Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

author photo

Critical Java Security Risk Requires Immediate Action

by on January 13, 2013
in Computers and Software, News, Computer Safety & Support, Blog :: 68 comments

Techlicious editors independently review products. To help support our mission, we may earn affiliate commissions from links contained on this page.

Security experts have identified a serious security flaw in Java that allows hackers to execute almost any type of malicious activity on affected computers, whether Windows, OSX or Linux. Worse, this flaw was identified because it has already been integrated into commonly used commercial hacking software.

According to the Computer Emergency Response Team at Carnegie Mellon University:

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

We are recommending that everyone, whether you use a Mac or Windows PC, follow the steps below to protect yourself immediately.

UPDATE 1/14/13: Oracle released a patch, Java Version 7 Update 11, to address the security hole and change the default security setting in Java to "High", requiring users to confirm an applet is safe before running. However, our advice remains the same—all users should disable or uninstall Java as soon as possible unless you require it to run a specific application. Java has been a constant source of security exploits and there is no guarantee that the current fix actually fixes the problem (this issue was supposed to have been fixed with a patch released back in August). And, while the security setting change is welcome, many users are too accustomed to hitting the "confirm" button to run applications without really considering the potential risk, or they may easily be tricked into thinking an application is safe when it really is not.

Who is impacted by the Java security flaw?

Anyone who has Java Version 7 installed is vulnerable to being exploited. According to Oracle, the makers of Java, Java is installed on as many as 850 million personal computers worldwide.

Some reports have suggested that earlier versions of Java may be impacted as well. However, the well-respected security expert Brian Krebs says this is not the case. Until this question is resolved, it is safest to assume that all versions of Java could be vulnerable.

Java is used to run various types of local and web applications, and many of us may have knowingly or unknowingly installed it at some point in the past. Because Java is its own separate application used by programmers for cross-platform compatibility, the flaw affects all major operating systems and all browsers. (Note the risk here is specifically with "Java", not the more commonly used "Javascript", which is a completely different application.)

Some sites have suggested that Mac users may be protected with a security update Apple released on Friday to block Java applets. However, if you do not have automatic updates turned on or the fix turns out not to be complete, you may still be at risk.

Victims can be infected when they visit a compromised website and load a malicious Java applet. Depending on your browser settings, you may or may not see the option to block the applet before loading. Since any website with poor security can be compromised by hackers, don't assume that a site is safe just because it is "legitimate."

How do I know if Java is installed on my Computer?

Follow this link to check if Java is installed on your PC and what version you have.

UPDATE 1/14/13: We have determined that this method from Oracle is not reliable. It may tell you that you do not have Java on your computer even if you have the plug-in installed on your browser. The most certain may to determine if you have Java is to follow the steps below to check for the plug-in in your browser.

I have anti-malware software, am I safe?

The answer to this question is not clear. Even if you have anti-malware software installed on your PC, we recommend following the steps to disable Java below.

How to disable or uninstall Java

The easiest and most certain way to protect yourself is simply to uninstall Java, as you would any other other program. If you don't need Java, and most people do not, this is the safest course. If you encounter a program in the future that requires Java to run, you will be prompted to reinstall it, and you can decide whether or not to do so.

UPDATE 1/14/13: Uninstalling Java may not remove the plug-in from your browser. After the uninstall, we recommend you check your individual browser settings as outlined below, as well.

For Windows users, the latest version of Java, Version 7 Update 10, also allows you to disable Java in all of your browsers through the Java Control Panel. Find the Java icon from within the Windows Control Panel, go to the Security Tab and uncheck "Enable Java content in the browser"

Disable Java from the control panel

Mac users and Windows users with earlier versions of Java who wish to disable Java should follow the instructions below for individual browsers.

Internet Explorer

  • Click on the Tools dropdown menu, then Manage Add-ons.
  • Find the Java Plug-in under Toolbars and Extensions (it's listed under Oracle America), highlight it and click Disable.

Chrome

  • Click on the Chrome menu, and then select Settings
  • At the bottom of Settings window, click Show advanced settings
  • Scroll down to the Privacy section and click on Content Settings
  • In the Content Settings panel, scroll to the Plug-ins section and click Disable individual plug-ins.
  • Find the Java plugin and click Disable

Firefox

  • Click on the Firefox tab and then select Add-ons
  • Select Plugins, find "Java (TM) Platform plugin" and click Disable (a of 1/11/13, Firefox has automatically disabled the Java plugin, but you should check to verify this has been done for your browser).

Safari

  • Choose Safari Preferences
  • Choose the Security option and uncheck Enable Java

What if I need to use Java?

Java custom security settingsUse of Java on websites is becoming more rare and most users will never need to use it. However, there are certain applications that do require Java (such as the online trading app I use for Schwab). If you need to use Java, you can set your Java security settings to require a prompt before running any Java apps. You can do this through the custom security setting from within the Security tab in the Java Control Panel.

Alternatively, you can turn off Java in your standard browser (e.g., Chrome), but keep it turned on in an alternative browser (e.g., Firefox) that you only use to access those sites where Java is required.

 


Discussion loading

javascript?

From Michelle Gauvin on January 14, 2013 :: 11:24 am

do i need to disable javascript also?

Reply

You do not have to

From Suzanne Kantra on January 14, 2013 :: 11:37 am

You do not have to disable Javascript, just Java.

Reply

thanks!

From Michelle Gauvin on January 14, 2013 :: 11:53 am

thanks for the great article and the quick reply!

Reply

Techlicious is a Lifesaver

From Gloria on January 18, 2013 :: 1:31 pm

Thanks so much for keeping us all updated!

I am not a computer geek whatsoever and the information I receive from the newsletter is so very valuable to me! I have learned so very much!

Thanks so very much! You ROCK!

Reply

Java 6

From Ladykale on January 14, 2013 :: 11:43 am

I checked and have Java 6 installed. Is the problem only with Java 7 or should I uninstall Java 6 as well?

Reply

You should uninstall Java 6, too

From Josh Kirschner on January 14, 2013 :: 11:55 am

While it appears that this issue only affects Java 7 (though there has been some back and forth on that), it makes sense to uninstall Java 6, as well. Oracle will not continue patching Java 6 and future security issues discovered in Java 6 will leave you at risk.

So, unless there is some reason why you need to keep Java on your computer, it is safest just to uninstall it. If you find that you need it in the future, it’s easy to reinstall.

Reply

Please see our updated note

From Josh Kirschner on January 14, 2013 :: 12:07 pm

Please see our updated note regarding checking your browser plugins after uninstall, as well.

Reply

Did it, but can't use email accts!

From Betsy on January 14, 2013 :: 11:50 am

Hey there, great article, and I received the head’s up a few days ago. Trouble is, with Jave disabled I can’t use my email accounts. Any thoughts?

Reply

What email are you using?

From Josh Kirschner on January 14, 2013 :: 12:04 pm

Hi Betsy,

What email are your using and how are you accessing it? I can confirm that Gmail and Yahoo Mail work fine without it.

Best,
Josh

Reply

Thank you, Suzanne! We

From Jan on January 14, 2013 :: 11:58 am

Thank you, Suzanne!  We really appreciate the warning and will disable Java on all our computers.  One question though…we have an ipad that is on our home network.  Do Apple products need this same treatment?

Reply

Your iPad should be fine

From Josh Kirschner on January 14, 2013 :: 12:14 pm

iOS products, such as your iPad or iPhone, do not have the Java plugin and will not be impacted by this type of security issue. Apple Macs, however, are impacted and should be protected as outlined in our article above.

Reply

Thank you, Josh!

From Jan on January 14, 2013 :: 1:33 pm

I will pass the info along to my son, who has a Mac and to my son in law, whose graphics business uses All Apple computers.

With much appreciation….

Reply

I re-enabled javascript, but...

From Betsy on January 14, 2013 :: 12:18 pm

Thanks Suzanne and Josh for clarifying about javascript, which is the culprit for not letting google and yahoo function properly. I did a computer search for java and came up with nothing other than Javavisualizer, so I’m hoping I just don’t have it.

Does that sound right?

Reply

Check your browser plugins

From Josh Kirschner on January 14, 2013 :: 12:41 pm

The safest thing to do is check your browser plug-ins as outlined at the bottom of the article. It appears that the other methods I outlined originally are not reliable.

Reply

This really gets confusing...

From Walter Boomsma on January 14, 2013 :: 12:29 pm

I used the link to see if Java was installed… it wanted to install Java Run Time Environment, but also said no working Java was found on my system. I did not allow the installation requested… so I’m hoping that not installing the requested Java didn’t give me a false positive. This stuff really makes my head hurt!

Reply

It makes my head hurt,

From Josh Kirschner on January 14, 2013 :: 12:44 pm

It makes my head hurt, too! Unfortunately, we just discovered the Java install link can give you a false negative. But if it is asking you to install the Java Run Time Environment, you at least have the plug-in disabled. But the safest thing to do is check your browser plug-ins as outlined at the bottom of the article.

Reply

update your method of checking browser on W7

From james on June 02, 2013 :: 12:04 am

Your instructions don’t apply to w7. Please update. Also I think I deleted the wrong Java because its was by Microsystems not oracle. How can install again?

Reply

Java

From Patricia K. Smith on January 14, 2013 :: 12:37 pm

Bare with me..What are the specific reasons that I might need Java?

Reply

There are specific applications you

From Josh Kirschner on January 14, 2013 :: 1:04 pm

There are specific applications you may encounter on the Web that require Java. For instance, Schwab’s online trading application requires Java. Some businesses also use internal applications that require Java. If you don’t have Java installed on your system and you try to access one of these applications, you’ll get a message saying you’re missing the plug-in and need to install it.

So, if you’re not sure, the safest thing to do is disable it and then re-enable it only if you need it. If you do need to have it enabled, make sure to install the latest version and keep the security settings on high.

Reply

Jave

From Patricia K. Smith on January 14, 2013 :: 1:38 pm

Thanks for the info.

Reply

Java

From Patricia on January 14, 2013 :: 1:21 pm

Thank you.  I heard about this and could not seem to follow the instructions provided by other groups.  Techlicious makes it so easy to follow along and do what needs to be done.  Keep up the great work.

Reply

Thanks. Just went into the

From Greg on January 14, 2013 :: 3:15 pm

Thanks. Just went into the settings on my smartphone and disabled Java.

Reply

Are you sure your didn't disable "Javascript"?

From Josh Kirschner on January 14, 2013 :: 6:28 pm

I’m not aware of a setting on smartphones to disable Java. Where did you see that? There is a setting to disable “Javascript”, which is something completely different.

Reply

Disabled Java in smartphone

From Greg on January 14, 2013 :: 3:18 pm

Thanks. I made sure to go into settings and disable Java there too!

Reply

Java

From John Hopkins on January 14, 2013 :: 4:05 pm

In response to the recent advice regarding Java I downloaded the latest update and now I can not get Java to work on Google Chrome. Works after a bit of tweaking on Internet Explorer. Not impressed by the update !!

Reply

Try restarting Chrome

From Josh Kirschner on January 14, 2013 :: 6:30 pm

Try closing out Chrome and going back in and see if that works. If it doesn’t, can you describe the problem in more detail?

Reply

Help - I use Java daily for online games

From Lydia Montana on January 14, 2013 :: 4:08 pm

Help - I play online games daily, most all require
Java to run. I currently have an older version, Java 6, that I use in Chrome, & Firefox. I have Windows XP, with Norton Internet Security & Malware Bytes AntiMalware Pro installed. What do you suggest ?

Reply

First of all, I would

From Josh Kirschner on January 14, 2013 :: 6:39 pm

First of all, I would recommend upgrading to Windows 7 grin. Microsoft hasn’t been supporting XP for some time with security or any other updates.

On the Java front, you should upgrade to the latest release for the same reason. Oracle will not be supporting older versions of Java with security releases, leaving you potentially exposed.

The new version of Java will also default your security settings to “High”, so you are prompted before a Java program is able to execute in your browser. You can say “Yes” to sites you trust and “No” on sites you don’t. But be careful - online games and game downloads are one of the most popular entry places for hackers.

It’s difficult to say whether our anti-malware protection would stop a future Java exploit or not, so better to err on the side of caution. BTW, running Norton and Malwarebytes Pro at the same time could cause conflicts for you. Running one of two should be fine for malware protection.

Reply

No Support?

From Carroll Woodell on January 14, 2013 :: 9:06 pm

I too still use Windows XP.  The last security update I received was installed 5 days ago.  According to the MS web site security support for XP will continue until 8 Apr 2014.  However, I do believe I saw somewhere that they were only supporting SP3.

http://windows.microsoft.com/en-US/windows/end-support-help

Reply

You are correct

From Josh Kirschner on January 14, 2013 :: 9:20 pm

XP SP3 is still supported through April, 2014. Support for earlier service packs has ended. Apologies for the confusion.

Java - Restarting Chrome

From John Hopkins on January 14, 2013 :: 7:50 pm

Thanks for responding. I have uninstalled previous versions of Java, after a system restore to a known good configuration, and have downloaded Java (latest version) again. Have also uninstalled and re-installed Chrome. Also have disabled and enabled Java in the list of plug-ins for Chrome. Still does not work on Chrome but ok on IE.

Reply

Is there a specific error

From Josh Kirschner on January 14, 2013 :: 9:32 pm

Is there a specific error message that you’re seeing? I am able to install fine on Chrome. If you type this “chrome://plugins/” in the Chrome url bar, is the Java plug-in listed and is it enabled?

Reply

Java

From MARJ on January 14, 2013 :: 10:12 pm

I found I need Java for Wordle.

Reply

Java - Chrome

From John Hopkins on January 15, 2013 :: 6:39 am

Java(TM) - Version: 10.11.2.21
NPRuntime Script Plug-in Library for Java(TM) Deploy
Name:  Java Deployment Toolkit 7.0.110.21
Description:  NPRuntime Script Plug-in Library for Java(TM) Deploy
Version:  10.11.2.21
Location:  C:\Windows\SysWOW64\npDeployJava1.dll
Type:  NPAPI
    Disable
MIME types: 
MIME type   Description   File extensions
application/java-deployment-toolkit    
Disable   Always allowed

Thanks again for responding. Java appears in the list of plug ins. However when I try to load a web site which requires Java Chrome invites me to intall the Java plug in as it is ‘missing’.

Reply

What operating system are you running?

From Josh Kirschner on January 15, 2013 :: 1:31 pm

Windows or iOS? Which version (e.g, Windows 7 32-bit)?

Reply

Java

From John Hopkins on January 15, 2013 :: 1:41 pm

Hi. I am running Windows 7 64bit. I have installed both 32bit and 64bit versions of Java (as suggested on the Java website). It still asks me to install the plug in but it is obviously present on my computer and supposedly enabled.

One more idea...

From Josh Kirschner on January 15, 2013 :: 5:09 pm

You’ve tried most of the things I would have done, but see if this helps:

1) Go to the Java control panel (Click on the Start button, type Java in the search box and click on the icon to open the Control Panel)
2) In the Java Control Panel, under the General tab, click Settings under the Temporary Internet Files section.
3) Click Delete Files on the Temporary Files Settings dialog.
4) In the Delete Temporary Files dialog box, check all the boxes and click Ok.

Once that is done, restart Chrome and try again (it may ask if you want to reinstall the plug-in, so say “yes”).

Thanks to Krystal Mccollum for this solution found here: http://productforums.google.com/forum/#!topic/chrome/aIhTVjsJOkE

Reply

Re One more idea

From John Hopkins on January 15, 2013 :: 6:43 pm

Thank you for your efforts in trying to solve this problem. I have tried the above with no success. I guess I’ll just have to live with having Java only on IE. The only other idea that I have is to go back to a system restore point prior to the recent Windows Updates and start again with a clean install of Java. Wont do any harm anyway.

more Java

From Chris on January 15, 2013 :: 12:28 pm

I just got a notice from Java to install ‘justcheck,exe.’ Now what?

Reply

Can you confirm the spelling?

From Josh Kirschner on January 15, 2013 :: 1:38 pm

jucheck.exe is the Java updater program. However, there is also some malware that uses similar names, including justcheck.exe.

What exactly were you doing when that message popped up?

Reply

re More Java

From Chris on January 15, 2013 :: 3:07 pm

I was loading Firefox, and the message box popped up. You are right, it actually says jucheck.exe. But with the Java issues, should I run it, or ignore it? Thanks for your reply! smile

Reply

Probably fine

From Josh Kirschner on January 15, 2013 :: 4:52 pm

Most likely that is just the Java update program. If not, your anti-malware program should pick it up or you could download Malwarebytes from malwarebytes.org to give your system a scan (which is always a good idea to do, anyhow).

Firefox

From Aileen on January 16, 2013 :: 3:03 pm

Hello,
I did what was instructed for Firefox on my Mac but there was no “Add-ons” when I clicked on Firefox. I did go to “Tools”, “Add-ons”, then disabled “Java Applet Plug-in”.  I’m not sure if that’s the same thing?

Reply

Yes, that's correct

From Josh Kirschner on January 17, 2013 :: 11:42 am

Disabling the Java Applet Plug-in will disable java in Firefox.

Reply

Smartsource.com and Java

From JeannieN298 on January 17, 2013 :: 12:02 am

I would like to print grocery coupons from Smartsource.com but I am told I must download Jave.  Here is the message I received:

Java not installed
Browser-MS Int Exp 9
OS-Windows 7
Java/JRE Version-Java not detected
Supported Version-1.6.0_24

You must have Java installed in order to print your coupon(s). Click “Get Java” below to download and install the required version.
Our free coupon print applet requires that a secure version of Java is installed on your computer.Click the red Get Java button to install the recommended version of Oracle’s Java Client.
Click the button below to download and install the latest version of the Official Java Client. For a step by step walkthrough of the Java installation click the bar below.

Reply

That's not good

From Josh Kirschner on January 17, 2013 :: 11:48 am

They must be using Java to create custom coupons that allow them to manage and track what is printed. But as a business decision, requiring Java is not a good ideas, since more and more people will have it disabled on their computers. Hopefully, sites like these will act quickly to create new versions that don’t require Java.

In the meantime, you can do what we suggest and use a separate browser with Java enabled to ONLY browse sites that you know are safe but require Java.

Reply

The same?

From Kevin F on January 17, 2013 :: 12:21 pm

In Internet Explorer under manage add-on’s the Java plug-in’s are listed under Sun Microsystem’s Inc., not Oracle. Are these the same?

Reply

Yes, but old version

From Josh Kirschner on January 17, 2013 :: 3:54 pm

Oracle bought Sun a few years ago, so if you see the plug-in listed under Sun, you probably have a pretty old version. You definitely want to disable that.

Reply

Confused

From Lynda on January 17, 2013 :: 9:14 pm

Hello - I’m using Windows 7 Home Premium. Clicked on link to check and it says: Your Java version: Version 6 Update 37 and there’s a link to update to Java 7. Do I update?

Reply

Update orr uninatall/disable

From Josh Kirschner on January 18, 2013 :: 1:19 am

You have an old version of Java and, if you’re going to continue using it, you should update to the newest to ensure you stay current with future security releases.

However, if you don’t need Java, uninstall it and make sure that to disable it in your browsers if the uninstall didn’t remove it.

Reply

Read More Comments: 1 2

Love getting helpful tech tips? Subscribe to our free newsletter!

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.