Is it time to say goodbye to Java?

cyber attack

Java is a nearly-ubiquitous technology that has played an important role in the development of the Internet and cross-platform applications. It has offered a mature, net-savvy development framework for everything from high-end server applications and desktop applications (like OpenOffice) to mobile phones and interactive applications embedded in Web pages.

However, in recent months Java has come under fire. Java was once a fundamental technology included with almost every computer; however, Apple stopped shipping Java by default on new Macs almost two years ago, most Linux distributions don’t include Java by default, and even the latest versions of Windows don’t come with a stock Java installation. Why? Because, despite being a mature cross-platform technology, Java never really took off for desktop applications.

Worse, Java’s stature has been further cut down by a series of high-profile security exploits: the Mac-specific Flashback trojan relied on Java to spread itself, and (after months of apparent foot-dragging) database giant Oracle has just released a new Java update to patch multiple vulnerabilities currently being exploited by cybercriminals. Most recently, Java may also have been an attack vector in the 12 million iPhone and iPad device identifiers allegedly stolen from an FBI agent’s notebook earlier this year.

Is it time for everyday computer users to finally say goodbye to Java on their systems? How is that done? And what about people who have a legitimate need to use Java?

Nature of the beast

Java Logo

The Java situation is complicated — and is made more complicated by terminology. The security issues making headlines this week concern only a small part of the broader Java universe: It’s important not to paint with broad strokes and label everything related to Java as a massive security risk.

First, there’s confusion about what exactly is Java. Java is a programming language, like BASIC, Pascal, C, and C# (originally from Microsoft, now an open standard) and Apple’s Objective C. Programmers use Java to write programs, just like they’d use any other language. Java has actually been around more than 20 years, although it first started getting a lot of attention in 1995 when Sun released its first Java platform. Java is hardly a new kid on the block.

The idea behind Java was to create a high-level language with no platform-specific implementation dependencies. Rather than compiling to native code (say, for Windows, Mac OS or Unix) Java compiles to “bytecode” that runs on virtual machines. All JVMs are designed to run the same Java bytecode the same way, regardless of platform. That means a programmer can write a Java application that program should run on any platform with a compatible Java virtual machine. Voilà The Holy Grail of modern computing: a program that runs the same on every platform.

To put a Java application (or applet, as they’re called) into a Web browser, you need a third item: a Java browser plug-in. Like other plug-ins, a Java browser plug-in executes within a Web browser application and generally acts like an intermediary between the Java virtual machine available on the computer and the Java code on a website. Java plug-ins run applets in a security “sandbox” that’s supposed to prevent applets from doing anything harmful on a user’s system. However, the Java VM is a complicated system, plug-ins can be complicated, and Web browsers are enormously complicated. The interaction of these three Java components plus Web browser applications can have security implications — and that’s where we’re seeing the current spate of problems.

Notice what’s not a part of Java? JavaScript. Despite the unfortunate name similarity, the JavaScript client-side scripting engines built into modern Web browsers have nothing to do with Java. JavaScript has had its own share of security gaffes over the years, but turning off JavaScript will do nothing to protect users from security issues in Java — and vice versa.

Unplugging versus uninstalling

hacker keyboard

Complex modern software applications can have security issues at any step along the way. Java applications aren’t immune to security problems any more than applications written in other languages. No matter what language an application was written in, you need to hope that the developer updates its software promptly to close off security holes when they’re found. As development platforms and frameworks go, Java is actually in relatively good shape on the security front: After all, it’s had the better part of two decades to get its act together.

However, the so-called “drive-by” exploits involving Java that can compromise a person’s computer just by automatically loading a Java applet on a website rely on the Java plug-in. Plug-ins have long been popular targets of malware authors: Adobe’s Flash and Acrobat Reader plug-ins are also very common sources of security issues.

The good news is that these drive-by exploits can all be foiled by disabling the Java plug-in in your browser — no need to uninstall the Java runtime (or virtual machine). That’s handy if you do Java development or use one of the mainstream applications that do rely on the Java runtime:

  • Adobe Creative Suite 5.5 and 6
  • OpenOffice (and descendants like LibreOffice)
  • CrashPlan Pro
  • Wuala
  • Vuze (a BitTorrent client)
  • Runescape
  • Minecraft

That’s not counting specialized applications used by banks, universities, and corporations that rely on Java. For instance, anyone who runs software from Oracle probably needs Java.

Disabling the Java plug-in in browsers

Internet Explorer

You can disable the Java plug-in in every major Web browser without removing Java from your system.

Internet Explorer

Disabling Java in Internet Explorer is unnecessarily difficult. The United States Computer Emergency Readiness Team (US-CERT) offers detailed instructions for (mostly) disabling Java in Internet Explorer; however, they are not for the non-technical or faint of heart. A safer recommendation is to remove Java entirely (if you don’t need it) or switch to a different browser (like Chrome or Firefox) if you do.

To remove Java from Windows, go to Control Panel then Programs, find “Java” in the program list, and click Uninstall.

Firefox

  1. Choose Tools > Add-ons (or, in Windows 7 and Vista, click the Firefox button and choose Add-ons).
  2. Select the Plug-ins tab
  3. Find the Java plug-in in the list (it’ll have a name like Java(tm) Platform SE with version numbers).
  4. Click Disable.

Google Chrome

  1. Type chrome://plug-ins into the location bar and press Enter
  2. Locate the Java plug-in
  3. Click the Disable link

Safari (Mac OS X and Windows)

  1. In Safari, go to Preferences > Security
  2. Uncheck the Enable Java checkbox

Opera

  1. Type opera:plug-ins into the location bar and press Enter
  2. Locate the Java plug-in and click Disable.

Other options

Mac OS X Java Preferences

This is all fine and dandy for folks who don’t need Java on their systems, or who never need to use a Java applet on a Web page. However, if your situation or job makes Java impossible to avoid, here are some other options:

Use a second browser solely for Java

If you absolutely must use Java in a browser, consider dedicating a browser specifically to that task, and use another browser for all your other Web tasks. If you’re on Windows, you could use Internet Explorer for your Java-specific site(s) or pages (since Java is so fiendishly difficult to disable in IE), but install and use something like Firefox or Chrome (with Java disabled) as your primary browser for everything else. Similarly, there’s no reason you can’t run (say) Safari and Chrome side-by-side, one just for your Java needs, and the other for everything else. Be sure to set the browser with Java disabled as your primary browser, so it’s what opens when you click a link in email or a friend’s Facebook page. This setup isn’t ideal, but with a little care it can insulate you from risk without ripping Java out of your system.

Mac OS X

In Mac OS X, you can prevent Java applets from loading in all your Web browsers. Go to Applications > Utilities > Java Preferences, select the General tab, and uncheck “Enable applet plug-in and Web Start applications.” (Note: if you don’t have Java installed on your Mac, opening Java Preferences will prompt you to install it. Click “Not Now” to exit.)

Mac OS X is unique in that it will automatically disable Java applets in all browsers if users go 35 days without loading one. It’s a security measure Apple introduced for Mac OS X 10.6.8 and later in the wake of the Flashback trojan.

Is Java’s time done?

Java isn’t going to be going away anytime soon. It’s still used by some mainstream desktop applications, as well as a number of specialized apps, particularly in science and medicine. Moreover, Java is very much a leading technology for server software and mobile phones. Although Apple’s iOS doesn’t rely on Java, Google’s Android certainly does, and there are even hundreds of millions of feature phones in the world running it.

However, Java’s days as a de facto part of every major operating system seem to be over. Mainstream operating systems have stopped including Java by default, offering it only as an optional add-on for folks who need it.

Perhaps the saddest thing is that, for all of Java’s potential, few mainstream computer users will notice when it’s gone.

Computing

Turn your iPad into a display for your new Mac Mini with this workaround

The folks at Luna Display have figured out a workaround which lets you get the best of both worlds and use Wi-Fi and an adapter in order to turn your iPad into a display for the 2018 Mac Mini.
Computing

Here’s how to install Windows on a Chromebook

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so, just in case you're looking to nab some Windows-only…
Computing

A dead pixel doesn't mean a dead display. Here's how to repair it

Dead pixel got you down? We don't blame you. Check out our guide on how to fix a dead pixel and save yourself that costly screen replacement, or an unwanted trip to your local repair shop.
Computing

Will Chrome remain our favorite web browser with the arrival of newest version?

Choosing a web browser for surfing the web can be tough with all the great options available. Here we pit the latest versions of Chrome, Opera, Firefox, Edge, and Vivaldi against one another to find the best browsers for most users.
Mobile

Keep on clicking with the 10 best browsers for Android

Browsing the web on an Android device should not be a pain. Check out our picks for the best browsers for Android, so you can surf the web with greater ease and access a trove of unique features.
Computing

Latest SMS breach could allow hackers access to your online accounts

A new security breach that exposed more than 26 million text messages could be a huge nightmare for users relying on two-factor authentication. Many of the SMS on the database contained security codes and account reset links.
Computing

Microsoft’s Windows 10 Mail client goes freemium with the introduction of ads

Microsoft Windows Insiders are finding a nasty surprise inside the Mail app on the latest Windows 10 preview build in the form of banner ads. These ads will appear in the Mail app regardless of the webmail service you use.
Computing

All the best Apple MacBook deals for Black Friday 2018

Shoppers looking for a new Apple laptop could find huge savings on a new MacBook come Black Friday. Retailers are offering discounts as much as $650 on select MacBook, MacBook Air, and MacBook Pro models this holiday season.
Computing

Apple discontinues AirPort Extreme, Time Capsule as it exits Wi-Fi router business

Apple is now officially no longer in the router business. The company had already stopped selling the AirPort Express, and now its retail stores and websites have stopped offering the AirPort Extreme and Time Capsule.
Computing

Secure your Excel documents with a password by following these quick steps

Excel documents are used by people and businesses all over the world. Given how often they contain sensitive information, it makes sense to keep them from the wrong eyes. Thankfully, it's easy to secure them with a password.
Computing

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.
Computing

PDF to JPG conversion is quick and easy using these simple methods

Converting file formats can be an absolute pain, but it doesn't have to be. We've put together a comprehensive guide on how to convert a PDF to JPG, no matter which operating system you're running.
Computing

Crypto hangover could take blame for Nvidia’s potential GeForce RTX 2060 delay

Nvidia's delay in announcing a ship date for its GeForce RTX 2060 GPU could be due to a burst in the cryptocurrency mining bubble. Executives blamed the crypto hangover for an oversupply of inventory on existing GTX 1060 cards,
Computing

Save $900 on the ThinkPad X1 Carbon and more with Lenovo’s Cyber Monday sales

In the latest set of holiday sales, Lenovo is heavily discounting its fifth-generation ThinkPad X1 Carbon and other popular Windows laptops and 2-in-1s for the holiday shopping season.