Slaying the Java Beast

As you’ve probably heard by now, Java’s insecurity has been a vector for hackers’ to exploit and gain access to your computer through specially crafted malware that can hijack control over your machine. Even the Department of Homeland Security’s CERT team strongly recommends that consumers disable java on their computers.

While removing Java from your computer entirely may be one way to go, many require Java to run certain applications locally (which is fairly safe), the real problem lies in the browser itself — leaving the door open for “bad guys” to enter your system.

So how does one go about ‘slamming the door’ on these Java beasts? Here’s what I suggest:

Step 1: Which version of Java are you running? The easiest way to do this is through the Java control panel. Start by bringing up the Windows Control Panel (in Windows XP and Windows 7, choose Start, Control Panel; in Windows 8, right-click in the lower-left corner of the screen and choose Control Panel). If you see a Java icon, click on it. If you don’t see a Java icon (or link), in the upper-right corner, type Java. If you then see a Java icon, click on it.

Unfortunately, there’s a bug in at least one of the recent Java installers that keeps the Java icon from being displayed inside Windows Control Panel. If you can’t find the Java icon, go to C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin and double-click on the file called javacpl.exe. One way or another, you should now see the Java Control Panel.

Step 2: Update to the latest version of Java, version 7 update 11. In the Java Control Panel, under About, click the About button. The About Java dialog shows you the version number; if you’ve patched Java in the past few months, it’s likely Version 7 Update 9, 10, or 11. (Don’t be surprised if Java says that it’s set to update automatically, but doesn’t. I’ve seen that on several of my machines.) If you don’t have Java 7 Update 11, go to Java’s download site, and install the latest update. You have to restart your browser for the new Java version to kick in. Personally, I also reboot Windows.

Warning: Oracle, bless its pointed little pointy thingies, frequently tries to install additional garbage on your machine when you use its update site. Watch what you click.

Step 3: Disable the Java Runtime in all browsers. From the Java Control Panel, click or tap on the Security tab, then deselect the box marked Enable Java Content in the Browser. Click or tap OK, and restart your browsers (or better yet, reboot). From that point on, the Java Runtime should be disabled in all of your browsers, all of the time. To bring Java back, repeat the steps and select the box marked Enable Java Content in the Browser (the setting should, in fact, say “Enable Java Content in All of Your Browsers”).

Step 4: Turning off Java within each browser. In Internet Explorer 9 or 10, click on the gear icon in the upper-right corner and choose Manage Add-Ons. Scroll down to the bottom, under Oracle America, Inc., select each of the entries in turn; they’ll probably say “Java(tm) Plug-In SSV Helper” or some such. In the lower-right corner click the button marked Disable. Restart IE. At the bottom of the screen, you’ll see a notice that says, “The ‘Java(tm) Plug-In SSV Helper’ add-on from ‘Oracle America, Inc.’ is ready to use.” Click Don’t Enable. If you get a second notice about a Java add-on, click Don’t Enable on it, too. That should permanently disable Java Runtime in IE.

In any recent version of Firefox, click the Firefox tab in the upper-left corner and choose Add-Ons. You should see an add-on for Java(TM) Platform SE 7 U11. Click once on the entry, and click Disable. Restart Firefox.

In Chrome, type chrome://plugins in the address bar and push Enter. You should see an entry that says something like “Java (2 files) – Version: 10.7.2.11” Click on that entry and click the link that says Disable. Restart Chrome.

Step 5: Testing. Make sure the browsers are/aren’t running Java, by running each of them up against the Java test site. If you go to that site using Google Chrome, there better be a big yellow band at the top of your screen asking permission to run Java just this once.

Disabling Java in your browsers may seem like a real pain in the rump, but it is something that absolutely everyone must take seriously. Do it now!