Should You Jettison Java?

October 24, 2010

As I mentioned in my most recent post about Apple’s update of Java for OS X, the company has indicated that Java is “deprecated” in the Mac environment.  This has sparked renewed interest in whether the typical end-user machine should have Java installed at all.  Brian Krebs, in his Krebs on Security blog, has for some time recommended that users remove the software from their personal PCs unless they require it for a specific purpose.  More recently, Rob Pegoraro of the Washington Post has, in two recent posts, looked at getting rid of Java, and suggests that most users have no real need for it.  I’ve now been asked by a few people what I think they should do.

Before I get to a recommendation, it might be useful to review what Java is about.  The Java language and environment was originally designed by Sun Microsystems.  The idea, clever and elegant, was to provide a development tool that allowed programmers to build applications that were “Write Once, Run Everywhere”.  To accomplish this, Java development generates executable code that is not directed at a real hardware platform (like an x86 PC), but at a Java virtual machine, an idealized environment.  That environment, which has certain built-in features for security (the so-called “sandbox”), is provided by the Java run-time system, which emulates the Java virtual machine on each real hardware platform.  (This was not an entirely new idea.  In his multi-volume classic, The Art of Computer Programming, Donald Knuth devised a hypothetical machine called MIX, which he used for pedagogical reasons.)  The design of Java was an attempt to provide a tool through which Web sites could serve small applications to all comers, in a platform-agnostic way.  There are typically two parts of a Java installation: the Java run-time environment [JRE], which implements the Java virtual machine; and a browser plug-in, which handles Java applets served from Web pages.

The case for getting rid of Java is fairly easy to summarize.  There is no question that Java has been a major target for the developers of malware distributed over the Internet; furthermore, there is considerable evidence that these attacks are becoming more and more common.  Java, like Adobe’s Flash and PDF Reader software, is an attractive target for the Bad Guys because it is widely installed across PC and Mac platforms.  And one of the few unquestioned truths of system security is that the only kind of software that never creates security problems is the kind that is not installed on the machine.

So why keep Java?  For some users, who work in enterprise environments, the answer is easy.  Many organizations, especially large ones, have built significant applications using Java.   These users need Java, and presumably their organizations can provide support and update reminders to keep the Java installations up to date.  If you fall into this category, and need Java, then, obviously, you should keep it.

For average users, the picture is a bit murkier.  There may be specific Web sites or applications that you use that require Java.  For example, the on-line crossword puzzles at the Washington Post site are implemented using a Java applet.  The on-line version of Secunia’s Software Inspector, a service the Danish security company provides to check for missing security patches, also uses Java.  I’m sure there are many other sites that use Java.  If you use these sites, but not too frequently, you might consider installing Java, but disabling the browser plug-in except when you need it.  (Most attacks are mounted via the plug-in.)  In Firefox, you can disable the plug-in by selecting Tools / Add-Ons from the main menu, then selecting the Plugins tab.  Highlight the Java entry, and then click the Disable button.  To enable the plug-in, repeat the process, and click the button (now labeled Enable) again.

Another application that uses Java is the OpenOffice productivity suite.  Java is used to implement a number of features of that package, but it is possible to install OpenOffice without Java.  (The OpenOffice site has a list of features that require Java.)  In that case, the features that require Java will not be available, but the package’s other capabilities can still be used.  As I mentioned earlier, most attacks, at least currently, are directed via the browser plug-in, so just having the JRE installed, which is what OpenOffice uses, is probably a tolerable risk.

The really important point, though, is the same for Java as for any other package.  Install it only if you need it; and if you do, take care to keep it up to date.   As always, I will try to post notices here when updates are released.
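Since the advice above comes down to "know whether Java is installed, and if so whether it is current", here is a small inventory script that answers both questions from the command line.  It is an added example, not something from the original post: it parses the first line of `java -version` output, compares the version found against a minimum you supply, and looks for the browser plug-in in a few locations.  The plug-in paths and the minimum version used in the sample call are assumptions, not values from the post; substitute the current release for your platform.

```shell
#!/bin/sh
# Added example (not from the original post): inventory a machine for a Java
# runtime and the Java browser plug-in, and check the runtime is up to date.

# Extract the bare version string from `java -version` output, e.g.
#   java version "1.6.0_22"   ->   1.6.0_22
# Takes the captured output as $1 so it can be tested on sample text.
java_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if version $1 is at least version $2.  Versions are split on
# "." and "_" (1.6.0_22 -> 1 6 0 22); missing fields count as 0.
version_at_least() {
    have=$(printf '%s' "$1" | tr '._' '  ')
    want=$(printf '%s' "$2" | tr '._' '  ')
    i=1
    while [ "$i" -le 4 ]; do
        h=$(printf '%s\n' "$have" | awk -v n="$i" '{ print $n + 0 }')
        w=$(printf '%s\n' "$want" | awk -v n="$i" '{ print $n + 0 }')
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Report whether a JRE is on PATH and whether it meets the minimum in $1.
report_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "No Java runtime found on PATH (nothing to patch)."
        return 0
    fi
    out=$(java -version 2>&1)
    ver=$(java_version_from_output "$out")
    if version_at_least "$ver" "$1"; then
        echo "Java runtime $ver is installed and meets minimum $1."
    else
        echo "Java runtime $ver is installed but is OLDER than $1: update it."
    fi
}

# Look for the browser plug-in.  These locations are assumptions about
# where the plug-in is commonly installed; adjust for your system.
report_plugin() {
    found=0
    for p in \
        "$HOME/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" \
        "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin" \
        "$HOME/.mozilla/plugins/libnpjp2.so" \
        "/usr/lib/mozilla/plugins/libnpjp2.so"; do
        if [ -e "$p" ]; then
            echo "Java browser plug-in present: $p"
            found=1
        fi
    done
    [ "$found" -eq 0 ] && echo "No Java browser plug-in found in the checked locations."
    return 0
}

# Sample minimum version: an assumption for illustration, not a current release.
report_java "1.6.0_22"
report_plugin
```

Run it as-is to get a short report; the version comparison treats `1.6.0_22` as newer than `1.6.0_20` and `1.7` as newer than `1.6.0_22`, so it also works once the version scheme changes.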

Update Tuesday, 26 October, 11:15

In Google’s Chrome browser, you can temporarily disable the Java plug-in by typing about:plugins into the URL box.  The resulting page will show you all the plug-ins that are installed.  You can click the Disable link under the Java entry to temporarily turn it off.

So far, I have not been able to find an easy way to temporarily disable Java in the Opera browser.
