Bad guys frequently attack Java* because it's widely installed and buggy. Java's self-update procedure has historically been poor, resulting in many computers with old versions just ripe for attacking. And, it doesn't help that most computer users think Java is a type of coffee.
Java has also been an accident waiting to happen to Mac users because Apple has poorly handled their responsibility to keep the software up to date. Bad guys finally took advantage of the opening Apple left for them back in April when hundreds of thousands of Macs were infected with malware that installed itself by exploiting a bug in Java.
If ever a computing technology needed Defensive Computing, it's Java. With that in mind, here are some suggestions.
The first issue is whether you need Java at all. Sadly, this is not an easy question to answer.
For one thing, Java is used both online and offline. That is, some web pages include embedded Java programs (called Applets) and some application software also depends on Java.
In the case of application software, I know of no way to learn which, if any, currently installed applications require Java.
Some help is offered by Ed Bott in his article How big a security risk is Java? Can you really quit using it? which lists a number of popular Java based applications. I have listed some other applications that require Java on the home page of my JavaTester.org site.
Perhaps the only way to determine if installed applications require Java is to un-install Java and see what breaks.
In the case of web pages, the Chrome browser is your best friend. By default Chrome warns of any web page that contains a Java Applet (below) and lets you decide whether to run the Java program or not. Thank you Google.
Considering its high profile, patches to Java should be installed as quickly as possible.
On Windows, Java can be configured to automatically check for updates daily, weekly or monthly. The default is monthly; daily is best. To configure this, logon as an Administrator, go to the Control Panel, open the Java applet and click on the Update tab, then the Advanced button, as shown below.
You can also check if the latest version of Java is installed either at my JavaTester.org site or at a pair of Oracle pages (Oracle is the company behind Java).
Oracle's How do I test whether Java is working on my computer? page reports the currently installed version of Java. However, it only sometimes includes an indication of whether this is the latest version or not. The screen shots below show what it looks like when Java is up to date ...
... and when it needs updating.
The other Oracle tester page, Verify Java Version, consistently reports whether the latest version is installed. Just click the big red button to see if the "recommended" version of Java is installed.
Note that Java is unlike the other popular browser plugin, Flash, in that there is normally only one copy installed and it's shared by all browsers. In contrast, Windows users that run Internet Explorer, Firefox and Chrome, and want Flash available in each, end up with three separate and distinct copies of Flash installed (and perhaps one in the Adobe Reader too). It is possible to install multiple versions of Java, and in the old days this was a huge problem, but current versions of Java remove any older copies of the software they encounter.
But is the latest version necessarily the best version?
One tenet of Defensive Computing is avoiding new software. Not only is it likely to be buggy, there are also going to be incompatibility issues with other software that has to interact with the new code.
I mention this because Windows users now have a choice of Java versions. Oracle is maintaining both version 6 and 7 with the latest bug fixes.
Last week Oracle updated Java 6 to Update 33 and Java 7 to Update 5. Last month, version 7 became the default version installed on Windows computers. Java 6 is scheduled to be retired this coming November.
While version 7 is far from new (it was first released July 2011) it is still newer than version 6 and only recently became the default version for Windows. Thus, it's more likely that there will be an incompatibility issue with Java 7. So, sticking with version 6, for now, seems to be the safer approach.
Windows users can download Java 6 update 33 from this Java 6 Downloads page. Look for the 32 bit version, even if you are on a 64 bit version of Windows 7. It's the safer play, and chances are you are using a 32 bit browser anyway. I always opt for the "Offline" download. The specific file to download is jre-6u33-windows-i586.exe.
UPDATE: The Java 6 Downloads page will always have the latest edition of Java 6, but the file name will change with the release. As of Oct. 18, 2012, the latest edition of Java 6 is Update 37.
New versions of Java can be installed on top of older versions, but I always feel safer un-installing the prior version of Java before installing a new one. The downside, however, is that tweaking of the update checking schedule will need to be re-done.
Speaking of tweaking, Windows XP users can disable the Java Quick Starter service (Control Panel -> Administrative Tools -> Services). The service is not necessary for Java to function correctly and the less work a computer does at startup time the better. This too, may need to be re-done after installing a new Java.
And, if Firefox asks about installing the Java Quick Starter plugin, don't agree to it. Java works fine in Firefox without it.
Finally, if you need Java for just one or two websites, then consider disabling Java in the browser you normally use and have it enabled in a second web browser, one that you only use on the websites that require Java. Taking this to the extreme, if Java is only needed offline (that is, for an installed application), then disable it in all browser(s).
Below are instructions for disabling Java in assorted browsers under Windows. Instructions for disabling Java in assorted Mac browsers can be found on the "Version" page of JavaTester.org.
Tools -> Add-ons -> Plugins. Disable the plugin whose name starts with "Java (TM) Platform SE " by clicking on the disable button. This takes effect immediately, there is no need to restart Firefox.
Enter "about:plugins" on address bar (without the quotes), then click on the "disable" link for Java. Like Firefox, it too, takes effect immediately. I find it helpful to bookmark the about:plugins page.
Internet Explorer 8 on Windows XP
Tools -> Internet Options -> Advanced tab -> Java section. Turn off the check-mark in the box for "Use JRE 1.6.0_33 for <applet>" and restart Internet Explorer.
This only works when logged on to Windows as an Administrator. Limited/restricted XP users see the option and can turn off the checkbox, but it is ignored - the checkbox gets turned back on immediately. The good news is that after an Administrator turns this off, then it is also off for limited/restricted users.
This works identically with Java 6 and Java 7 although, obviously, the version number will vary.
Internet Explorer 9 on Windows 7
The situation with IE9 is a brutal mess.
To begin with, Java can not be disabled by tweaking the browser itself. Like IE8, there is an Advanced tab in the Internet Options window and it still has a Java section. But, with IE9, it does nothing.
Configuring add-ons also fails. You get to the settings via Tools -> Internet options -> Programs tab -> Manage add-ons button. There you will see two Java entries, each with its own Disable button.The buttons are a sham, disabling the Java add-on does nothing.
A good writeup on this from last November is available at techlogon.com. They also tried configuring the Internet Zone to not allow "Scripting of Java applets," but to no avail.
Finally, they discovered that Java could be disabled in Internet Explorer 9 using the Java applet in the Control Panel. On the Advanced tab, there are checkboxes in the "Default Java for browsers" section as shown below.
But that was then; it no longer works. I tested this on two Windows 7 Professional 64 bit machines. One had Java 7 update 5 installed, the other was running Java 6 Update 33.
On the Java 7 computer, I was logged on as a restricted/standard user. Although I could turn off the checkbox for Microsoft Internet Explorer, it was immediately reset back to on. Logging on as an Administrator, surprisingly, changed nothing.
On the Java 6 computer, while logged on as an Administrator, turning off the checkbox resulted in the error below.
Bottom line: As far as I know, Java can not be disabled in Internet Explorer 9.
Yet another reason for Windows users to avoid Internet Explorer, an opinion I offered back in June of last year (see 12 reasons not to use Internet Explorer, ever).
To verify that Java is, in fact, disabled in a web browser, try either my JavaTester.org site or one of the Oracle sites mentioned previously that reports on the installed version. The only gotcha here is at my site, where Firefox reports that Java is disabled even when it is not installed at all.
*The part of Java that resides on your computer, and offers a runtime environment to Java programs, is the Java Runtime Environment or JRE for short. It is also referred to as the JVM or Java Virtual Machine.