Is it time to say goodbye to Java?

cyber attack

Java is a nearly-ubiquitous technology that has played an important role in the development of the Internet and cross-platform applications. It has offered a mature, net-savvy development framework for everything from high-end server applications and desktop applications (like OpenOffice) to mobile phones and interactive applications embedded in Web pages.

However, in recent months Java has come under fire. Java was once a fundamental technology included with almost every computer; however, Apple stopped shipping Java by default on new Macs almost two years ago, most Linux distributions don’t include Java by default, and even the latest versions of Windows don’t come with a stock Java installation. Why? Because, despite being a mature cross-platform technology, Java never really took off for desktop applications.

Worse, Java’s stature has been further cut down by a series of high-profile security exploits: the Mac-specific Flashback trojan relied on Java to spread itself, and (after months of apparent foot-dragging) database giant Oracle has just released a new Java update to patch multiple vulnerabilities currently being exploited by cybercriminals. Most recently, Java may also have been an attack vector in the 12 million iPhone and iPad device identifiers allegedly stolen from an FBI agent’s notebook earlier this year.

Is it time for everyday computer users to finally say goodbye to Java on their systems? How is that done? And what about people who have a legitimate need to use Java?

Nature of the beast

Java Logo

The Java situation is complicated — and is made more complicated by terminology. The security issues making headlines this week concern only a small part of the broader Java universe: It’s important not to paint with broad strokes and label everything related to Java as a massive security risk.

First, there’s confusion about what exactly is Java. Java is a programming language, like BASIC, Pascal, C, and C# (originally from Microsoft, now an open standard) and Apple’s Objective C. Programmers use Java to write programs, just like they’d use any other language. Java has actually been around more than 20 years, although it first started getting a lot of attention in 1995 when Sun released its first Java platform. Java is hardly a new kid on the block.

The idea behind Java was to create a high-level language with no platform-specific implementation dependencies. Rather than compiling to native code (say, for Windows, Mac OS or Unix) Java compiles to “bytecode” that runs on virtual machines. All JVMs are designed to run the same Java bytecode the same way, regardless of platform. That means a programmer can write a Java application that program should run on any platform with a compatible Java virtual machine. Voilà The Holy Grail of modern computing: a program that runs the same on every platform.

To put a Java application (or applet, as they’re called) into a Web browser, you need a third item: a Java browser plug-in. Like other plug-ins, a Java browser plug-in executes within a Web browser application and generally acts like an intermediary between the Java virtual machine available on the computer and the Java code on a website. Java plug-ins run applets in a security “sandbox” that’s supposed to prevent applets from doing anything harmful on a user’s system. However, the Java VM is a complicated system, plug-ins can be complicated, and Web browsers are enormously complicated. The interaction of these three Java components plus Web browser applications can have security implications — and that’s where we’re seeing the current spate of problems.

Notice what’s not a part of Java? JavaScript. Despite the unfortunate name similarity, the JavaScript client-side scripting engines built into modern Web browsers have nothing to do with Java. JavaScript has had its own share of security gaffes over the years, but turning off JavaScript will do nothing to protect users from security issues in Java — and vice versa.

Unplugging versus uninstalling

hacker keyboard

Complex modern software applications can have security issues at any step along the way. Java applications aren’t immune to security problems any more than applications written in other languages. No matter what language an application was written in, you need to hope that the developer updates its software promptly to close off security holes when they’re found. As development platforms and frameworks go, Java is actually in relatively good shape on the security front: After all, it’s had the better part of two decades to get its act together.

However, the so-called “drive-by” exploits involving Java that can compromise a person’s computer just by automatically loading a Java applet on a website rely on the Java plug-in. Plug-ins have long been popular targets of malware authors: Adobe’s Flash and Acrobat Reader plug-ins are also very common sources of security issues.

The good news is that these drive-by exploits can all be foiled by disabling the Java plug-in in your browser — no need to uninstall the Java runtime (or virtual machine). That’s handy if you do Java development or use one of the mainstream applications that do rely on the Java runtime:

  • Adobe Creative Suite 5.5 and 6
  • OpenOffice (and descendants like LibreOffice)
  • CrashPlan Pro
  • Wuala
  • Vuze (a BitTorrent client)
  • Runescape
  • Minecraft

That’s not counting specialized applications used by banks, universities, and corporations that rely on Java. For instance, anyone who runs software from Oracle probably needs Java.

Disabling the Java plug-in in browsers

Internet Explorer

You can disable the Java plug-in in every major Web browser without removing Java from your system.

Internet Explorer

Disabling Java in Internet Explorer is unnecessarily difficult. The United States Computer Emergency Readiness Team (US-CERT) offers detailed instructions for (mostly) disabling Java in Internet Explorer; however, they are not for the non-technical or faint of heart. A safer recommendation is to remove Java entirely (if you don’t need it) or switch to a different browser (like Chrome or Firefox) if you do.

To remove Java from Windows, go to Control Panel then Programs, find “Java” in the program list, and click Uninstall.

Firefox

  1. Choose Tools > Add-ons (or, in Windows 7 and Vista, click the Firefox button and choose Add-ons).
  2. Select the Plug-ins tab
  3. Find the Java plug-in in the list (it’ll have a name like Java(tm) Platform SE with version numbers).
  4. Click Disable.

Google Chrome

  1. Type chrome://plug-ins into the location bar and press Enter
  2. Locate the Java plug-in
  3. Click the Disable link

Safari (Mac OS X and Windows)

  1. In Safari, go to Preferences > Security
  2. Uncheck the Enable Java checkbox

Opera

  1. Type opera:plug-ins into the location bar and press Enter
  2. Locate the Java plug-in and click Disable.

Other options

Mac OS X Java Preferences

This is all fine and dandy for folks who don’t need Java on their systems, or who never need to use a Java applet on a Web page. However, if your situation or job makes Java impossible to avoid, here are some other options:

Use a second browser solely for Java

If you absolutely must use Java in a browser, consider dedicating a browser specifically to that task, and use another browser for all your other Web tasks. If you’re on Windows, you could use Internet Explorer for your Java-specific site(s) or pages (since Java is so fiendishly difficult to disable in IE), but install and use something like Firefox or Chrome (with Java disabled) as your primary browser for everything else. Similarly, there’s no reason you can’t run (say) Safari and Chrome side-by-side, one just for your Java needs, and the other for everything else. Be sure to set the browser with Java disabled as your primary browser, so it’s what opens when you click a link in email or a friend’s Facebook page. This setup isn’t ideal, but with a little care it can insulate you from risk without ripping Java out of your system.

Mac OS X

In Mac OS X, you can prevent Java applets from loading in all your Web browsers. Go to Applications > Utilities > Java Preferences, select the General tab, and uncheck “Enable applet plug-in and Web Start applications.” (Note: if you don’t have Java installed on your Mac, opening Java Preferences will prompt you to install it. Click “Not Now” to exit.)

Mac OS X is unique in that it will automatically disable Java applets in all browsers if users go 35 days without loading one. It’s a security measure Apple introduced for Mac OS X 10.6.8 and later in the wake of the Flashback trojan.

Is Java’s time done?

Java isn’t going to be going away anytime soon. It’s still used by some mainstream desktop applications, as well as a number of specialized apps, particularly in science and medicine. Moreover, Java is very much a leading technology for server software and mobile phones. Although Apple’s iOS doesn’t rely on Java, Google’s Android certainly does, and there are even hundreds of millions of feature phones in the world running it.

However, Java’s days as a de facto part of every major operating system seem to be over. Mainstream operating systems have stopped including Java by default, offering it only as an optional add-on for folks who need it.

Perhaps the saddest thing is that, for all of Java’s potential, few mainstream computer users will notice when it’s gone.

Computing

It took Dell years to fix 1 problem on its best laptop. Here’s how it did it

The new Dell XPS 13 moves the webcam from the below the screen to the top, finally vanquishing the one obstacle facing thin, sleek laptop displays. We have the exclusive story on how it was done.
Computing

Open RAR files with the greatest of ease using these awesome applications

Few things are more bothersome than not being able to open a file when you need it most. Check out our quick guide about how to open RAR files in Windows and MacOS. We will walk you through the process, step by step.
Computing

Yes, you can use Android apps on your Chromebook. Here's how

You can now get Android apps on your Chromebook! Google has enabled the Google Play Store app support on its Chrome OS and Chromebook hardware, so to get you started, here's our guide on how to get Android apps on a Chromebook.
Home Theater

Want to mirror your smartphone or tablet onto your TV? Here's how

A vast arsenal of devices exists to allow sending anything on your mobile device to your TV. Our in-depth guide shows you how to mirror content from your smartphone or tablet to the big screen from virtually any device available.
Deals

From Samsung to HP, here are the best cheap Chromebook deals right now

Whether you want a compact laptop to enjoy some entertainment on the go, or you need a no-nonsense machine for school or work, we've smoked out the best cheap Chromebook deals -- from full-sized laptops to 2-in-1 convertibles -- with most…
Product Review

The Digital Storm Aventum X is an unstoppable gaming PC. Trust us, we tried

Packed with dual-Nvidia RTX 2080 Ti graphics card and a 9th-generation Intel Core i9 processor, the Aventum X is an infinitely upgradeable gaming PC that’s capable of far more performance than you’ll ever need.
Computing

‘Flexgate’ is the latest controversy plaguing some MacBook Pro owners

iFixit recently uncovered a new "Flexgate" issue with MacBook Pros after some consumers reported a "stage light" effect, where the backlighting on the device would fail and cause the bottom of the display to become slightly distorted.
Computing

Breeze through security with these checkpoint-friendly laptop bags

Getting through airport security is a drag, but your laptop bag shouldn’t be. Thankfully, these checkpoint-friendly laptop bags will get you and your gear to your destination with ease.
Computing

Ditch the backdrop from your photos with these handy tools

Need to know how to remove the background from an image? Here's how, whether you prefer to use a premium program like Photoshop or one of the many web-based alternatives currently in existence.
Computing

Think someone's leeching off your Wi-Fi connection? Here's how to find out

It's important to find out immediately if anyone is stealing your bandwidth. Here's how to tell if someone is stealing your Wi-Fi using a few simple tools, along with some suggestions on improving security.
Web

Google Chrome’s latest decision could prevent most ad-blockers from functioning

Google Chrome's newest change is cited as a step forward for speed and security, but could profoundly alter how the majority of ad-blocking extensions operate. The move potentially gives Google more control over which ads can be blocked.
Computing

Samsung permits peek at an eye-popping, 15-inch 4K OLED laptop display

Samsung is now preparing for the new OLED laptop trend and is providing a look at an eye-popping 15.6-inch 4K OLED panel that is expected to power larger premium laptops in the new year.
Music

Here's our head-to-head comparison of Pandora and Spotify

Which music streaming platform is best for you? We pit Spotify versus Pandora, two mighty streaming services with on-demand music and massive catalogs, comparing every facet of the two services to help you decide which is best.
Computing

Latest ransomware targets gamers with a malicious sophistication

The latest piece of ransomware, Anatova, has been discovered by the security team at McAfee. Employing a smart tactic to confuse users and able to clean its tracks as it evolves, this is one tough piece of ransomware.