US-CERT Alert (2013-01-10) : Disable Java for web browsers

Thanks for the info.

I've disabled java now and will watch over the next couple of days to see if I've lost any functional use of my browser.

I shut Java down in my browser this morning. Then found that I had lost the ability to navigate most of the sites I normally visit. Re-enabled Java.

that's the problem with just shutting JAVA down.

Just to be clear, the CERT alert is about Java, not JavaScript. They are very different things. A very small percentage of websites use Java. (JavaScript, on the other hand, is used by a rather large percentage of sites.)

My Firefox had automatically blocked it in Oct 2012.

I'm on Win 7. How do I disable Java?

As posted in the link from the OP, the latest Java (Version 7, Update 10) has a very easy way to disable Java. And for folks using earlier Java, an update to 7,10 is probably a good idea in and of itself. So far, I haven't come across any web sites that fail to run with Java disabled.

I disabled Java on three PC (Win7-64, Win7-32, and XP). On one PC, the option to disable all Java appeared as expected. On the other two for some reason, I had to find and run javacpl.exe to get to the Security tab allowing for the easy disabling feature.

Once again, thanks, VG.

Solution

Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

Check your current enabled Java, if installed:

http://java.com/en/download/installed.jsp

Disable Java:

http://java.com/en/download/help/disable_browser.xml

Install Java:

http://java.com/en/download/manual.jsp

Seems that I'm on Java 6 so I guess I should be okay.

Phil

http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java...

My Java didn't look like the one in the disable link.
I had Java 7 9 so I updated to Java 7 10 and I still don't have that.??

Ha, I had the same issue on two of my three PCs. Apparently, it's some kind of a bug that prevents it from being easily run from the java icon in Control Panel.

The solution is to run javacpl.exe (which is probably in your computer's C:\ProgramFiles\Java\jre7\bin folder).

Run this file and you should see the appropriate Security page allowing you to uncheck "Enable Java content in the browser" and this will disable java in all browsers on your computer.

My thanks to VersatileGuy for advising us and to CraigW for providing the links.

I am Running XP SP3 with Internet Explorer 8 and Firefox V 17.01.
I checked CraigW's link and it showed nothing was installed on either IE8 or Firefox
"Check your current enabled Java, if installed:
http://java.com/en/download/installed.jsp

To double check I ran a search on XP and the file
"javacpl.exe" was not present so it appears I'm OK.

Once you've disabled Java in all browsers, you can confirm it by clicking the big red "Verify Java version" button in:

http://java.com/en/download/installed.jsp

and receiving a message stating "No working Java was detected on your system. Install Java by clicking the button below."

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

Run a different browser than IE, such as Chrome or Firefox.

With Firefox, adding NoScript and AdBlock Plus lets you control java/javascript use by websites as well as cross-scripting and other attacks (NoScript), and filters out ads and other nasties (AdBlock Plus).

Are you saying that Verison 7 update 10 is ok?

Thanks for all the help

No, we're hearing that v7u10 is still to be disabled according to CERT and many tech web sites this week.

But besides the issue now present that brought this big warning, earlier versions of Java had other security issues--and for folks still using the older versions, these other older security issues remain.

In my life, CERT = Community Emergency Response Team.

Stupid government...

http://ask-leo.com/should_i_disable_java_and_if_so_how.html

Thanks.

Given what I've read there, rather than just disabling Java, I'm going to uninstall it and see how things work without it.

This worked.
How will we know when there is a fix for Java?
Thank you very much. Nice to have all of this information on here.

How do I disable (not uninstall) Java 6? The examples all show Java 7.

Phil

I took a look at my computer and played with the different links that are listed here. I wanted to see what I had and how correctly things were displayed.

The "check this version" states that there are no versions installed.

The Java control link in control panel shows I have version 7 update 10. That is confirmed in the add/ remove control panel. That makes no sense. I then unchecked the "disable in all browsers".

I also used a program called javara to get rid of all old versions. It will get rid of all old versions and keep the latest.
Javara is here: http://sourceforge.net/projects/javara/

Bottom line is that you may think you don't have any installed, but you are being lied to. I would also recommend you check in the add/remove programs.

This is on a XP pro with SP3.

Me too!

From the way I understand the article you can not disable any version of Java except the latest version, 7.10

You'd have to uninstall version 6, install version 7.10 then disable java.

http://www.pcworld.com/article/2025171/oracle-says-java-upda...

That's good news. I have seen some blog posts saying that Oracle intended to release a patch sometime in mid-February. Maybe the US-CERT advisory and the attendant publicity got them moving a bit faster.

I'm afraid that I must accept some of the blame since I was sloppy in choosing the original title for this thread. US-CERT is run by DHS. The CERT Program is run by the Software Engineering Program at CMU.

CAM? ITS.

("Clear As Mud? I Thought So.")

Thanks, soberbyker, that's exactly the precise answer I was looking for.

Phil

Government needs an agency to oversee acronyms to prevent duplication/confusion.

What would be even better would be multiple overlapping agencies, e.g., one in each of...

- the Department of Commerce,

- the Department of Homeland Security,

- the Department of Defense (man, they would have a field day!)

- etc.

...and they could all be coordinated by the Department of Redundancy Department.

When using acronyms I try to always follow one with its full definition the first time it is used. Other wise I get confused myself.

Java SE 7 Update 11 is available on the Java website and addresses the security vulnerability.

Java SE 7 Update 11 Released:
https://blogs.oracle.com/java/entry/java_vulnerabilities_add...

It's good to know there's now a fix.

But for now, I've uninstalled my Java and haven't seen anything not working, so I won't install the new version unless I find that I need it.

I tried looking but didn't find any list. Does anyone know what common web sites or software requires Java (not javascript) to work?

I'm also trying to remember--does Java pretty much come on Windows PCs or did I think I needed it and therefore manually installed it to my PCs at some point in the distant past?

I am very reluctant to follow any advice given by your "Homeland" agency.

I have yet to see any adverse effects on my laptop, but then I am using "Firefox" and NOT Internet Explorer.

They also advise against travel to and into Mexico. I, as well as hundreds of thousands people spend their winters or vacations in Mexico without any incidents.
I have been in Mexico since October the 29th.

There's a list of "Popular sites using Java" at...

http://w3techs.com/technologies/details/pl-java/all/all

...but that list includes LinkedIn.com and PayPal.com -- both of which I use -- so I don't fully believe it. It may be that those sites used to use Java, or perhaps they have specific features that can use Java if it is available, but it certainly doesn't seem to be an absolute requirement.

Plain installs of Windows do not include Java. IIRC, years ago Microsoft used to bundle its own version of Java with IE but (mercifully) that stopped.

Beware

Suit yourself, I guess. BTW, it's not my "'Homeland' agency"; I'm a Canadian too.

The U.S. Department of State (not DHS) has issued warnings about travel to certain areas of Mexico, but so has the Government of Canada. Some parts of Mexico are very dangerous places right now.

NOT TRUE! It only addresses two of the many vulnerabilities, and experts still advise removing Java from your system despite this update:
http://www.msnbc.msn.com/id/50453720#.UPQRZoaKWSo

One effective way to remove all versions of Java from your system is to go to Control Panel in Start and Add or Remove Programs and nuke each version of Java from there.

Then open each web browser you use and go to http://javatester.org/version.html and make sure it does not show Java as still working.

Thanks. I agree with you. I routinely use three sites listed as Popular sites using Java and all work fine with Java fully uninstalled.

Rev 11 is out today.

New stuff from Oracle on Java, but as others have said, if you don't need it, don't install it.

Also an update from Microsoft fixing some current issues with one of their programs, explorer or some such.

We would love to go to Mexico again some day but have been told not to.
Where in Mexico do you go and how safe is it?
Thanks

I use e-bay a lot. I went to my account and see everything.
Has anyone tried to buy somehting since they disabled Java and did it work?

Also logged into Pay pal and it worked also.

It should be fixed soon, too bad SUN MS doesn't see the need to rush so who knows. IE is always going to be a target, I rarely use it. Stick with Firefox or Chrome.

If you have a problem installing 7u11, uninstall (using add/remove programs) the old JavaFX. It's obsolete and useless and interferes with the new plugin installation.