Future Tense

Why You Should Probably Disable Java on Your Browser Right Now

Java founder James Gosling at Oracle conference

Sun Microsystems chairman and co-founder Scott McNealy (left) shakes hands with Java founder James Gosling at the 2009 Oracle Open World conference in San Francisco.

Photo by Justin Sullivan/Getty Images

UPDATE, Thursday, Aug. 30, 4:16 p.m.: Oracle has issued a new version of Java that it says fixes the vulnerabilities described below. For more, see my new post here.

Original post: Hackers have found a flaw in Oracle’s Java software that allows them to break into users’ computers and install nasty malware, security experts report. The attack, first spotted on Sunday by researchers at the security firm FireEye, is what security types call a “zero-day” threat, exploiting a previously unknown vulnerability for which there is currently no fix available.

The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks, but just about anyone who uses Java on the Internet is at risk, especially since the attack has been added to the Internet’s most popular hacking kit, BlackHole.

Given the potential seriousness and pervasiveness of the attacks—and Oracle’s reputation for being slow on the draw in response to Java vulnerabilities—experts say that everyday Internet users should probably just disable Java entirely. Like, right now.

“Java has been the most exploited program for well over a year now and it simply isn’t worth the risk,” Chet Wisniewski of the security firm Sophos told me in an email. “I would recommend removing Java entirely, if you can.”

That’s not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says. Sadly, it does mean that my old favorite Java game, Voodoo Bowl, is out of the question.

UPDATE, Wednesday, Aug. 29, 11:12 a.m.: Several readers have asked how exactly one goes about disabling Java. In most cases, you don’t actually have to uninstall it from your operating system—you can just disable it in the main browsers that you use. The procedure is slightly different for each browser, but it’s actually pretty simple for all of them except Internet Explorer. (One important note: Java should not be confused with Javascript. Disabling Javascript will result in a bunch of websites not working properly, and it won’t do anything to address this threat.) Here are the basics for disabling Java:

  • In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
  • In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
  • In Google Chrome, type “Chrome://Plugins” in your browser’s address bar, then click the “Disable” button below any Java plug-ins.

If you’re an Internet Explorer user, the process is a bit more complex. The blog Krebs on Security summarizes a procedure that “may or may not work.” Alternatively, you could uninstall Java from your system, provided you don’t need it for some particular application or website that’s important to you.

My brief instructions above may not work for everyone, so for more specifics and for links to pages that detail Java-disabling procedures for various browsers, see this post from the United States Computer Emergency Readiness Team. For those who can’t live without Java, Wisniewski’s blog post at Naked Security offers a few other suggestions.

One final point: This flaw does not appear to affect the previous version of Java (Version 6, a.k.a. 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.