Future Tense

No, Seriously, Just Disable Java in Your Browser Right Now

Java applet message

The annoyance of this occasional notification on websites that use Java is nothing compared to the misery of a malware infection, say security experts.

Screenshot / Javagame.net

The last time hackers found a hole in Java’s browser plugin so bad that it sparked a warning from Homeland Security—which was less than five months ago, mind you—I wrote that you should “probably disable Java on your browser right now.” If you read that post and took action, then you were free to breathe easy this past weekend, when yet another critical Java zero-day vulnerability left hundreds of millions of Internet users potentially vulnerable to malware attacks. If you didn’t, well, now’s your chance.

The latest security flaws, which were widely publicized last week, once again gave cyber-crooks the ability to use Java applications to take control of your computer if you visited a hacked website. Oracle—which inherited Java when it bought Sun Microsystems in 2010—issued an emergency update on Sunday that attempts to patch the holes.

That might sound like a prompt response, until you consider that security researchers allegedly notified the company about the bug months ago. Or that the patch apparently leaves in place weaknesses that criminals could still exploit. Or that this is just the latest in a long string of Java problems that have made the language the overwhelming top choice for software-based computer hacks. According to Reuters, the security firm Kaspersky Lab estimates that Java was used in 50 percent of all attacks in which hackers broke into computers by exploiting software bugs.

So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you’re one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.

As noted before, disabling the Java plug-in on your Web browser doesn’t require uninstalling it from your machine entirely, and it won’t prevent you from Java-based software outside of your Web browser. It just means that you’ll see an image like the screenshot above when you happen to visit one of the relatively few remaining websites that use Java applets. If you find you really need it for some sites, you can always disable it in your main browser but keep it enabled in a secondary browser that you use just for those sites.

Basic instructions for unplugging Java from your browser are below, and more comprehensive how-tos are available here and here. Note: Do not confuse Java with Javascript, which is unrelated and is essential to the proper functioning of far more websites. Disable Java, but leave Javascript enabled. If you have more questions, the blog Krebs on Security has an excellent FAQ here. (No, you aren’t necessarily safe just because you don’t visit sketchy websites, or because you’re using Linux or a Mac.)

Lest you think disabling Java in your browser is too extreme a step, consider that both Apple and Mozilla responded to the latest vulnerability by essentially doing just that. You can do the same. It’s easy. And next time everyone is freaking out about a new Java hack, the only decision you’ll face is whether to nod sympathetically or smugly.

To unplug Java:

  • In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
  • In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
  • In Chrome, type or copy “Chrome://Plugins” into your browser’s address bar, then click the “Disable” button below any Java plug-ins.
  • In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

Ryan Gallagher has more on zero-day exploits, how they work, and what could be done about them in a new Future Tense article available here.