29 Jul, 2013 No Comments Bobby Software Security

Almost everyone has Java installed on their computer, whether they realize it or not. Is this good or bad? Java has a long reputation for poor security, so let’s explore why, and what we can do to stay safe.

Java Security

What Is Java?

In addition to being a wonderfully tasty beverage, Java is a programming platform that some developers use to write their software. The benefit of Java is that it’s cross-platform. That means it installs on many different operating systems like Windows, Mac, Linux, and others. That allows developers to create only one version of their program that will run on everything, rather than having to create a different version for each type of system.

Don’t get Java confused with JavaScript. They are not related. JavaScript is used in web browsers to create content for web pages and is widely used on the internet. Java also works in browsers, but it’s much more than that. It can also be used to develop stand-alone programs that are not on the internet.

Do I Need Java?

Just because Java is installed does not mean it’s being used. Oracle famously boasts that it’s installed on billions of devices. But does your computer need to be one of them? Maybe, maybe not.

There are two parts to Java, and both get added to your computer when you install it:

  1. The runtime that runs Java applications on your computer
  2. The browser plugin that websites can use to run Java content inside your browser

While developers still use Java for a lot of stand-alone programs, it’s not used much by websites anymore. So you may need it for some things on your computer, but chances are you don’t really need it for browsing the web since it’s largely fallen by the wayside in internet usage.

Is Java Secure?

Java is the software most heavily exploited by cyber criminals. Critics point to a number of flaws inherent in the design of the platform that make it ripe for exploitation. But arguably worse, Oracle has a history of taking a very long time to patch vulnerabilities, for whatever reason.

Java’s poor reputation for security is mainly focused on its browser plugin, because it’s “internet-facing” (exposed to the internet). This is where Java’s biggest vulnerabilities are. And unfortunately, the browser plugin is usually activated by default when you install Java.

Cyber criminals take advantage of this by writing malicious Java code and injecting it into a website they have hacked. When you visit that site, or a site the criminals have created themselves, the malicious code executes and installs malware (viruses and such) on your computer.

How To Use Java Safely

Despite its shortcomings, it’s possible to use Java safely. Here are some tips to get your system protected.

Uninstall Java If You Don’t Need It

If you don’t think or don’t know that you need Java, I would highly recommend uninstalling it completely. It’s not worth the risk of having it if it’s not being used. If you do end up needing it, you’ll find out when you try to run a program that requires it. If that happens, just download the latest version of Java and install it again. No harm done.

Unplug Java From Your Browsers

Disabling the Java plugin will eliminate most of the problems with Java. Very few websites actually use the plugin anymore, so it’s safe to disable it in your browsers; you most likely won’t need it for anything important. Do it for every browser you have installed (Internet Explorer, Firefox, Chrome, etc.). Disabling the plugin will not uninstall Java from your system, and you can always re-enable it if you need it.

Keep Java Updated

If you’re sure that you actually do need it, you should definitely keep it updated. This is important even if you have it disconnected from your browsers, though you should check your browsers again after an update to make sure the plugin hasn’t been reactivated.

To update Java, always go to the official website and get it there. Avoid clicking on any pop-ups that tell you to update. They might be legitimate, but it’s better to be safe about it. This helps you avoid falling victim to phishing attempts disguised as update prompts.

Keep Only One Version Of Java Installed


Java has a bad habit of not automatically uninstalling old versions when it updates. Every time you install a new version, check to see if there is more than one version installed. If so, uninstall all but the latest one.

If you see any versions that say 64-bit, those are only used if you’re using a 64-bit browser (highly unlikely, even if you’re using 64-bit Windows) or running a 64-bit Java application (also unlikely). I would recommend uninstalling the 64-bit versions of Java, and only reinstall it if you find you need it.
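The two checks above (is the browser plugin still switched on, and is more than one version of Java installed) can be scripted rather than clicked through. The following is an added example, not code from the original post: it parses the `deployment.webjava.enabled` setting that the Java Control Panel writes to its `deployment.properties` file (the file location named in the comments is an assumption), and it parses the product names Windows shows in Programs and Features to find the newest version, any older leftovers, and any 64-bit copies. The properties file contents and the product list below are constructed samples.

```python
"""Audit a Java install for the two things the post says to check:
   1. whether the browser plugin is still enabled, and
   2. whether more than one version of Java is installed.
Added example; the sample inputs are constructed, not captured from a real PC."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed deployment.properties. The real file is normally found under
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\ (assumed location).
# "deployment.webjava.enabled" is the key behind the Java Control Panel's
# "Enable Java content in the browser" checkbox.
SAMPLE_DEPLOYMENT_PROPERTIES = r"""
#deployment.properties
#Mon Jul 29 10:00:00 EDT 2013
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=HIGH
deployment.user.security.exception.sites=C\:\\Users\\bobby\\exception.sites
"""

# Constructed product names as they would appear in Programs and Features.
SAMPLE_INSTALLED_PRODUCTS = [
    "Java 7 Update 21",
    "Java 7 Update 25",
    "Java 7 Update 25 (64-bit)",
    "Java(TM) 6 Update 45",
    "Mozilla Firefox 22.0",
]

# Matches "Java 7 Update 25", "Java(TM) 6 Update 45", "Java 7 Update 25 (64-bit)".
JAVA_NAME = re.compile(
    r"^Java(?:\(TM\))?\s+(?P<major>\d+)\s+Update\s+(?P<update>\d+)(?P<suffix>.*)$"
)


def _unescape(value: str) -> str:
    """Undo Java .properties backslash escapes (\\: \\= \\\\ \\n \\t)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: comments, blank lines, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line) and line[i] not in "=: \t":
            if line[i] == "\\" and i + 1 < len(line):  # escaped char inside the key
                key.append(line[i + 1])
                i += 2
            else:
                key.append(line[i])
                i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key)] = _unescape(rest)
    return props


def plugin_enabled(props: Dict[str, str]) -> bool:
    """A missing key is treated as enabled, matching Java's default (assumption)."""
    return props.get("deployment.webjava.enabled", "true").strip().lower() == "true"


def inventory(products: List[str]) -> List[Tuple[int, int, bool, str]]:
    """Return (major, update, is_64bit, display_name) for each Java entry."""
    found = []
    for name in products:
        m = JAVA_NAME.match(name)
        if m:
            found.append((int(m["major"]), int(m["update"]), "64-bit" in m["suffix"], name))
    return found


def audit(props_text: str, products: List[str]) -> Dict[str, object]:
    """Combine both checks into one report."""
    installed = inventory(products)
    thirty_two = [e for e in installed if not e[2]]
    newest: Optional[Tuple[int, int, bool, str]] = max(
        thirty_two, key=lambda e: (e[0], e[1]), default=None
    )
    return {
        "plugin_enabled": plugin_enabled(parse_properties(props_text)),
        "newest": newest[3] if newest else None,
        "stale": [e[3] for e in thirty_two if newest and (e[0], e[1]) < (newest[0], newest[1])],
        "sixty_four_bit": [e[3] for e in installed if e[2]],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DEPLOYMENT_PROPERTIES, SAMPLE_INSTALLED_PRODUCTS)
    print("Browser plugin enabled:", report["plugin_enabled"])
    print("Keep:", report["newest"])
    print("Uninstall (older):", report["stale"])
    print("Uninstall (64-bit):", report["sixty_four_bit"])
```

With the sample inputs, the report says the plugin is still enabled, that Java 7 Update 25 is the one to keep, and that the two older versions plus the 64-bit copy are candidates for removal, which is exactly the walk-through the two sections above describe by hand.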

Don’t Use The Java Plugin For Sensitive Sites

If you come across a website, such as for banking, that tries to run Java, do not use the site. The bank won’t be trying to harm you, but if their site gets hijacked, there’s no way to tell whether the code it’s trying to run is malicious or not. I’ve actually seen some banks and credit unions that still use Java in their sites. This is bad practice on their part. Steer clear and use a method other than their website.

The Bottom Line – What To Do About Java

This is my recommendation: First, uninstall Java. It won’t hurt anything. If you need it at some point down the road, you can always install it again by going to www.java.com. Java is simply too high-risk to have it if you don’t need it. Second, if it is installed, unplug it from your web browser. This is simple to do and you can always activate it again if you visit a website that needs it.
