(coincidentally in a story about getting viruses from Java)
Just as a PSA, if you have Java on your system, you need to either uninstall it, or at the very least, make sure it's disconnected from your web browser. Skip to the bottom for instructions or read on for the full story.
The past six months have shown Java to be the biggest security disaster in personal computing right now. Really, though, we've known this for a while now. A 2010 report by Microsoft showed that having Java was by far the most common reason users got malware on their computers:
|(via Ars Technica)|
But in the last six months in particular, we've seen an exceptional level of security incompetence from Oracle, the developers of Java. In late summer, a series of very bad vulnerabilities came to light. Oracle already knew about some of them, but didn't act on them until they became actively exploited by malware authors. And at the end of September, Oracle decided they weren't going to act on the latest discovered vulnerability until February.
Now, in January, we're seeing a total repeat of the free-for-all at the end of the summer. I can't confirm that the vulnerability that Oracle scheduled for February is one of those in the news recently, but regardless, there are plenty that are now being used by malware. And just like in September, Oracle released a security patch, only to see a new vulnerability pop up soon thereafter. As of this writing, even a fully up-to-date version of Java is vulnerable.
And the complete tragedy of this saga is that having Java installed as a browser plugin is useless. When is the last time you saw a Java applet in a webpage? Java applets are a dead technology, and for good reason. Do you remember how terrible they always were? Java applets are why I still recoil whenever I see the Java logo.
So unless you're one of the 0.1% of people who still use Java applets and can't live without a critical one, you lose nothing by removing it from your browser. Yet the majority of the public are unknowingly browsing around with a giant, exposed malware target in their browsers for no reason. Java desktop applications are also rare these days, so if you uninstall Java from your computer entirely, you'll likely never miss it. (Oh, and just to answer a widespread misconception, you don't need it for LibreOffice/OpenOffice anymore.) The benefit to uninstalling completely is that Java has a habit of sneaking itself back in your browser every time you update it, so removing Java entirely avoids that headache.
Anyway, enough talk. Time for action:
- To uninstall Java, which I recommend (but only if you're sure that you don't use any programs that rely on it):
Windows 7: Start Menu > Control Panel > Programs > Uninstall a Program (Programs and Features) > select any program with Java in the name > Uninstall
- To remove it from your browser, follow instructions at disable-java.com.
Firefox: Ctrl+Shift+A > Plugins > every plugin with "Java" in name > Disable
Chrome: Go to "chrome://plugins" (enter in address bar) > Java(TM) > Disable