Java is a nearly-ubiquitous technology that has played an important role in the development of the Internet and cross-platform applications. It has offered a mature, net-savvy development framework for everything from high-end server applications and desktop applications (like OpenOffice) to mobile phones and interactive applications embedded in Web pages.
However, in recent months Java has come under fire. Java was once a fundamental technology included with almost every computer; however, Apple stopped shipping Java by default on new Macs almost two years ago, most Linux distributions don’t include Java by default, and even the latest versions of Windows don’t come with a stock Java installation. Why? Because, despite being a mature cross-platform technology, Java never really took off for desktop applications.
Worse, Java’s stature has been further cut down by a series of high-profile security exploits: the Mac-specific Flashback trojan relied on Java to spread itself, and (after months of apparent foot-dragging) database giant Oracle has just released a new Java update to patch multiple vulnerabilities currently being exploited by cybercriminals. Most recently, Java may also have been an attack vector in the 12 million iPhone and iPad device identifiers allegedly stolen from an FBI agent’s notebook earlier this year.
Is it time for everyday computer users to finally say goodbye to Java on their systems? How is that done? And what about people who have a legitimate need to use Java?
Nature of the beast
The Java situation is complicated — and is made more complicated by terminology. The security issues making headlines this week concern only a small part of the broader Java universe: It’s important not to paint with broad strokes and label everything related to Java as a massive security risk.
First, there’s confusion about what exactly is Java. Java is a programming language, like BASIC, Pascal, C, and C# (originally from Microsoft, now an open standard) and Apple’s Objective C. Programmers use Java to write programs, just like they’d use any other language. Java has actually been around more than 20 years, although it first started getting a lot of attention in 1995 when Sun released its first Java platform. Java is hardly a new kid on the block.
The idea behind Java was to create a high-level language with no platform-specific implementation dependencies. Rather than compiling to native code (say, for Windows, Mac OS or Unix) Java compiles to “bytecode” that runs on virtual machines. All JVMs are designed to run the same Java bytecode the same way, regardless of platform. That means a programmer can write a Java application that program should run on any platform with a compatible Java virtual machine. Voilà The Holy Grail of modern computing: a program that runs the same on every platform.
To put a Java application (or applet, as they’re called) into a Web browser, you need a third item: a Java browser plug-in. Like other plug-ins, a Java browser plug-in executes within a Web browser application and generally acts like an intermediary between the Java virtual machine available on the computer and the Java code on a website. Java plug-ins run applets in a security “sandbox” that’s supposed to prevent applets from doing anything harmful on a user’s system. However, the Java VM is a complicated system, plug-ins can be complicated, and Web browsers are enormously complicated. The interaction of these three Java components plus Web browser applications can have security implications — and that’s where we’re seeing the current spate of problems.
Notice what’s not a part of Java? JavaScript. Despite the unfortunate name similarity, the JavaScript client-side scripting engines built into modern Web browsers have nothing to do with Java. JavaScript has had its own share of security gaffes over the years, but turning off JavaScript will do nothing to protect users from security issues in Java — and vice versa.
Unplugging versus uninstalling
Complex modern software applications can have security issues at any step along the way. Java applications aren’t immune to security problems any more than applications written in other languages. No matter what language an application was written in, you need to hope that the developer updates its software promptly to close off security holes when they’re found. As development platforms and frameworks go, Java is actually in relatively good shape on the security front: After all, it’s had the better part of two decades to get its act together.
However, the so-called “drive-by” exploits involving Java that can compromise a person’s computer just by automatically loading a Java applet on a website rely on the Java plug-in. Plug-ins have long been popular targets of malware authors: Adobe’s Flash and Acrobat Reader plug-ins are also very common sources of security issues.
The good news is that these drive-by exploits can all be foiled by disabling the Java plug-in in your browser — no need to uninstall the Java runtime (or virtual machine). That’s handy if you do Java development or use one of the mainstream applications that do rely on the Java runtime:
- Adobe Creative Suite 5.5 and 6
- OpenOffice (and descendants like LibreOffice)
- CrashPlan Pro
- Wuala
- Vuze (a BitTorrent client)
- Runescape
- Minecraft
That’s not counting specialized applications used by banks, universities, and corporations that rely on Java. For instance, anyone who runs software from Oracle probably needs Java.
Disabling the Java plug-in in browsers
You can disable the Java plug-in in every major Web browser without removing Java from your system.
Internet Explorer
Disabling Java in Internet Explorer is unnecessarily difficult. The United States Computer Emergency Readiness Team (US-CERT) offers detailed instructions for (mostly) disabling Java in Internet Explorer; however, they are not for the non-technical or faint of heart. A safer recommendation is to remove Java entirely (if you don’t need it) or switch to a different browser (like Chrome or Firefox) if you do.
To remove Java from Windows, go to Control Panel then Programs, find “Java” in the program list, and click Uninstall.
Firefox
- Choose Tools > Add-ons (or, in Windows 7 and Vista, click the Firefox button and choose Add-ons).
- Select the Plug-ins tab
- Find the Java plug-in in the list (it’ll have a name like Java(tm) Platform SE with version numbers).
- Click Disable.
Google Chrome
- Type
chrome://plug-ins
into the location bar and press Enter - Locate the Java plug-in
- Click the Disable link
Safari (Mac OS X and Windows)
- In Safari, go to Preferences > Security
- Uncheck the Enable Java checkbox
Opera
- Type
opera:plug-ins
into the location bar and press Enter - Locate the Java plug-in and click Disable.
Other options
This is all fine and dandy for folks who don’t need Java on their systems, or who never need to use a Java applet on a Web page. However, if your situation or job makes Java impossible to avoid, here are some other options:
Use a second browser solely for Java
If you absolutely must use Java in a browser, consider dedicating a browser specifically to that task, and use another browser for all your other Web tasks. If you’re on Windows, you could use Internet Explorer for your Java-specific site(s) or pages (since Java is so fiendishly difficult to disable in IE), but install and use something like Firefox or Chrome (with Java disabled) as your primary browser for everything else. Similarly, there’s no reason you can’t run (say) Safari and Chrome side-by-side, one just for your Java needs, and the other for everything else. Be sure to set the browser with Java disabled as your primary browser, so it’s what opens when you click a link in email or a friend’s Facebook page. This setup isn’t ideal, but with a little care it can insulate you from risk without ripping Java out of your system.
Mac OS X
In Mac OS X, you can prevent Java applets from loading in all your Web browsers. Go to Applications > Utilities > Java Preferences, select the General tab, and uncheck “Enable applet plug-in and Web Start applications.” (Note: if you don’t have Java installed on your Mac, opening Java Preferences will prompt you to install it. Click “Not Now” to exit.)
Mac OS X is unique in that it will automatically disable Java applets in all browsers if users go 35 days without loading one. It’s a security measure Apple introduced for Mac OS X 10.6.8 and later in the wake of the Flashback trojan.
Is Java’s time done?
Java isn’t going to be going away anytime soon. It’s still used by some mainstream desktop applications, as well as a number of specialized apps, particularly in science and medicine. Moreover, Java is very much a leading technology for server software and mobile phones. Although Apple’s iOS doesn’t rely on Java, Google’s Android certainly does, and there are even hundreds of millions of feature phones in the world running it.
However, Java’s days as a de facto part of every major operating system seem to be over. Mainstream operating systems have stopped including Java by default, offering it only as an optional add-on for folks who need it.
Perhaps the saddest thing is that, for all of Java’s potential, few mainstream computer users will notice when it’s gone.