To me, the worst thing about Windows computers is updating software. While Microsoft does a good job keeping the operating system updated, other software inevitably falls through the cracks. Without a single update mechanism that works for all software (which will never happen) Windows users will forever be at risk.
Java, a new version of which was released today, falls through the cracks far too often. Like any large application, it needs a constant stream of bug fixes. Without frequent updating, old versions of Java are ripe for attack. Today's update*, to version 6 Update 22, begs the question: should you update an installed copy of Java or just remove it and get off the update treadmill?
A report today from Brian Krebs indicates that many people are not keeping their Java software up to date. As a result, bugs in the older versions are a very popular way for malicious software to install itself. According to Krebs,
"attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling exploit kits ... Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles."
Apparently for people to whom Java is a type of coffee rather than a piece of software, the update process is too difficult.
To see which version of Java your web browser is using, you can go to my JavaTester.org site.
DO YOU NEED IT?
Whether to keep Java (technically the JRE, Java Runtime Environment) or not, is debatable.
Certainly if you don't use it, the Defensive Computing thing is to remove it. But, you can also remove too much software. I got burned recently removing software from a new Windows XP machine. In my zealousness I removed a Visual C++ product. Then, when I went to try and burn CDs for the first time on the machine, two different burning applications both failed with unknown errors. Turns out they needed the removed software but nothing in Windows indicated this.
One way to tell if a website uses Java is to look for the Java icon in the system tray/notification area/lower right corner. Unfortunately this is not reliable, as the displaying of this icon can be disabled.
Another approach is to open the Java Control Panel (click on Java in the Windows Control Panel), go to the General tab and click on the View button to see Temporary Internet Files. Websites that use Java probably stored some files there.
While there, you may also want to click on the Settings button to check the maximum space that Java can use to store temporary files on your computer. You may find, as I did on two machines, that the maximum value was a gigabyte. Seems a tad excessive.
Or, you can just un-install Java and see what, if anything, breaks.
But be aware that Java can also be used off-line. Open Office, for example, needs it for some features.
UPDATE MORE OFTEN
If you do need Java, you will be safer having it check for updates every day rather than the default of once a month. To change this, open the Java Control Panel and go to the Update tab. You will need administrator rights to modify the schedule.
But, it's not clear that you can depend on Java's self-updating.
Today, on a Windows 7 machine with Java 6 Update 20, a manual check for updates (clicking the Update Now button on the Update tab in the Java Control Panel) said the latest version was installed. This was not true, as Update 21 was released well over two months ago and Update 22 was released today. On the other hand, two XP machines, both also running Java 6 Update 20, did report that Update 22 was available.
If you do need Java, one Defensive Computing tactic is to keep it disabled in your web browser, and then enable it only when needed. The procedures below were tested with Windows 7 and XP.
In Firefox 3.6.10, you can control Java with Tools -> Add-ons -> Plugins. There are two Java entries: Java Deployment Toolkit and Java Platform. If they are both enabled, Java should work. If they are both disabled, Firefox will not run Java applets. Firefox users can get more granular control over Java (and other software) with the NoScript extension.
In Chrome version 6, enter "about:plugins" in the address bar. There is a single entry for Java identified as "Java 6" that can be easily enabled or disabled. You may want to bookmark the about:plugins page.
Under Windows XP, Internet Explorer 8 users can control Java with Tools -> Manage Add-ons -> Toolbars and Extensions. There should be two entries from Sun Microsystems, the Web Browser Applet Control (an ActiveX control) and Java(tm) Plug-In 2 SSV Helper (a Browser Helper Object). Enabling or disabling both of them determines whether Java applets will run.
If you go this route, my JavaTester.org site can be used to verify whether Java is functional in your web browser.
Under Windows 7, I was not able to prevent IE8 from running Java applets by disabling the Java Add-ons. IE7 had a checkbox in the Advanced options for Java, but this no longer exists in IE8.
The big hammer here is in the Java Control Panel, where Java can be disabled either system wide or for the current user. While this works, it caused IE8 under Windows 7 to hang.
Still not sure? Considering the stats cited by Krebs, the safest approach is to remove Java.
*New versions of Java are released by Oracle (formerly Sun) for Windows and Linux. Mac users have to wait, sometimes a very long time, for Apple to release a new copy of Java that incorporates the updates first made available to Windows and Linux users.
Update October 14, 2010: Someone gave me an infected Windows XP computer the day after I wrote this blog posting. It was infected with a few malware programs; one of them was "Java/TrojanDownloader.Agent.NBU trojan" according to ESET's online virus scan. Go figure. The computer had not just one, but two, old versions of Java installed.
Update October 16, 2010: I forgot to mention that after installing a new version of Java, Windows XP users can shut down and disable the Java Quick Starter Service (Control Panel -> Administrative Tools -> Services). Java applets in web pages run just fine without this, and the less software running on a computer the better.
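Since the self-updater cannot be trusted to report the real state of things (the Windows 7 machine above), and an infected machine turned up with two old JREs side by side, here is an added PowerShell script (mine, not from the original post or from Oracle) that inventories every JRE registered on a machine, flags the ones older than 6 Update 22, and reports the Quick Starter service from the October 16 update. The JavaSoft registry layout, the service name 'JavaQuickStarterService' and the reference version string are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original post: inventory registered JREs,
# flag outdated ones, and report the Java Quick Starter service state.
$LatestKnown = '1.6.0_22'   # constructed reference value: 6 Update 22 as of this post

function ConvertTo-JreVersion([string]$Text) {
    # JRE registry keys look like '1.6.0_22'; turn them into a comparable [version]
    if ($Text -match '^\d+\.\d+\.\d+_\d+$') { return [version]($Text -replace '_', '.') }
    return $null   # '1.6' style alias keys and anything unexpected are skipped
}

# Assumed locations: 32-bit JREs on 64-bit Windows register under Wow6432Node
$jreRoots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
$latest = ConvertTo-JreVersion $LatestKnown
$report = @()

foreach ($root in $jreRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $ver = ConvertTo-JreVersion $key.PSChildName
        if ($null -eq $ver) { continue }
        $javaHome = (Get-ItemProperty $key.PSPath).JavaHome
        $report += New-Object PSObject -Property @{
            Version  = $key.PSChildName
            JavaHome = $javaHome
            Outdated = ($ver -lt $latest)   # older than the reference release
        }
    }
}

if ($report.Count -eq 0) {
    Write-Host 'No Java Runtime Environment is registered on this machine.'
} else {
    $report | Sort-Object { ConvertTo-JreVersion $_.Version } |
        Format-Table Version, Outdated, JavaHome -AutoSize
    $old = @($report | Where-Object { $_.Outdated })
    if ($old.Count -gt 0) {
        Write-Warning ("{0} outdated JRE(s) installed; update or uninstall them." -f $old.Count)
    }
}

# Quick Starter service (October 16 update): report it if present.
$qs = Get-Service -Name 'JavaQuickStarterService' -ErrorAction SilentlyContinue
if ($qs) {
    Write-Host ("Java Quick Starter service is {0}; it can be stopped and set to Disabled." -f $qs.Status)
    # With admin rights:  Stop-Service $qs; Set-Service -Name $qs.Name -StartupType Disabled
}
```

A machine that shows more than one Version row, or any row marked Outdated, is in the state the October 14 update describes, whatever the Java Control Panel's Update Now button claims.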
Update October 18, 2010: For more on this, see my next blog, Java: use it or lose it.