Critical Java Security Risk Requires Immediate Action

by on January 13, 2013
in Computers and Software, News, Computer Safety & Support, Blog :: 68 comments


Security experts have identified a serious security flaw in Java that allows hackers to execute almost any type of malicious activity on affected computers, whether Windows, OS X or Linux. Worse, this flaw was identified because it has already been integrated into commonly used commercial hacking software.

According to the Computer Emergency Response Team at Carnegie Mellon University:

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

We are recommending that everyone, whether you use a Mac or Windows PC, follow the steps below to protect yourself immediately.

UPDATE 1/14/13: Oracle released a patch, Java Version 7 Update 11, to address the security hole and change the default security setting in Java to "High", requiring users to confirm an applet is safe before running. However, our advice remains the same—all users should disable or uninstall Java as soon as possible unless you require it to run a specific application. Java has been a constant source of security exploits and there is no guarantee that the current fix actually fixes the problem (this issue was supposed to have been fixed with a patch released back in August). And, while the security setting change is welcome, many users are too accustomed to hitting the "confirm" button to run applications without really considering the potential risk, or they may easily be tricked into thinking an application is safe when it really is not.

Who is impacted by the Java security flaw?

Anyone who has Java Version 7 installed is vulnerable to being exploited. According to Oracle, the makers of Java, Java is installed on as many as 850 million personal computers worldwide.

Some reports have suggested that earlier versions of Java may be impacted as well. However, the well-respected security expert Brian Krebs says this is not the case. Until this question is resolved, it is safest to assume that all versions of Java could be vulnerable.

Java is used to run various types of local and web applications, and many of us may have knowingly or unknowingly installed it at some point in the past. Because Java is its own separate application used by programmers for cross-platform compatibility, the flaw affects all major operating systems and all browsers. (Note the risk here is specifically with "Java", not the more commonly used "JavaScript", which is a completely different application.)

Some sites have suggested that Mac users may be protected with a security update Apple released on Friday to block Java applets. However, if you do not have automatic updates turned on or the fix turns out not to be complete, you may still be at risk.

Victims can be infected when they visit a compromised website and load a malicious Java applet. Depending on your browser settings, you may or may not see the option to block the applet before loading. Since any website with poor security can be compromised by hackers, don't assume that a site is safe just because it is "legitimate."

How do I know if Java is installed on my Computer?

Follow this link to check if Java is installed on your PC and what version you have.

UPDATE 1/14/13: We have determined that this method from Oracle is not reliable. It may tell you that you do not have Java on your computer even if you have the plug-in installed on your browser. The most certain way to determine if you have Java is to follow the steps below to check for the plug-in in your browser.
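An added example, not part of the original article or any Oracle tooling: a short Python sketch that sorts entries from an installed-programs list by whether they include the Java 7 Update 11 fix mentioned in the update above. The entry names are constructed sample input modelled on names readers quote in the comments on this page, and the function names are hypothetical.

```python
import re

# Assumption: entries look like the installed-programs names quoted on this
# page, e.g. "Java 7 Update 11" or "Java(TM) 7 Update 4(64-bit)".
# JDK entries and bundled copies inside other products are out of scope.
_NAME_RE = re.compile(
    r"^Java\s*(?:\(TM\))?\s*(?P<major>\d+)(?:\s+Update\s+(?P<update>\d+))?",
    re.IGNORECASE,
)

FIXED_MAJOR = 7
FIXED_UPDATE = 11  # Java Version 7 Update 11, per the article's 1/14/13 update


def parse_java_entry(display_name):
    """Return (major, update) for a Java runtime entry, or None otherwise."""
    m = _NAME_RE.match(display_name.strip())
    if not m:
        return None
    # An entry with no "Update N" suffix is treated as update 0.
    return int(m.group("major")), int(m.group("update") or 0)


def classify(display_name):
    """Label one installed-programs entry."""
    parsed = parse_java_entry(display_name)
    if parsed is None:
        return "not-java"
    major, update = parsed
    if major == FIXED_MAJOR:
        return "has-update-11-fix" if update >= FIXED_UPDATE else "vulnerable"
    # The article advises assuming other versions could be vulnerable too.
    return "unknown"


def needs_action(program_names):
    """Entries to uninstall or update; catches an old copy left beside a new one."""
    return sorted(
        name for name in program_names
        if classify(name) in ("vulnerable", "unknown")
    )


# Constructed sample list (not real scan output).
SAMPLE = [
    "Java 7 Update 11",
    "Java(TM) 7 Update 4(64-bit)",
    "Java (TM) 6 Update 37",
    "Adobe Reader 11",
    "JavaScript Tools",
]

if __name__ == "__main__":
    for entry in needs_action(SAMPLE):
        print(entry, "->", classify(entry))
```

An entry labelled `has-update-11-fix` only means the installed copy is at or past that update; the browser plug-in still has to be checked separately as described below.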

I have anti-malware software, am I safe?

The answer to this question is not clear. Even if you have anti-malware software installed on your PC, we recommend following the steps to disable Java below.

How to disable or uninstall Java

The easiest and most certain way to protect yourself is simply to uninstall Java, as you would any other program. If you don't need Java, and most people do not, this is the safest course. If you encounter a program in the future that requires Java to run, you will be prompted to reinstall it, and you can decide whether or not to do so.

UPDATE 1/14/13: Uninstalling Java may not remove the plug-in from your browser. After the uninstall, we recommend you check your individual browser settings as outlined below, as well.

For Windows users, the latest version of Java, Version 7 Update 10, also allows you to disable Java in all of your browsers through the Java Control Panel. Find the Java icon from within the Windows Control Panel, go to the Security tab and uncheck "Enable Java content in the browser".

Disable Java from the control panel

Mac users and Windows users with earlier versions of Java who wish to disable Java should follow the instructions below for individual browsers.

Internet Explorer

  • Click on the Tools dropdown menu, then Manage Add-ons.
  • Find the Java Plug-in under Toolbars and Extensions (it's listed under Oracle America), highlight it and click Disable.

Chrome

  • Click on the Chrome menu, and then select Settings
  • At the bottom of Settings window, click Show advanced settings
  • Scroll down to the Privacy section and click on Content Settings
  • In the Content Settings panel, scroll to the Plug-ins section and click Disable individual plug-ins.
  • Find the Java plugin and click Disable

Firefox

  • Click on the Firefox tab and then select Add-ons
  • Select Plugins, find "Java (TM) Platform plugin" and click Disable (as of 1/11/13, Firefox has automatically disabled the Java plugin, but you should check to verify this has been done for your browser).

Safari

  • Choose Safari Preferences
  • Choose the Security option and uncheck Enable Java

What if I need to use Java?

Use of Java on websites is becoming more rare and most users will never need to use it. However, there are certain applications that do require Java (such as the online trading app I use for Schwab). If you need to use Java, you can set your Java security settings to require a prompt before running any Java apps. You can do this through the custom security setting from within the Security tab in the Java Control Panel.

Alternatively, you can turn off Java in your standard browser (e.g., Chrome), but keep it turned on in an alternative browser (e.g., Firefox) that you only use to access those sites where Java is required.

 



First of all, thank you

From JeannieN298 on January 18, 2013 :: 1:45 am

First of all, thank you for such a quick response on my question with using Java to print grocery coupons. But, how do I use a separate browser with Java enabled to ONLY browse sites that I know are safe but require Java?

Reply

You're welcome

From Josh Kirschner on January 18, 2013 :: 2:22 am

Use your favorite browser (e.g., Firefox) for normal browsing with the Java plug-in disabled. When you want to print coupons, open up another browser (e.g., Chrome or IE) with the Java plug-in enabled.

Alternatively, you can go in and re-enable the Java plug-in when you want to print coupons. Just remember to disable it again when you’re done!

Or, if you really trust yourself and want the least hassle, keep the plug-in enabled but make sure the security settings are on high so that you are prompted whenever a site wants to run Java, and only click “Yes” on sites you trust. I would test the prompting mechanism first on the coupon site to make sure it works properly in your browser (i.e., it prompts you before running). And I’m not 100% certain that there isn’t malware that could get around that restriction.

Reply

Thank you so so much.

From JeannieN298 on January 18, 2013 :: 3:38 am

Thank you so so much.  I will do the separate browser. I have only used Internet Explorer in the past so now I will only do coupons on Safari to which I will have Java installed.  I don’t have Firefox listed in my Programs. One more question…you seem to like Firefox more than Internet Explorer, agree? If yes, is there a way I can install this on my ASUS pc?

Reply

More a matter of personal preference

From Josh Kirschner on January 23, 2013 :: 9:26 pm

Actually, my usual browser is Chrome. It’s easy to download and install Firefox or Chrome to your computer from https://www.google.com/intl/en/chrome/browser/ or http://www.mozilla.org/en-US/firefox/new-b/?utm_expid=65789850-8.

Safari would actually be my last choice of the four.

Reply

More Than 1 Java Update?

From Boris C. on January 21, 2013 :: 5:16 pm

Thanks for informing about Java and risks associated. I have just checked my installed programs and noticed that I have 2 Java versions installed:

“Java 7 Update 11” and “Java(TM) 7 Update 4(64-bit)”

Does that mean I can delete older version or better not touch anything here?

Reply

Not sure why you're seeing that

From Josh Kirschner on January 23, 2013 :: 9:30 pm

You shouldn’t have two versions. Though perhaps you installed the 32-bit version of Update 11 and, for whatever reason, that wouldn’t remove the earlier 64-bit version. I would uninstall the earlier one and, if you have issues, uninstall them both and then reinstall Update 11.

Reply

What about Java programs? not browsers

From Natanz Loetawan on January 23, 2013 :: 6:13 am

What about non-browser programs that use Java, like jdownloader and games?

Reply

Disable in browser, but don't uninstall

From Josh Kirschner on January 23, 2013 :: 9:32 pm

If you need Java to run local programs, don’t uninstall it, just disable it in the browser. There’s likely no security risk from having it installed on your PC just for local apps.

Reply

JDownloader

From Frobie on January 25, 2013 :: 5:59 pm

I find the only time I need Java is running the Windows application JDownloader. It requires Java to run apparently although it is easy enough to uninstall Java and reinstall it whenever JDownloader is needed.

Reply

can't uninstall java

From Luke Thornton on May 14, 2013 :: 5:38 pm

I have Windows 7.  Went to Control Panel, found Java, clicked uninstall.  Waited and waited while it tried to uninstall… looked like it went through but still have Java listed in the programs list.  I disabled the Java in Firefox and Explorer.  Can you help?

Reply

Try restart?

From Josh Kirschner on May 15, 2013 :: 8:31 am

It may be that the system requires a restart to completely remove it. Try that and see what happens. It’s also possible to have multiple versions of Java installed. So go back to the programs list and try uninstalling again.

In any case, having Java on your computer isn’t where the big risk lies - it’s having it enabled in your browsers. So if you’re having trouble doing a full uninstall, I wouldn’t worry too much as long as you have it disabled in Firefox and IE.

Reply

Java for coupon printer

From Susan Middleton on May 25, 2013 :: 7:24 am

I have Windows XP & use Internet Explorer 8 as my regular browser.  My system won’t support IE9.  Under Manage Add-On’s the following 4 items are listed under Sun Microsystems Inc.:
SSVHelper Class
Java(tm)Plug-in 2 SSV Helper
JQSIEStartDetectorImpl Class
Sun Java Console
Do I Disable all 4 of these or can I Delete all 4?

For whatever reason (I have been unable to figure it out), I have been repeatedly unsuccessful at downloading coupon printers to IE.  They did download to Firefox.  So, I use Firefox to print coupons.  It is the only time I use Firefox.  From reading previous comments, I see Smartsource requires Java to print coupons.
Since I only use Firefox to print coupons, do I need to make any adjustments here?

In my Control Panel/Add or Remove Programs, Java (TM) 6 Update 37 is listed.
Do I Remove this version and while I have Firefox open, download the newest version?
As you can tell, I am not computer savvy.  Any help will be greatly appreciated.  Thank you.

Reply

It's a little tricky

From Josh Kirschner on May 27, 2013 :: 9:57 am

IE works differently than other browsers for disabling Java. Instead of doing it through IE, you’ll need to do it in the Java control panel.

Open the Java control panel and launch the Java applet (if you can’t find it, click the Start button and search for it in the search box). Click the “Advanced” tab and expand the item “Default Java for browsers”. Un-check the boxes for Microsoft Internet Explorer.

You should be fine on Firefox if that’s all you use it for.

Reply

Update required?

From Marv A on May 31, 2013 :: 3:16 pm

My Java Control panel shows version 7 Update 9.  I do not show the “Enable Java content in the browser” option on the security tab.  Do I need to update to update 10?  Where and how do I do this?
I have disabled the Java Development Toolkit 7.0.90.5 10.9.2.5 found in my Firefox and have also disabled it in IE.
I am running Win 8.

Reply

Yes, that's an old version

From Josh Kirschner on May 31, 2013 :: 3:26 pm

Java version 7 update 9 is an old, insecure version of Java that is vulnerable to the security flaws described in this article.

The latest version is update 21, so you should update your Java immediately. You can do that here: http://java.com/en/download/index.jsp

You may want to consider uninstalling Java entirely if you don’t need it. It’s not a safe program to have on your PC if it’s not being kept up to date.

Reply

Will not uninstall

From Marvin Adler on May 31, 2013 :: 6:16 pm

When I went to Control Panel and tried to uninstall the two programs shown, nothing happens.  Is a special utility needed to remove the program?

Reply

A bug with some versions of Java

From Josh Kirschner on May 31, 2013 :: 6:49 pm

Others have reported similar issues with Java. There is a third-party program people recommend for uninstalling programs called Revo Uninstaller that you can download here: http://www.revouninstaller.com/revo_uninstaller_free_download.html.

I haven’t used this program, but it seems to be pretty commonly recommended in forums on this issue.

Search found 10300 'Java' files

From Judy on June 05, 2013 :: 12:54 am

Search found 300 + files ‘java’ on my computer and that was without searching hidden files.

Many programs included Java, like Quick Time, ATI Technologies, Avast, HP, Adobe Reader11, Service Pack Files/i386, C:\Windows\Java.

Yet I cannot find it on the Program Files list or in the Add Remove program list.

So How do I delete, remove the Java program?  Will the programs mentioned above that have Java integrated still work if I am able to uninstall it?  Please help!
Thank you. Judy

Reply
