Is Java Safe and Do I Need It?
A reader asks: 'I've been seeing warnings lately that Java has a security flaw, and everyone should remove it. I'm not even sure what Java is. What is Java? Is Java safe? Should I disable or uninstall it?' Read on to find out...
Should You Allow Java on Your Computer?
If you encounter a website with an embedded Java app, and you don't have Java installed (or enabled), you'll just see an empty space where the program (applet) should be displaying. Many sites will provide a helpful link to where you can download the Java runtime environment. Even cell phones commonly push Java at users. But what is Java, and why should you install or enable it?
Java is both a programming language and a platform for development of applications that work on multiple operating systems, such as Windows or Mac OS or Linux. Java consists of many software components that work together to provide a "cross-platform environment". Essentially, that means a program written in the Java programming language will run on any type of computing platform, not just on an Intel or Apple or Nokia piece of hardware; provided, of course, that the essential Java operating components are present. That's where the Java runtime environment becomes necessary.
Java is handy for programmers; they need only write a program once and not worry about whether the user has a PC or a Mac computer, or be concerned with which browser is being used. Java applications can be embedded in web pages, cell phones, industrial controls, household thermostats, even coffee makers. So you will run into Java often.
Is Java Safe?
Java is touted as a secure computing environment, one that makes it difficult for bad guys to snoop, cripple, or take over your computer. The Java runtime forces all Java programs to run in what's called a "sandbox", a portion of computer memory to which they are strictly confined. In the sandbox, a program cannot do certain things without the user's explicit permission - like read your email or format your hard drive. But a sandbox takes up space.
Java sets up this sandbox in a "virtual machine" which consumes considerable computing resources. The amount of resources required varies according to the needs of a given Java application. A mortgage calculator won't slow your overall computing down noticeably. A 3D animated game might, if your computer is short on memory and/or processor power.
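The sandbox described above can be seen from inside a program. This is an added example, not code from the original article: the class name SandboxDemo and the file name sandbox-demo.txt are made up for illustration, and here the program switches on Java's Security Manager itself, which the browser plug-in did on behalf of applets. It assumes JDK 8 through 17; on newer JDKs the Security Manager is disabled and the program reports that instead.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class SandboxDemo {
    /** Tries to open a file for reading and reports what the runtime decided. */
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "permitted";
        } catch (SecurityException e) {
            return "denied by sandbox (" + e.getMessage() + ")";
        } catch (IOException e) {
            return "permitted, but the file could not be opened";
        }
    }

    /** Tries to read a system property such as the user's home directory. */
    static String tryProperty(String key) {
        try {
            System.getProperty(key);
            return "permitted";
        } catch (SecurityException e) {
            return "denied by sandbox (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed target: a file in the home directory; it does not need to exist.
        String path = System.getProperty("user.home") + File.separator + "sandbox-demo.txt";

        System.out.println("Without sandbox: read file     -> " + tryRead(path));
        System.out.println("Without sandbox: read property -> " + tryProperty("user.home"));

        try {
            // Default manager and default policy: no access to user files or private properties.
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("This JDK has the Security Manager disabled: " + e.getMessage());
            return;
        }

        System.out.println("With sandbox:    read file     -> " + tryRead(path));
        System.out.println("With sandbox:    read property -> " + tryProperty("user.home"));
    }
}
```

Once the Security Manager is installed, both attempts are refused before the operating system is ever asked for the file, which is the confinement the article refers to.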
It's true that a serious flaw was recently discovered in Java. And yes, many voices have been calling on users to remove or at least disable Java as a result. However, a Java update is available that fixes this issue. If you download the latest version of Java (see link above), you can continue to use Java safely. Or maybe not... some security experts are warning that the most recent fixes do not fully address all the security concerns.
Do I Really Need Java?
I'll agree that the usage of Java seems to be waning on the Web. Other development tools, notably HTML5, are gaining in popularity, but I still regularly encounter sites that use Java. You may come across online games, financial calculators and other applications that prompt you to run a Java applet on a web page.
If you are sure that you never use any websites that need Java, I do recommend that you remove or disable it. Chrome, Firefox, Internet Explorer, and most other Web browsers let you enable and disable Java at will in their "Options" settings.
- In Chrome, enter chrome://plugins, then click the "Disable" link next to Java(TM).
- In Firefox, click the Firefox button, or open the Tools menu. Select Add-ons, choose the Plugins tab, select the Java plugin(s) and click Disable.
- In Safari, go to Safari Preferences, then Security, and uncheck "Enable Java."
- In Internet Explorer, it's a little messier. See this link for instructions on how to disable Java or completely remove it from your computer.
If you do use or encounter a website that requires Java, chances are you can find an alternative that doesn't. If you need to use a Java app for work, or there's just no good alternative, be sure to always keep your Java software updated.
If you want to keep Java for that "just in case" option, or one specific trusted site, I recommend that you disable it in your everyday web browser, and use a second Java-enabled browser just for those apps that require it. For example, if you use Google Chrome or Firefox primarily, disable it there, and let it stay enabled in Internet Explorer. When you need to use a Java app, fire up IE, run the app, then return to your primary browser.
I also suggest you read Leo Notenboom's excellent article on the Java security mess, for some additional background, and tips on dealing with the issues.
Do you have something to say about Java? Post your comment or question below...
This article was posted by Bob Rankin on 14 Jan 2013
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Is Java Safe and Do I Need It? (Posted: 14 Jan 2013)
Most recent comments on "Is Java Safe and Do I Need It?"(See all 26 comments for this article.)
Joseph B Fischer
14 Jan 2013
As an example, you suggest enabling Java in Internet Explorer, and only using it when needed. Internet Explorer itself sometimes has unpatched security holes. I would suggest not ever using Internet Explorer, unless a particular web site requires it. If you need to run Java, run it with a different web browser. This is particularly true if you are still running Windows XP and can't use the latest version of Internet Explorer.
EDITOR'S NOTE: All browsers have unpatched security holes. IE is at least as secure as any of the other majors. (I might have said differently 8 or 10 years ago, but things have changed for the better with IE.)
14 Jan 2013
You forgot to mention that there are computer based (i.e. not on the Internet) applications that require Java. I know because, when I uninstalled Java, one of my PC programs stopped working. Since I don't need Java in my browser, I reinstalled Java but disabled it in my browsers. Now my PC application is happy!
14 Jan 2013
I keep getting a pop up that says "Java Scrips has crashed". Most of the time I can continue with no problem, but sometimes my computer locks up. Is that related to the Java??
14 Jan 2013
Bob, slight change for Firefox direction
In Firefox, click the Firefox button, or open the Tools menu.
Select Add-ons Choose the Plugins tab, select the Java plugin(s) and click disable.
thank you for giving us an easy way to manage this.
EDITOR'S NOTE: Good catch, fixed now!
14 Jan 2013
I really think you should address Stuart's point in the article. The majority of Java development today has very little to do with web applets. Most Java development is for server side (JSP and the like, which the common user won't see anyway) but also, more importantly, for desktop applications. As an example, some major parts of Libre Office require Java, and all of ThinkFree Office.
Disabling Java in your browser does not disable Java on your computer.
14 Jan 2013
I think your statement, "If you are sure that you never use any websites that need Java ..." is wrongly stated. We shouldn't require users to know what a website uses. A better statement would be, "*Unless* you know a website you use requires Java, uninstall it." That is the safest route. If one encounters a website that needs Java, it will tell you; then make the decision whether that function is important enough for you to install Java *and* keep it updated. For me, the answer has always been no but YMMV.
Keeping it around "just in case" (remembering that you'll also have to keep it updated) is not a good decision.
Finally, not updating Java is *bad*! Lots of current bad malware is Java-based - because Java is so powerful and functional. As soon as a Java vulnerability is found, all the current malware 'kits' are updated and yet another way to exploit your computer is published. Driving an un-patched PC on the Internet is like driving without a seatbelt. Do you really want a random website to be able to run any program on your PC?
14 Jan 2013
I use XP and IE. I searched for Java and there were so many items and I am not that PC literate that I didn't dare delete any of them and don't know how to just disable them in case I needed to put them back on. I will download the "partial" fix you noted but I guess I just hope for the best after that.
15 Jan 2013
My bank uses Java for their security program, you have to have Java to enter your password which is from a random arrangement on screen number pad and the letters from your keyboard. How could I get along without Java?
15 Jan 2013
Thanks for the correction and reply about JavaScript. Now can you tell me what JavaScript is, do I need it, and if I don't, how do I get rid of it, and if I need it, how do I fix it so it doesn't "crash"?
Thanks so much
20 Jan 2013
I found that other versions of Java, like Java 6, are NOT vulnerable. I am using Java 6, so this is not a problem for me, at least for now. See below:
NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.
30 Jan 2013
After the recent Government warning on Java, I decided to take Java off each of my 7 computers. I've had NO problems until today. Today, I read a report that said that UPnP devices can be easily attacked, and that they should be disabled. I then found an application called "Scan Now for UPnP" described like this ... "The free scanner checks whether your network-enabled devices might be vulnerable to attack through the UPnP protocol. Find out if you might be one of the millions of users at risk through these vulnerabilities and what steps you can take to reduce risk", so I downloaded it and attempted to execute it. The result was an error message that I needed Java to run it and a link to Sun's Java download page. BOOOOOOOOOOOO !!!!!
EDITOR'S NOTE: I've addressed this conundrum in a subsequent article: http://askbobrankin.com/security_alert_universal_plug_and_play_vulnerability.html
11 Apr 2013
Why should I trust you telling me to use Java if your webpage has an ad for MacKeeper on it? You're very clearly full of crap.
EDITOR'S NOTE: I'd reply to you personally, but you entered "firstname.lastname@example.org" as your address. So I'll talk about this here. First, I recommend that you read this article (http://www.cultofmac.com/170522/is-mackeeper-really-a-scam/) for a balanced view of the MacKeeper controversy. It appears to me that some of the criticism is undeserved, and possibly orchestrated by a competitor.
Second, I don't decide what ads appear on the page. They are automatically selected based on contextual relevance and user-based factors. I don't see any Mac-related ads when I view the page. But since you have an Intel Mac running Safari on OS X 10.7.5, that makes it much more likely that you'll see ads for Mac products.
And third, I didn't actually tell you to use Java! In fact, I discouraged it.
24 May 2013
I use Frontpage 2002 for our company's website (old I know, but that's the way it is) and this week changed my buttons to be hover buttons. My work computer ran it just fine. Now I have discovered that apparently you must have java on your computer for these to work. My laptop (using Chrome) asked to use java and I said yes. My home PC however will not display the buttons because I don't have java on it.
Now I have to figure out if the hover buttons (which looks so cool to me) are worth it if our customers don't have java.
26 Jun 2013
This always confuses me. I don't have just "java" or "java script" but rather:
Java Deployment Toolkit
Java (TM) Platform SE
Which is the java you are referring to? Or neither?
24 Aug 2013
Like the previous poster, I have:
1) Java (TM) Platform SE 7 Update 13 (PLUG-IN) & 2) Java 7 Update 13 (PROGRAM, used "rarely")
Firefox is telling me the plugin is vulnerable and should be updated.
I'm thinking I'll uninstall the "rarely" used program, and update the "vulnerable" plug-in.
(Hopefully, since Bob's January article, Java has gotten its act together.)
27 Dec 2013
Bob, as a subscriber to your excellent site, I apologize for some of the totally unnecessary rude remarks made by some posters who obviously have no manners or self respect.
Folks, we are all imperfect and make mistakes, so why criticize Bob? He does an excellent job and achieves excellence in his endeavors to help us.
Rather thank him for his fine contribution to us PC users, and point out things you don't agree with in a respectful and kind manner.
By your disrespect, you are only showing what you yourself are at heart... Have you noticed how self-controlled and mannerly Bob is by refusing to respond in kind to hateful remarks? Why abuse the privilege of your freedom of speech?
Thank you Bob, for your fine and helpful articles and your humility when you find good sense in a kindly post!
14 Jan 2014
Bob, in Illinois the State Police require that I have JAVA on my computer in order to get my Digital ID Number; then and only then can I apply for my Concealed Carry Permit from the State Police. Should I install it, get my permit and then disable it? Of course I do not know how to do any of that, but I can get help.
EDITOR'S NOTE: Yes, it should be fine to do that. There are tips in this article on how to turn Java on or off.
11 Mar 2014
We had Java installed on both our computers, as Java is required to play bridge on pogo.com, which we enjoy. We constantly had problems with malware (conduit, mysearchdial, etc.) and the older computer worked very slowly. Since removing Java, we have not had such issues. Any advice would be appreciated. We do miss playing bridge on pogo.com, but it's not worth the problems.
23 Apr 2014
Java tries to install the horrendous ASK toolbar. I don't trust any software that tries to inflict such nastiness on the unwary. I don't trust that it won't install something I don't want even if I untick the appropriate boxes. Any company promoting this leechware is a disgrace.
15 May 2014
I found this tool:
JavaRa is an effective way to deploy, update and remove the Java Runtime Environment (JRE). It can assist in repairing or removing Java when other methods fail.