Sun Oracle has been giving us a few reasons to get rid of the Java Runtime Environment (JRE) from end-user machines for a while now.
I’ve been struggling with this decision, as I need Java for my favourite mind mapping software but I don’t want it to be used against me by Internet criminals.
My initial reaction was to remove Java completely and just keep the installation package around, for whenever I needed to do mind mapping. This soon got ridiculously cumbersome, so I’m now on to the next model:
Keep Java for local use, but disable Java for the browsers.
This still allows local applications to use Java, but stops Web-borne remote exploits from being delivered to my machines.
First of all: Get the latest Java
First things first. Always ensure you run the latest software. Visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that you have the latest version (currently 1.6.0_24)
If you haven’t got the latest version, download and install it from http://www.java.com/
Then verify that auto-update it turned on and frequent enough. For Windows users, go to Control Panel -> Java. Switch to the “Update” tab of the window that comes up and then click the “Advanced…” button. This should show you something like this:
The default is to check for updates once a month, which is a bit pathetic. Change this to weekly at the very least, or daily if you’re serious about your computer’s security:
Then click “OK” to save & close this dialog and “OK” again to save & close the Java settings window.
Now, onto the browsers:
Go to Tools -> Add-ons and you see something similar to this:
Click on “Disable” for both Java extensions, to get this result:
Don’t restart Firefox just yet! Now, onto the “Plugins” tab of the same window:
Click on both Java entries and on the corresponding “Disable” button of each entry, until the window looks like this:
Now it’s time to hit that “Restart Firefox” button in the Add-ons window to restart your browser.
After you’ve restarted, visit http://java.com/en/download/installed.jsp?detect=jre&try=1 with Firefox to verify that Java is disabled.
You should get the following result:
Congratulations – Java has been disabled in Firefox!
Note: Some people may point out that using the NoScript plugin achieves the same goal in a more elegant way – i.e. it allows one to selectively allow the execution of Java code in Firefox. The problem here is that NoScript works on the premise that websites you trust will not deliver malicious code to your machine. Unfortunately there are reports that claim that up to 75% of websites serving malicious code are legitimate websites that have been compromised. Add to that the fact that malicious code can be delivered to your machine through ads served from trusted domains like google.com and yahoo.com.
The only way of protecting against this headache is really to keep all browser plugins updated and disable the ones you don’t absolutely need. Java is not the only culprit here, Adobe’s PDF reader and Flash plugin, as well as Microsoft’s DirectShow and Media Player are also repeat offenders.
If you’re forced to use Internet Explorer (e .g. because some luminary in your organisation had the brilliant idea that the “free” SharePoint server was a good developing platform for your corporate websites…), follow these steps:
First, make sure you have the latest version of the browser. Microsoft itself is begging people to stop using IE6, as it’s an open window for remote control of your machine by criminals. Download and install the latest version of IE.
Now, let’s disable Java in Internet Explorer:
Go to the menu “Tools” -> “Manage add-ons”.
(this example is from IE version 8 on Windows XP, your version might be slightly different)
In the “Manage add-ons” window, select “Show add-ons” on the left hand side pull-down menu:
Now you can see all Java add-ons listed. Select each of them with a single click and hit the “Disable” button:
The final result should look like this: (all Java add-ons disabled)
Now click the “Close” button on the bottom right and close your browser.
Annoyingly, I’ve found it necessary to also disable the Java plugin from the Java Control Center – as disabling it from IE only seems to not be enough…
Go to Control Panel -> Java and then to the “Advanced” tab. Make sure the options look like below:
Save & close with “OK” – you will get a popup similar to this:
Click OK and then fire up Internet Explorer to visit http://java.com/en/download/installed.jsp?detect=jre&try=1 to verify that Java cannot be executed in IE.
You should get one or more of the following popups:
(this means you disabled the add-on in IE but not in the Control Panel. Unfortunately this seems to result in Java code somehow getting executed regardless!)
(surreal web page, telling you both that Java *is* and *isn’t* working, but there you have it)
If you’ve disabled everything appropriately you should see the following:
Clicking “OK” will eventually land you in this page:
…which is lying to you. You don’t have an old version of Java. You just have a disabled installation.
If you need to use Java for local applications, that’s the best place to be.
Otherwise, if you’re tired with all this faffing about, just uninstall Java completely to get it over with and have one less thing to worry about.