Java: How to fix your biggest Internet security risk

April 23, 2007: The Java logo is shown at Sun Microsystems' offices in Menlo Park, Calif. (AP)

The weekly -- sometimes daily -- security scares that occur with the Java programming language are starting to remind me of the old whack-a-mole arcade game.

Researchers or hackers discover a major flaw in Java. Java's developer, Oracle, whacks it with a patch. Another mole pops up. Oracle whacks it with a patch. Many experts say Oracle is losing this game, or isn’t trying very hard to win. And computer users are paying the price. 

When a vulnerable version of Java is active in a Web browser, visiting a compromised website is all it takes for crooks to sneak malware onto your computer. In most cases, you won't even know the site is compromised until it's too late.

Here's how to stay safe: Stop using Java -- or stay on top of the upgrades and use Java a lot more guardedly.

I'm going to help you do just that.

But first: What the heck is Java, and why is it capable of scalding your computer?

First developed back in 1995, Java became ubiquitous almost overnight because it allowed programmers to write one program and use it on Windows, Apple OS X and other operating systems.

Today, Internet browsers use Java for interactive Web content, such as popular online games. Computers use it to run useful programs such as the free Office alternative LibreOffice, and Adobe Creative Suite. And Java is pre-installed on most new systems. It's estimated that Java is running on 850 million computers around the world.

It's no wonder Java is a major target for hackers. It doesn't help that users frequently don't know it's installed and run outdated versions.

Java's security holes woke up Apple users last year when more than 600,000 Macs became infected with the Flashback malware that targeted Java.

Since then, moles have kept popping up through other holes. In response to the most recent exploit, the Department of Homeland Security a couple of weeks ago recommended that all Internet users disable Java in their browsers.

Apple and Mozilla have turned off Java plug-ins automatically in the latest editions of the browsers Safari and Firefox, respectively. But it doesn’t hurt to double-check that Java is turned off.

Fortunately, the latest version of Java has a one-click button just for that purpose. That's handy because disabling it manually was a hassle, especially in Internet Explorer.

First, make sure you have the most recent version of Java from Oracle's site. The latest release as of this writing is Version 7 Update 11.

To bring up Java's new security settings, go to Start>Computer and type "javacpl.exe" in the search bar.

If it doesn't appear, you may have to find it manually. Go to Start>Computer and open your Local Disk (C:). Go to Program Files (x86)>Java>jre7>bin and scroll down until you see "javacpl.exe". On 32-bit computers, the file is in Program Files>Java>jre7>bin.

Run javacpl.exe to load Java's control panel and select the Security tab. Uncheck the box that says "Enable Java content in the browser." Then restart any browsers you have running.

Mac users can find the setting by going to System Preferences and clicking on the Java icon -- it looks like a steaming cup of coffee.

This will disable Java in your browser, but still let you use it for desktop programs.

Warning: If you do head into your browser settings to check that Java is disabled, you might see something called JavaScript. Don’t disable JavaScript! It's a different animal and has no security issues.

Although it's safer to run Java for a desktop program, it's best to get it off your machine if you don't need it.

In Windows, go to Start>Control Panel and click the Uninstall a program link. Find Java on the list of programs -- you might see multiple installations of Java 6 and 7 -- and uninstall any versions you see.

In OS X 10.7 and 10.8, go to Macintosh HD/Library/Java/JavaVirtualMachines/ and remove the 1.7.0.jdk file. Older versions of OS X might be running Java 6.

Even if you're keeping Java, you want to make sure you only have the latest version installed. Older versions leave your system vulnerable. Follow the steps above to remove the older versions.
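If you'd rather not hunt through folders by hand, here is a small Python script, added as an example and not part of the original column, that looks in the install folders named above and flags any Java copy older than Version 7 Update 11. It assumes each Java folder carries a `release` file with a `JAVA_VERSION` line or has the update number in its folder name; the function names are made up for this example.

```python
import re
from pathlib import Path

# Baseline from the article: Version 7 Update 11, i.e. version string 1.7.0_11.
BASELINE = (7, 11)

# Install folders named in the article (64-bit Windows, 32-bit Windows, OS X).
DEFAULT_ROOTS = [
    Path(r"C:\Program Files (x86)\Java"),
    Path(r"C:\Program Files\Java"),
    Path("/Library/Java/JavaVirtualMachines"),
]

VERSION_RE = re.compile(r"1\.(\d+)\.\d+(?:_(\d+))?")

def parse_version(text):
    """Return (major, update) from a string such as '1.7.0_11', else None."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def installed_version(home):
    """Read JAVA_VERSION from the 'release' file (assumed present); else use the name."""
    for release in (home / "release", home / "Contents" / "Home" / "release"):
        if release.is_file():
            for line in release.read_text(errors="replace").splitlines():
                if line.startswith("JAVA_VERSION="):
                    return parse_version(line)
    # Names such as "jre7" or "1.7.0.jdk" carry no update number, so only
    # trust a folder name that includes one (for example "jre1.6.0_38").
    return parse_version(home.name) if "_" in home.name else None

def audit(roots=DEFAULT_ROOTS, baseline=BASELINE):
    """Return (path, version, status) for every Java folder found under roots."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        for home in sorted(p for p in root.iterdir() if p.is_dir()):
            version = installed_version(home)
            if version is None:
                status = "unknown version, check manually"
            elif version < baseline:
                status = "outdated, remove"
            else:
                status = "at or above baseline"
            findings.append((str(home), version, status))
    return findings

if __name__ == "__main__":
    for path, version, status in audit():
        print(f"{path}: {version} -> {status}")
```

The script only reports what it finds; removing a flagged copy is still done through the uninstall steps above.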

If you need Java for a website or two that you know are absolutely trustworthy, you can enable Java briefly using the security control panel and then disable it again. Just make sure you stay on the trustworthy site while Java is enabled.

Copyright 2013, WestStar Multimedia Entertainment. All rights reserved.

Kim Komando hosts the nation's largest talk radio show about consumer electronics, computers and the Internet. To get the podcast, watch the show or find the station nearest you, visit: http://www.komando.com/listen. To subscribe to Kim's free email newsletters, sign up at: http://www.komando.com/newsletters.