java Control Panel. A couple of important notes on this process. Java is still installed on your PC; it’s just disabled in browsers. With Java disabled, the Java site will no longer be able to verify the installed version of Java.

You’re ready to start surfing the Web with Java reliably turned off in all your browsers.

Turn off Java in each browser separately

If you must use a site that depends on Java, the best way to limit your Java-exploit exposure is to leave Java enabled in just one browser. Use that browser for sites that need Java, and use a browser with Java disabled for general Web access.

That means you’ll have to leave the “Enable” box in the Java CP checked and manually disable Java in specific browsers. It’s easy to turn off Java in Firefox, Chrome, and Safari, but it’s unbelievably difficult to turn off Java in Internet Explorer. (Don’t shoot me — I’m just the messenger.)

In a perfect world, it’s best to turn off Java in IE and Firefox but leave it enabled in Chrome, which is smart enough (and polite enough) to explicitly ask you for permission to run a Java program whenever it encounters one (see Figure 2).

Chrome's Java warning

Figure 2. By default, Chrome always asks before running a Java app.

But as I said, turning Java off in IE is difficult — so difficult, it isn’t worth the effort. Here are the steps for disabling Java in Chrome and Firefox — and, if you’re feeling lucky, IE.

  • Chrome: In the browser’s address bar, type chrome://plugins and hit Enter. Scroll down to the entry Java (2 files) – Version: 10.7.2.11 (or 10.7.2.21), and click the Disable link. Restart Chrome and you’re done.

  • Firefox: By default, Firefox disables outdated Java plugins. If you have an old version, it might not show up on the Firefox Plugins list. To check, click the Check to see if your plugins are up to date link at the top of the Plugins list.

    To disable Java, click Firefox’s Tools menu option and select Add-Ons. Select the Plugins tab (“plugins” and “add-ons” are used somewhat interchangeably) on the left, and scroll down to Java(TM) Platform SE 7 U11. Select it and click Disable. Repeat for any add-ons you see that refer to Java, then restart Firefox. Easy.

  • Internet Explorer: I’ve looked all over the Net and talked to several of my security-enhanced friends, and I’ve not found a better way than the one documented by (gulp!) the Department of Homeland Security/Carnegie Mellon’s CERT site.

With the CERT approach, you download and run a Registry-altering file that zaps almost 800 possible Java entry points in Internet Explorer. You then delete two files which you have to find manually. It’s ugly. More to the point, nobody’s absolutely certain that the CERT approach (or Microsoft’s method, given in KB 2751647) will protect IE from future attacks. So running through this process is not only difficult; it might be insufficient.

So now you know why I recommend that you disable Java for all your browsers and take your lumps.

I have no idea why Microsoft made it so hard to disable Java in IE, particularly when it’s such a simple process in Firefox and Chrome.

= Paid content

All Windows Secrets articles posted on 2013-01-24:

Woody Leonhard

About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.