Is Java Safe and Do I Need It?
A reader asks: 'I've been seeing warnings lately that Java has a security flaw, and everyone should remove it. I'm not even sure what Java is. What is Java? Is Java safe? Should I disable or uninstall it?' Read on to find out...
Should You Allow Java on Your Computer?
If you encounter a website with an embedded Java app, and you don't have Java installed (or enabled), you'll just see an empty space where the program (applet) should be displaying. Many sites will provide a helpful link to where you can download the Java runtime environment. Even cell phones commonly push Java at users. But what is Java, and why should you install or enable it?
Java is both a programming language and a platform for development of applications that work on multiple operating systems, such as Windows or Mac OS or Linux. Java consists of many software components that work together to provide a "cross-platform environment". Essentially, that means a program written in the Java programming language will run on any type of computing platform, not just on an Intel or Apple or Nokia piece of hardware; provided, of course, that the essential Java operating components are present. That's where the Java runtime environment becomes necessary.

Java is handy for programmers; they need only write a program once and not worry about whether the user has a PC or a Mac computer, or be concerned with which browser is being used. Java applications can be embedded in web pages, cell phones, industrial controls, household thermostats, even coffee makers. So you will run into Java often.
Is Java Safe?
Java is touted as a secure computing environment, one that makes it difficult for bad guys to snoop, cripple, or take over your computer. The Java runtime forces all Java programs to run in what's called a "sandbox", a portion of computer memory to which they are strictly confined. In the sandbox, a program cannot do certain things without the user's explicit permission - like read your email or format your hard drive. But a sandbox takes up space.
Java sets up this sandbox in a "virtual machine" which consumes considerable computing resources. The amount of resources required varies according to the needs of a given Java application. A mortgage calculator won't slow your overall computing down noticeably. A 3D animated game might, if your computer is short on memory and/or processor power.
It's true that a serious flaw was recently discovered in Java. And yes, many voices have been calling on users to remove or at least disable Java as a result. However, a Java update is available that fixes this issue. If you download the latest version of Java (see link above), you can continue to use Java safely. Or maybe not... some security experts are warning that the most recent fixes do not fully address all the security concerns.
Do I Really Need Java?
I'll agree that the usage of Java seems to be waning on the Web. Other development tools, notably HTML5, are gaining in popularity, but I still regularly encounter sites that use it. You may come across online games, financial calculators and other applications that prompt you to run a Java applet on a web page.
If you are sure that you never use any websites that need Java, I do recommend that you remove or disable it. Chrome, Firefox, Internet Explorer, and most other Web browsers let you enable and disable Java at will in their "Options" settings.
- In Chrome, enter chrome://plugins, then click the "Disable" link next to Java(TM).
- In Firefox, click the Firefox button, or open the Tools menu. Select Add-ons, choose the Plugins tab, select the Java plugin(s) and click disable.
- In Safari, go to Safari Preferences, then Security, and uncheck "Enable Java."
- In Internet Explorer, it's a little messier. See this link for instructions on how to disable Java or completely remove it from your computer.
If you do use or encounter a website that requires Java, chances are you can find an alternative that doesn't. If you need to use a Java app for work, or there's just no good alternative, be sure to always keep your Java software updated.
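To act on the advice to keep Java updated, you first need to know which runtime is installed, independent of any browser plugin setting. The Python sketch below is an added example, not part of the original article: it parses the banner printed by `java -version` in both the older `1.7.0_10` style and the newer `17.0.2` style and compares it with a minimum you supply. The function names, the sample banners and the `BASELINE` numbers are constructed for illustration.

```python
import re
import shutil
import subprocess

# Constructed sample banners in the two formats `java -version` uses.
SAMPLES = {
    "legacy": 'java version "1.7.0_10"',
    "modern": 'openjdk version "17.0.2" 2022-01-18',
    "no_java": "'java' is not recognized as an internal or external command",
}
# Hypothetical per-major minimums for the demo; take real ones from the vendor.
BASELINE = {7: (7, 0, 50), 17: (17, 0, 1)}

def parse_java_version(banner):
    """Return (major, minor, update) from a version banner, or None."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        return None
    raw = m.group(1)
    # Java 8 and earlier: 1.<major>.<minor>_<update>, e.g. 1.7.0_10
    legacy = re.fullmatch(r'1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?', raw)
    # Java 9 and later: <major>[.<minor>[.<security>]], e.g. 17.0.2 or 9-ea
    modern = re.fullmatch(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.+-].*)?', raw)
    hit = legacy or modern
    return tuple(int(g or 0) for g in hit.groups()) if hit else None

def assess(banner, baseline):
    """Classify a runtime as ok / outdated / no-baseline / unknown."""
    version = parse_java_version(banner)
    if version is None:
        return "unknown"
    minimum = baseline.get(version[0])
    if minimum is None:
        return "no-baseline"  # major release not tracked: review by hand
    return "ok" if version >= minimum else "outdated"

def local_banner():
    """Banner of the `java` found on PATH, or None if there is none.
    None does not prove absence: a runtime can be installed off PATH."""
    exe = shutil.which("java")
    if exe is None:
        return None
    # `java -version` writes its banner to stderr, not stdout.
    done = subprocess.run([exe, "-version"], capture_output=True,
                          text=True, timeout=15)
    return done.stderr or done.stdout

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_java_version(text), assess(text, BASELINE))
    found = local_banner()
    print("this machine:", assess(found, BASELINE) if found else "no java on PATH")
```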
If you want to keep Java for that "just in case" option, or one specific trusted site, I recommend that you disable it in your everyday web browser, and use a second Java-enabled browser just for those apps that require it. For example, if you use Google Chrome or Firefox primarily, disable it there, and let it stay enabled in Internet Explorer. When you need to use a Java app, fire up IE, run the app, then return to your primary browser.
I also suggest you read Leo Notenboom's excellent article on the Java security mess, for some additional background, and tips on dealing with the issues.
Do you have something to say about Java? Post your comment or question below...
Posted by Bob Rankin on 14 Jan 2013
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Java Safe and Do I Need It? (Posted: 14 Jan 2013)
Source: http://askbobrankin.com/is_java_safe_and_do_i_need_it.html
Most recent comments on "Is Java Safe and Do I Need It?"
Posted by:
Beth
14 Jan 2013
According to the latest articles I'm reading, the update issued by Oracle on Sunday only fixes 2 vulnerabilities, which still leaves PCs vulnerable to attack by hackers intent on committing cyber crimes. When some security consultants are advising businesses to remove Java from the browsers of all employees except for those who absolutely need to use the technology for critical business purposes, you have to ask, "Is it really worth the risk to use Java right now?"
Posted by:
olamoree
14 Jan 2013
Quoted from MercuryNews: BOSTON -- Oracle (ORCL) released an emergency update to its Java software for surfing the Web on Sunday, but security experts said the update fails to protect PCs from attack by hackers intent on committing cyber crimes. Now what?
EDITOR'S NOTE: As I said in the article, you can disable it completely, or keep it active only in a secondary browser.
Posted by:
Martin
14 Jan 2013
Aren't the "classic" security precautions enough? I think that being careful about the sites you visit and the links you click, and of course, keeping a good antivirus software enabled, should keep most security holes covered. Of course, I can be terribly wrong. So what do you think? Are those security flaws in Java "broadcasting" themselves to the "mischief community" out there? (I use Java as a development tool, so I'm forced to keep it on)
Posted by:
George
14 Jan 2013
Thanks for the information on Java, it was very informative. I appreciate it.
Posted by:
Geo
14 Jan 2013
It is my understanding that java and javascript are two different things. Correct? Seems to be a lot of confusion generated over the two.
EDITOR'S NOTE: They are quite different. See http://askbobrankin.com/is_javascript_the_same_as_java.html
Posted by:
Bob in Spain
14 Jan 2013
I recently downloaded MP3 Rocket to try - apart from installing the Ask toolbar and updater (and the changes it made to my firewall settings) it also plonked 160mb worth of Java on my system. MP3 Rocket may be a good program but I'll never know as I removed the lot immediately, it's hard enough staying clean as it is without that malware sponge.
Posted by:
Joseph B Fischer
14 Jan 2013
As an example, you suggest enabling Java in Internet Explorer, and only using it when needed. Internet Explorer itself sometimes has unpatched security holes. I would suggest not ever using Internet Explorer, unless a particular web site requires it. If you need to run Java, run it with a different web browser. This is particularly true if you are still running Windows XP and can't use the latest version of Internet Explorer.
EDITOR'S NOTE: All browsers have unpatched security holes. IE is at least as secure as any of the other majors. (I might have said differently 8 or 10 years ago, but things have changed for the better with IE.)
Posted by:
Stuart Berg
14 Jan 2013
You forgot to mention that there are computer based (i.e. not on the Internet) applications that require Java. I know because, when I uninstalled Java, one of my PC programs stopped working. Since I don't need Java in my browser, I reinstalled Java but disabled it in my browsers. Now my PC application is happy!
Posted by:
Kay
14 Jan 2013
I keep getting a pop up that says "Java Scrips has crashed". Most of the time I can continue with no problem but sometimes my computer locks up. Is that related to the Java??
EDITOR'S NOTE: I assume you mean "JavaScript". No relation to Java, despite the similar name.
Posted by:
Ed
14 Jan 2013
Bob, slight change for Firefox direction
In Firefox, click the Firefox button, or open the Tools menu.
Select Add-ons Choose the Plugins tab, select the Java plugin(s) and click disable.
thank you for giving us an easy way to manage this.
ed
EDITOR'S NOTE: Good catch, fixed now!
Posted by:
Jim
14 Jan 2013
I really think you should address Stuart's point in the article. The majority of Java development today has very little to do with web applets. Most Java development is for server side (JSP and the like, which the common user won't see anyway) but also, more importantly, for desktop applications. As an example, some major parts of Libre Office require Java, and all of ThinkFree Office.
Disabling Java in your browser does not disable Java on your computer.
Posted by:
bb
14 Jan 2013
I think your statement, "If you are sure that you never use any websites that need Java ..." is wrongly stated. We shouldn't require users to know what a website uses. A better statement would be, "*Unless* you know a website you use requires Java, uninstall it." That is the safest route. If one encounters a website that needs Java, it will tell you; then make the decision whether that function is important enough for you to install Java *and* keep it updated. For me, the answer has always been no but YMMV.
Keeping it around "just in case" (remembering that you'll also have to keep it updated) is not a good decision.
Finally, not updating Java is *bad*! Lots of current bad malware is Java-based - because Java is so powerful and functional. As soon as a Java vulnerability is found, all the current malware 'kits' are updated and yet another way to exploit your computer is published. Driving an un-patched PC on the Internet is like driving without a seatbelt. Do you really want a random website to be able to run any program on your PC?
-bb
Posted by:
Beverly
14 Jan 2013
I use XP and IE. I searched for Java and there were so many items and I am not that PC literate that I didn't dare delete any of them and don't know how to just disable them in case I needed to put them back on. I will download the "partial" fix you noted but I guess I just hope for the best after that.
Posted by:
Art Sulenski
15 Jan 2013
My bank uses Java for their security program, you have to have Java to enter your password which is from a random arrangement on screen number pad and the letters from your keyboard. How could I get along without Java?
Posted by:
kay
15 Jan 2013
Thanks for the correction and reply about Java Scrip. Now can you tell me what JavaScrip is, do I need it and if I don't how do I get rid of it and if I need it how do I fix it so it doesn't "crash"
Thanks so much
Posted by:
Mario
20 Jan 2013
I found that other versions of Java, like Java 6, are NOT vulnerable. I am using Java 6, so this is not a problem for me, at least for now. See below:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
Last revised:01/17/2013
NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.
Posted by:
Russell Coover
30 Jan 2013
After the recent Government warning on Java, I decided to take Java off each of my 7 computers. I've had NO problems until today. Today, I read a report that said that UPnP devices can be easily attacked, and that they should be disabled. I then found an application called "Scan Now for UPnP" described like this ... "The free scanner checks whether your network-enabled devices might be vulnerable to attack through the UPnP protocol. Find out if you might be one of the millions of users at risk through these vulnerabilities and what steps you can take to reduce risk", so I downloaded it and attempted to execute it. The result was an error message that I needed Java to run it and a link to Sun's Java download page. BOOOOOOOOOOOO !!!!!
EDITOR'S NOTE: I've addressed this conundrum in a subsequent article: http://askbobrankin.com/security_alert_universal_plug_and_play_vulnerability.html
Posted by:
nope
11 Apr 2013
Why should I trust you telling me to use Java if your webpage has an ad for MacKeeper on it? You're very clearly full of crap.
EDITOR'S NOTE: I'd reply to you personally, but you entered "nope@nope.com" as your address. So I'll talk about this here. First, I recommend that you read this article (http://www.cultofmac.com/170522/is-mackeeper-really-a-scam/) for a balanced view of the MacKeeper controversy. It appears to me that some of the criticism is undeserved, and possibly orchestrated by a competitor.
Second, I don't decide what ads appear on the page. They are automatically selected based on contextual relevance and user-based factors. I don't see any Mac-related ads when I view the page. But since you have an Intel Mac running Safari on OS X 10.7.5, that makes it much more likely that you'll see ads for Mac products.
And third, I didn't actually tell you to use Java! In fact, I discouraged it.