Time to Boycott Java?

Category: Security , Software

In January 2013, a reader asked me if Java was safe to use. My answer then was somewhat equivocal; yes, Java complicates PC security, but you may want to keep it – carefully – if you run into situations where you need it. Basically, I felt the risk/reward ratio of Java was a toss-up. But my assessment is changing now. Read on to find out if you should keep Java or dump it…

Should You Kick Java to the Curb?

In my article “Is Java Safe And Do I Need It? I outlined the security issues with Java, and gave some tips on why you might want to keep it around, just in case. But the risks that Java poses now seem greater and the rewards are diminishing.

First, Java has become hackers’ favorite target. According to Microsoft’s latest Security Intelligence report more than three-quarters of all “drive-by download” attacks were aimed at Java vulnerabilities, up from 10 per cent in 2008. Cisco’s 2014 Annual Security Report states that 91% of all successful Web exploits targeted Java vulnerabilities. Do you see a pattern there?

Boycott Java

There are several reasons for Java’s popularity among bad actors. (If Alec Baldwin was a hacker, that would make a great double entendre.) Java is installed on over 1.1 billion digital devices and enabled in virtually every Web browser, providing lots of potential victims for exploits. Also, Java has proven to be very exploitable, with numerous vulnerabilities discovered over the years.

You Can't Put a Band-Aid on Cancer

Sure, patches have been issued, but there are problems with Java patches.

Many patches issued by Oracle Corp., the developer of Java, have not fixed known vulnerabilities; installing the latest patch gives users a false sense of security. The April, 2014, Java patch release included fixes for more than thirty “critical” vulnerabilities, and still some independent security researches are claiming that gaping holes remain.

Many users don’t even know they have Java installed, so when a pop-up window says a new update is available they ignore it. Some may figure that any unfamiliar alert is malware trying to trick them. And often, they'd be right.

Don't make the mistake of confusing Java and JavaScript! They are completely different, despite similar names. See Is Javascript the Same As Java?

Oracle issues “critical” updates to Java only once every three months, providing plenty of time for them to be exploited. Microsoft issues Windows updates monthly and barely keeps up with malware developers.

Icing the cake, Oracle allows foistware in all Java update packages. Deceptively worded instructions and pre-checked “opt-in” checkboxes either dupe users into installing things they don’t want or annoy users who have to take pains to avoid installing unwanted software. Extraneous programs like the Ask.com toolbar have no business in any security patch installation package. Their very presence constitutes a security vulnerability, for they provide more places in which malware can be concealed.

Do You Really Need Java?

Java is everywhere, especially in the “Internet of Things,” but that does not mean it’s essential for everyday computer users. Java applets won’t run at all on Android or iOS browsers, and millions of their users seem pretty happy. Desktop versions of Chrome and Firefox recently changed their default settings to “Java disabled in the browser,” and there hasn’t been major outcry. The “Metro” interface of Windows 8 does not support Java.

Only enterprises that have invested heavily in specialized Java applications are truly stuck with Java. That may include your employer, your bank, or another institution that’s critical to you. If so, you can enable Java for that rare exception. But in general, you won’t miss Java or its headaches, and my recommendation is that you disable or uninstall it. See “Is Java Safe And Do I Need It?” for help with that.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 15 May 2014

For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 14 May 2014

The Top Twenty
Next Article:
Learn More and Become Dangerous

Most recent comments on "Time to Boycott Java?"

Posted by:

15 May 2014

I have to keep Java alive and available because our tax authority bases its software on it and I am a CPA who works alone so one machine has to do everything. Once I had to throw out an entire computer because I updated Java and they didn't. Since then I only update it when my pet support techie does it for me...

Posted by:

15 May 2014

maybe you could explain the difference between Java and JS (java script) which are both disable-able (?) independantly on FireFoxs add on. Which is worse? I know several things I use a lot, like Craigs list, require them.

EDITOR'S NOTE: I guess you missed the sidebar in the article, which gives a link to answer that question.

Posted by:

15 May 2014

You convinced me before to dump it. I did so and have never looked back. If people read this article and don't heed your warnings, then they have no business complaining when they're compromised!

Posted by:

15 May 2014

Here is an article from the Chicago Tribune, warning about java, January 2013.


Posted by:

15 May 2014

The bank I use requires Java to be installed and working to view statements and do online bankking.

EDITOR'S NOTE: Yikes, what bank is that? (My local bank still has PCs running Windows XP, right out in the open.)

Posted by:

15 May 2014

Is it the application program JaVA or are the individual programs written in Java. Is this a developer issue or platform issue?

EDITOR'S NOTE: The biggest problem is the Java applets for web browsers, written of course in the Java program language. Not entirely sure what you're asking.

Posted by:

15 May 2014

You struck my pet peeve with the comment about the "ask.com" toolbar, which you have to be careful not to download and install while installing the Java security update. Another bad actor using the unwanted software download is Adobe. They update their Flash Player (which, unlike Java, almost everyone uses)fairly frequently and you have to be careful to not download and install the McAfee Security Scan software which is conveniently already checked for the unsuspecting.

Posted by:

RG Schmidt
15 May 2014

Okay, here's your question-from-a-dummy for today. How would one know whether one is dealing with an "enterprise invested heavily in Java"?

EDITOR'S NOTE: What I meant was "If you ARE an enterprise invested heavily in Java." ie: A software developer

Posted by:

15 May 2014

Like many people I was ambivalent about enabling JAVA until I chanced upon an article by a techie blogger I admire and respect (not unlike you) who gave similar advice contained in Carole's link and your recent article. These factors plus Oracle's apparent unwillingness to man up to the critiques convinced me to disable JAVA....best to be safe than sorry :)

Posted by:

15 May 2014

Bob, in your last paragraph you say that "....you can enable Java for that rare exception". To me this means that where I have a rare exception, I need to have the LATEST Java installed but disabled on my computer, then be able to re-enable it for that exception. Wow, I guess I have a lot of reading to find out how to re-enable for a specific exception.

Posted by:

Mac 'n' Cheese
15 May 2014

Java is to JavaScript as Crab is to CrabApple.

Posted by:

Ralph Sproxton
15 May 2014

Hi, Bob. Having read your recent "Geekly Update" and learning that Oracle is suing Google and if successful, Oracle's action could hamper and possibly destroy open-source programs such as Android, I've disabled Java (I'm not sure what effects I'll notice in my browser, but I'll try it).

Posted by:

16 May 2014

Bob, I had previously disabled Java and figured that it was completely disabled for all my accounts. When I went to Control Panel and searched for "Java Control Panel," I got the Java icon and clicked on it. The Security tab said that Java is disabled "for this user only." Uh oh. What about the Guest account? So I switched to the Guest Account and found the nasty check mark in place on the Security tab and immediately unchecked that box. So now Java is disabled for all of my browser accounts.

Posted by:

16 May 2014

A rule to live by:
Whenever you find Java on a user's machine, ask: "What do you have that requires Java?" If the answer is "What's Java?" or "I don't know," uninstall it.
If a program or webpages needs Java, it'll tell you. Then make the decision if that program or webpage is worth the hassle of keeping Java updated. For me, the answer is always no.
Oh ... and you never need more than one copy of Java, my record is uninstalling 8 copies on one machine. You may need Revo Uninstaller, but it will uninstall!

Posted by:

16 May 2014

I like to print Internet coupons, and there were a couple of coupon sites that still required Java, so I just decided to stop using those sites.

Recently, a cereal company who WAS using a "Java coupon printer" emailed their customers that they were switching to a different coupon printer and the subject line was "You spoke, we listened." Now I'm thinking I should email those other companies.

Posted by:

Sharon H
16 May 2014

I dsabled Java months ago and have yet to miss it. Makes absolutely no difference; so much so that one wonders why it was developed in the first place.

Posted by:

16 May 2014

Bob, you got me to thinking, with this article. I know, I know you have written about Java for years and the problems, it has. This time was different. You honestly said, that the good was out weighted, by the bad.

I remember, when Sun was a reliable and favored company, for Java. When Java, first came about, it was a new and innovative product. I guess, my first awareness of Java, was back in 1997 or 1998. Trust me, I didn't comprehend all of what I was reading, back then and I still, don't understand all of what Java can do ... Except, that I need to have it, for some games and other programs.

Today, it seems as though, Java is not as widely used, for many of the games and other programs. Why, I am saying this, I remember when installing games or programs, that Java was included, within the installing. I just don't see that Java is included, with the installing programs, these days.

My personal opinion, Oracle has done a bad job, of keeping up with Java's vulnerabilities and just doesn't seem to care, that much. Articles, that I have read, about this merger ... Oracle wanted Java to make money, for them. It seems, that was their end goal. As for Sun, I still wonder why, they sold Java? Did they foresee, the future? Knowing, that trying to keep up with security issues, was a forever, ongoing problem, that would never end.

Well, I completely uninstalled Java. I wanted to share with you and others, what was left in my Registry. I was using Revo Uninstaller Pro, to uninstall Java, the main Java program was used to "uninstall", then Revo gives you the results --- My results were: Keys 26; Values 23 --- I also, noted that one of the Keys was for Full Domain Access and Facebook was the one listed!!!

Just thought, I would share that bit of news, for those that wonder, just how "safe" Java, is these days. Facebook is becoming, mighty unsafe these days, in my book. It way too big and out of control. I honestly believe, that a lot of Foistware and Malware come down the pipeline, on Facebook, especially in the Application area for games and etc..

Posted by:

16 May 2014

Dear Bob,
I disabled Java on my computer and my home page in Internet Explorer would not display many of the usual items. There were plenty of blank spaces on that home page. I have Windows 7, 64 bit. I can't say that I disabled Java and couldn't tell the difference.
I have also heard that another way to limit problems with Java is to disable the applets, but I don't know how to do that. Can you help with that?
Thanks for any help.

Posted by:

17 May 2014

I leave it enabled at high security level, in case it's needed.

Posted by:

19 May 2014

Thanks for the suggestion. I will give it a try.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Time to Boycott Java? (Posted: 15 May 2014)
Source: https://askbobrankin.com/time_to_boycott_java.html
Copyright © 2005 - Bob Rankin - All Rights Reserved