Some security problems are really hard to fix. But the one you’ve been reading about for the last few days is not. Java, a programming language used by most computers and browsers, is about as secure as a paper mache bank vault and it acts as an open door into your computer. My solution: Throw it overboard and don’t give it a second thought.
The bad guys have found a way to exploit various holes in Java that allow them to gain access to a PC running Windows or Apple’s OS X. This has happened a number of times, and Oracle, which inherited Java when it acquired Sun Microsystems a few years ago, keeps patching the holes. But new ones pop up with alarming frequency.
The latest incident came to light last week. Even after Oracle fixed a serious security flaw in Java over the weekend, the Department of Homeland Security warned that the fix was not sufficient and urged users to disable Java on their Web browsers.
"Unless it is absolutely necessary to run Java in Web browsers, disable it," DHS said in an updated alert on Monday. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
Java is widely used by businesses to run proprietary software and heavy-duty applications from companies like Oracle and SAP. But it turns out that very few programs (some multi-player Internet games are an exception) that consumers run need Java to function. So why take chances with security? Just banish the damn thing from your browsers and your operating system.
"I think there is a lot of sentiment toward not using Java at all if you can avoid it," says Stephen Cobb, security evangelist for anti-malware firm ESET. "That is what I would say, and I'm not the first to say that, and I'm not alone in saying that," he told InfoWorld, our sister publication.
Plenty of other security pros say the same thing. "Users should simply disable it," H.D. Moore, chief security officer at the security firm Rapid7, told Forbes.
That seems like strong medicine, but Java has been blamed for security problems for some time. A report by Kaspersky Lab, a Russian antivirus company, said that half of all cyberattacks last year were caused by Oracle’s Java software.
"While we called 2011 the year of the vulnerability, 2012 can justifiably be described as the year of the Java vulnerability, with half of all detected exploit-based attacks targeting vulnerabilities in Oracle Java," Kaspersky Lab said in its security bulletin.
It’s not at all clear how much blame should be directed at Oracle. There have been reports that the company was aware of problems for some time, and there is some feeling that because its business is enterprise-focused, issues that affect consumers get short shrift.
Ultimately, though, what matters is keeping your system safe. And that's a decision you can make.
Disabling Java in Windows is tricky, but there’s a very simple solution. Simply delete it the way you’d delete any other program. You know the drill: Control Panel, Programs, let it populate and when you see Java, simply click Uninstall.
Disabling Java in your browser is easy. Here's how to do it:
- If you’re using Mozilla Firefox, or close cousins like Pale Moon, simply go to tools > addons > plugins and "disable" Java.
- Chrome users should simply type “chrome://plugins” into the location bar and look for Java -- then disable it.
- If you’re using Internet Explorer it’s a few more steps, but no big deal. Press Alt+T; Internet Options, Programs, “Manage Add-ons” and then disable Java.