Here comes more Java confusion

Discussion in 'Software' started by drcarl, Jan 17, 2013.

  1. drcarl

    drcarl Staff Sergeant

    I wish I could find a plain language, simplistic and PRACTICAL solution for this Java security mess. I want to be able to advise my family and friends because as things are now, disabling Java in a browser is almost the same as saying just don't use the internet anymore.

    I know this is as long as the ocean is deep, and the internet is wide....oh, well.

    ...in plain language: turning off Java is NOT realistic....

    I use Chrome on Win 7x64 and now have set Java in Chrome to ask/nag me ~"if I really wanna"~ allow Java(script?) to run each time I visit a website with Java info/scripting/content on it. Sure, it sounds great on paper.

    Here's another one I've read: just "use another browser" to access internet sites with Java...that'd be IE for me, but it seems that ~every~ site I go to including Yahoo, Gmail, YouTube, almost every news site, Intellicast, this site...almost all the sites that show up in a search engine search....dare I say "everything"? (almost) requires Java for a complete experience? --like if you want to see embedded video..or just about anything...Am I missing something here? Really, what sites DON'T use any Java?

    Someone recommended changing banks if the bank uses Java. {laugh} I do not do banking all day long and have not investigated if my Credit Union is a non-Java site; whatever bank I use takes a few minutes, not all day. I spend FAR more time surfing and learning! Unless Java is disabled, then I might as well read a book! What am I missing here?

    It also seems odd to me that there are only two pop-up Java options within Chrome: enable www.xyz.com permanently, or not. How about just this one time??? {<--rhetorical Q}

    I wish I understood this better. I have read enough now to know that Java is to Javascript like Ham is to Hamster and Car is to Carpet...and have read awesome, direct, simple statements/explanations which still leave me in a fog.

    Here's one...

    * Java is an object-oriented programming (OOP) language while JavaScript is an OOP scripting language.
    * Java creates applications that run in a virtual machine or browser while JavaScript code is run on a browser only.
    * Java code needs to be compiled while JavaScript code are all in text.
    * They require different plug-ins.

    Well great then. Except, hmmm, OOP? scripting? VM? compiled? plug-in? ...now I'd have to learn a bunch of new terminology in order to understand the significance and how what connects to what and why...or is it who? whatever.

    Some have said that the recent update to Java did not go far enough and it'll be a couple of years until the hole is patched. Great. Someone else goes on and on about the difference between Java (a local installation which more home users don't need) and Javascript (running in the browser without which the internet is essentially useless) and then recommends disabling Java in the browser! Which is it, Java or Javascript? Am I just being lysdexic? (OK, "in the browser"...that makes it Javascript, right? even though it's called Java...at least I know the difference between a browser and a local installation). Reminds me of someone who once said: "It depends on what your definition of 'is' is". Then they say, "turn it off for 4 months"? Yeah, right!

    I went to "add/remove" in Win7 and removed all the Javas...ver 6, ver 7 and something else. Did the CCleaner thing, and the Glary Utility cleanups, too. Then Acrobat Pro 8.3 broke with "acrotray" and "Acrobat" both returning error messages. After installing Acrobat X Pro everything seems to be OK since I can read a .pdf for more than 45 seconds and acrotray appears to be humming along smoothly (thank you Task Manager). I wonder what broke them so I don't break 'em again? I guess that's not a priority because it's working now. Oh, while trying to fix acrotray/Acrobat, I re-installed Java 7 update 11 (and have disabled Java in Chrome).

    I re-activated my UAC (User Account Control) to nag me for permission to install things I already know I am installing as well as other system changes I make. I know, yes, now I'll know about the nasty surprise ones, too. It appears to be a REALLY needed/useful feature now.

    I have also created another user named "WWW" who does NOT have Administrator privileges because that seemed like someone's good idea. Then I imported my bookmarks and continued learning about how incredibly integrated everything is; one task almost always takes me back to another page or site, or to an icon on the other desktop, or somewhere online for more information or an answer to something, so it's VERY cumbersome to have to switch between user accounts...if that's even a correct solution...and, having to allow Java on every site seems to defeat the purpose of disabling Java.

    However delusional, I think we ought to be able to create our own environment so that we can visit the nastiest porn and other infected sites whenever we want to without risk. All the mainstream sites are almost as risky if their security policies are not maintained...and now, maybe, even if they are!

    Here's a question: If I/we surf in a sandboxed browser like Chrome under SandboxIE, or GesWall, or Returnil System Safe Free, can malicious code, say, on my favorite porn site, get out of the sandboxed browser and into my OS and beyond, or not? I have read that one of the features of the new Java exploit is its ability to get out of the sandbox. Which sandbox? SandboxIE's or some sandbox buried within one of the Javas? If learning how to use a sandbox is the solution, then I'll teach my family (and friends) about it. Looking for simple here.

    Thanks to the brilliance and persistence of the evil-doing cretins, I have already years ago resigned my careless freedom to the idea that security policy development and implementation is a never-ending personal responsibility. Still, I seek the simplest REALISTIC solution so that I can share a little and teach others. I believe I have to sometimes help THEM be safe to keep ME safe. Silly, I know.

    Help? Disable Java in the browser so we can allow it everywhere we go? Run under a third-party sandbox? What is the simple solution here? (in plain language, please)....so I can tell my classmates, some friends, my sweetheart partner, and my relatives including my 82 year old mom what to do...

    TIA ~ drcarl
     
    Last edited: Jan 17, 2013
  2. cipher

    cipher Major Geek Extraordinaire

    So many points, I'll try to share my experience with you...

    I have NO JAVA on my machine, none. I use gmail, youtube and all are still full featured. I run some high end PDF software, I write a little code, and use all the normal type apps one would expect. Zero impact for me since dumping Java...

    I don't know what it is you are missing without Java, could you give some details please?

    Javascript is NOT Java. Caliban explained this very well in:
    http://forums.majorgeeks.com/showthread.php?t=272044

    As a "Best Practice" you should always be using your computer in a non-admin account. The UAC (User Account Control) is your best option here, it will prompt you when something you're doing needs elevated rights. Also "run As Administrator" from the context menu is good. If a few seconds to input a password is the price for increased security, I say fine, so be it...

    There have been rare instances I've read of where malware escaped from a sandbox, but that's what patches are for. No software is perfect, there are no guarantees. Firewall/Anti Virus/Anti-malware and safe surfing will keep you as clean as you can be. Safe surfing cannot be understated...

    There is no way that I know of to "create our own environment so that we can visit the nastiest porn and other infected sites whenever we want to without risk." You also have no control of what your bank is doing for security, it is a tough hard world, if you get hit, you get back up fix it and plod on.
     
  3. AtlBo

    AtlBo Major Geek Extraordinaire

    drcarl...

    You're probably doing better than you seem to believe you are doing.

    I have Java 6 Update23. That was the last time anyone told me there might be a problem with it, so I updated it. I read about 7.10 and the problems that could be coming, but I have a VERY high confidence level that it won't affect me.

    Just put the health of the PC first and teach those who use your PCs to do so, too. Require them to or take away their privileges. It will all start to happen your way once you do.

    I agree with you about the user account set up in Windows. I haven't ever set up an account, and I have no plan to. I'll pay the price for security.

    The biggest problem is that the business and account interfaces and tools are more or less unusable to a serious employee of a major company. The whole groups thing is basically impossible to work with.

    None of the incarnations of Windows are designed with anything serious in mind in a business sense. That doesn't mean there aren't workarounds for companies willing to pay for them. Still, my expectations of Microsoft for its OSes of the last 18 years have been far higher than the standards MS have set for themselves. They had the momentum to accomplish a lot more than they have in my opinion. It's really a shame to me (in spite of the positives there are to say about MS products...a few positives) that we aren't 10 years ahead of where we are today with PC software...
     
  4. drcarl

    drcarl Staff Sergeant

    Cipher - thanks for the reflections...I have read Caliban's post many times. I have read the top portion of the two Wikipedia pages he referenced. On the "Javascript" page, it says:

    "JavaScript (JS) is an open source client-side scripting language commonly implemented as part of a web browser in order to create enhanced user interfaces and dynamic websites."

    Maybe it's that reference to browser that's throwing me...? OK, I'll try for literal...:major

    (1) Is this Javascript mentioned in bold, above not the "Java" that gets disabled in Chrome? {sorry if that seems like a really moronic Q}

    I get it that Java and Javascript are different. Perhaps I have their location backwards or something.

    (2) What am I disabling when I go to Chrome > Settings > show advanced settings [link]> Privacy-content settings [button] > JavaScript > Do Not Allow Any Site to Run JavaScript [radio button] ??? (JavaScript, I bet) - and what does that actually do? (in lay terms, please)

    (3a) What am I disabling when I go to Chrome > Settings > show advanced settings [link] > Privacy-content settings [button] > Plug-ins > Disable individual plugins [link]> (scroll down to...) Java(TM) 2 files??? (Java, I bet) - and what does that actually do? (in lay terms, please)

    (3b) Are these two files the Java(s) that need disabling? One is Java Deployment Toolkit 7.0.110.21, and the other is Java(TM) Platform SE 7 U11

    (4) Are any of these responsible for breaking my internet experience? If so, which?

    (5) Might any of these be responsible for breaking Acrobat/acrotray - is Acrobat dependent on any of these?

    (6) Is there a "sandbox" within Java or Javascript? (completely separate from anything I might install or use)

    I'll stop here - I know I am too verbose - sorry, and...:confused

    THANK you for considering these.

    ~drcarl
     
  5. drcarl

    drcarl Staff Sergeant

    That'd be nice - lol

    Add/Remove says I have Java 7 update 11. I, too read that Java 6 might be OK; it's "gone" now.

    OK - I'll have a conversation with myself about that as I am self employed at home, allow no outside (in-home) access to my machine, and allow NObody to even touch my keyboard...I sometimes ask anyone who wants to touch it "what the P in PC stands for?" - lol

    I actually think it's needed now...so I'm using it.

    It's just me ;)



    And...On the actual "internet" since 1986 (Medline)(Holy $4!# - 27 years), I do agree that MS could have us a lot further down the road than we are. Like some say, "there is the MS way; then, there is the right way." lol

    Still, I give thanks to them, to MG, the WWW and to you!

    :cool
     
  6. satrow

    satrow Major Geek Extraordinaire

    How to disable Java in most common browsers.

    Note that manually disabling Java in IE is very tricky, I guess in part because IE is tied into Windows.

    The current security vulnerabilities being exploited via Java plugins in browsers are not confined to MS Windows.

    Java in the browser is rarely needed by Joe Public, I'd advise everyone to uninstall Java until it's proven that it's really needed. Even then, disable it in the browsers by default and only enable it for the duration of the actual need.

    Over the last year or so, Java has allowed in ~50% of malware on infected systems, Adobe's Reader ~28%!

    Java 6 is not affected by the current wave of exploits, you could install that instead, if you need Java. Guess what the bad guys will concentrate on if everyone drops Java 7 though, its 'invulnerability' is not likely to last long!
     
  7. drcarl

    drcarl Staff Sergeant

    Satrow...thank you for your comments....still.....

    Thank you. I have been there, --done, and un-done, and re-done that...I wish I understood why I need to do this and what the effects are. I have enumerated specific questions in post number 4. Most of these questions, although perhaps familiar to people who understand these things like you, remain unanswered to me.

    So many protest that Java is typically not needed and not missed...I assume this: if done right ... if the right Java is disabled in the right place using the right steps, a user can be relatively safe. The link you shared is straight-forward; thanks. This appears to address number (3b) in that these two instances should be disabled. Done. Is that it?

    What about all the other questions?

    How is Java uninstalled? (without breaking Acrobat and the rest of the Adobe Creative Suite? I ~live~ in Photoshop! well....I could...)

    OK, even though I can be pretty tricky myself and have no problem making registry changes/edits, I'll leave Java alone for IE and plan to use IE if, and only if, Java, somehow, is needed. What about my question (2)? Enabled? disabled?

    I understand this. It's a browser thing, not an OS thing. Does Joe need it for Adobe Creative Suite? Even though I'd likely go the Wordpress route, might I need it if I get back into building a website or two?

    How? Add/remove? Will this break Acrobat/acrotray? (see questions (2) & (5), please....I broke it before and spent the day finding a fix...that's why I ask for the expert advice here...I assume this to be faster and better than me figuring these things out for myself.)

    Is this different from watching a vid on YouTube, asking for a lost password, and doing just about anything online? As things in Chrome are set now (and per my non-numbered comment in post number one (1), paragraph 7). How can I enable it just for the duration of a need? I must have something set incorrectly because it seems that every site I visit needs to be enabled - and it appears to enable the site permanently. Must I go to Manage Exceptions after enabling for every website visit? I must be over-complicating this.

    I'm glad I don't own their stock; an abysmal record...and...drum-roll....that's why I am here!

    I could install 6, I suppose, if I knew how to, and once all my other relevant (to me) questions have answers. I'd prefer to go with 7 update 11 and make myself otherwise safe....AND, learn how to communicate this to others.

    How does one uninstall Java without breaking stuff? Oh, I asked that already

    thanks for your input, really!

    ~drcarl

     
  8. pwillener

    pwillener MajorGeek

    The question really is: do you have any Java applications? You mention Acrobat earlier in connection with Java: Acrobat does not use Java.

    Some applications that may require Java: OpenOffice, LibreOffice. I write "may" because only some components make use of Java.

    On the Internet: I know only very few sites that require Java. Some are banking sites, some are voting sites. Secunia OSI also uses Java, I believe.

    If you completely uninstall Java, an application or website that requires it will tell you so. Most likely you will not encounter this at all.


    JavaScript: most browsers allow you to disable JavaScript. I do not see any reason to do that; in fact I believe that most websites will no longer function correctly if you disable JavaScript.
     
  9. satrow

    satrow Major Geek Extraordinaire

    The effects of your computer becoming infected by malware are that you lose control over your computer and your data.

    To uninstall Java: http://java.com/en/download/uninstall.jsp or use JavaRa.

    Acrobat, Reader, Photoshop, CSx etc. do not use Java.

    Java is not needed for writing HTML/creating websites.

    Watching online video requires HTML5, Flash and Silverlight - not Java.

    If you were to downgrade to Java 6, after next month's final patch update, Oracle will no longer support it.
     
  10. cipher

    cipher Major Geek Extraordinaire

    I allow javascript. It is needed for many websites, things from online calculators of all types to drop down menus, etc.. Javascript is not the problem. If you are seeing sites not functioning as expected, allow javascript.


    These are the two you should disable/remove. They are Java.

    I'm not sure what part of your internet experience is being broken by disabling Java. A specific site may require it, I haven't run into any as yet. Disabling Javascript will break most people's internet experience, that's why I allow it...

    I use Acrobat Pro Extended 9 and Acrobat X, I see no changes or loss of functionality since I removed Java. I am not aware of any need for Java with Adobe products. Unsure as to what is breaking Acrotray for you, I don't use that...


    No, there is no built-in sandbox in Java or Javascript. They are programming languages. Sandboxie is a program written in a programming language, C++.

    Installing/using either java or javascript in any implementation, i.e. plugins or allowing the browser engine to run them, allows web sites that have embedded code in their pages work properly. Javascript should be allowed, you will need it. Java plugins, IMO, should be removed or disabled at a minimum.

    Hope this helps. :)
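
Added example (not part of any post in this thread): a JavaScript check of the distinction drawn in post 10, flagging Java plugin entries in a browser's enabled-plugin list without mistaking anything named "JavaScript" for Java. The two Java plugin names are the ones quoted in post 4; the function names, the other sample entries and the MIME-type values in the sample are constructed for illustration.

```javascript
// Added example: audit a list of *enabled* browser plugins for Java.
// The code doing the audit is JavaScript, which runs in the browser engine
// itself; Java only appears if a separate plugin is installed and enabled.

// Matches "Java ..." or "Java(TM) ...", but not "JavaScript ...".
const JAVA_NAME = /^Java(?:\(TM\))?\s/;
// Java plugin MIME types, e.g. application/x-java-applet.
const JAVA_MIME = /^application\/x-java-/;

function isJavaPlugin(plugin) {
  const mimes = plugin.mimeTypes || [];
  return JAVA_NAME.test(plugin.name) || mimes.some((m) => JAVA_MIME.test(m));
}

// Pulls "7" and "11" out of a name such as "Java(TM) Platform SE 7 U11".
// Returns null when the name carries no "SE <major> U<update>" part.
function parseJavaVersion(name) {
  const m = /SE (\d+) U(\d+)/.exec(name);
  return m ? { major: Number(m[1]), update: Number(m[2]) } : null;
}

// Returns the Java entries found and whether the "JavaScript on, Java off"
// setup is in effect (no Java plugin enabled).
function auditPlugins(enabledPlugins) {
  const javaPlugins = enabledPlugins
    .filter(isJavaPlugin)
    .map((p) => ({ name: p.name, version: parseJavaVersion(p.name) }));
  return { javaPlugins, javaDisabled: javaPlugins.length === 0 };
}

// Constructed sample of an enabled-plugin list. In a browser the same shape
// can be built from navigator.plugins:
//   Array.from(navigator.plugins,
//     (p) => ({ name: p.name, mimeTypes: Array.from(p, (m) => m.type) }))
const SAMPLE_PLUGINS = [
  { name: "Java Deployment Toolkit 7.0.110.21", mimeTypes: [] },
  { name: "Java(TM) Platform SE 7 U11", mimeTypes: ["application/x-java-applet"] },
  // Constructed: unhelpful name, only the MIME type reveals Java.
  { name: "Runtime Helper (constructed)", mimeTypes: ["application/x-java-vm"] },
  // Constructed: must NOT be flagged, the name starts with "JavaScript".
  { name: "JavaScript Helper (constructed)", mimeTypes: ["text/javascript"] },
  { name: "Shockwave Flash", mimeTypes: ["application/x-shockwave-flash"] },
];

const report = auditPlugins(SAMPLE_PLUGINS);
for (const p of report.javaPlugins) {
  const v = p.version ? ` (Java ${p.version.major} update ${p.version.update})` : "";
  console.log(`Java plugin enabled: ${p.name}${v}`);
}
console.log(report.javaDisabled ? "No Java plugin enabled." : "Java is still enabled in this browser.");
```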
     
  11. cipher

    cipher Major Geek Extraordinaire

    As a side note on this: I just ran Libre Office thru the paces of my normal workflow and saw nothing impeded. The database requires Java and breaks without it, the rest of the suite works fine...

    I read somewhere recently that LO's devs are working to cut Java loose in favor of another solution.
     
  12. Caliban

    Caliban I don't need no steenkin' title!

    Good morning...

    Just a quick followup to everyone's excellent advice on this subject:

    For anyone wishing to patch/update their Java 7 please be advised that cybercriminals are now attempting to exploit the current Java scare in many ways. There are several fake Java update variations floating around the internet. For example: Trend Micro is reporting a "BKDR_ANDROM.NTW" trojan masquerading as a Java 7 Update 11, and HOTforSecurity has found an "extremely contagious" trojan ("Backdoor.IRCBot.ADEQ") disguised as a Java update.

    Bottom line: if anyone wishes to update the Java 7 on their machines instead of deleting, then only reputable update sites should be used. MajorGeeks or Oracle are the only two repositories that I would recommend in light of the recent spate of exploits and fake downloads.
     
  13. cipher

    cipher Major Geek Extraordinaire

    Nice catch! Thanks...
     
  14. pwillener

    pwillener MajorGeek

    That is true. However, so far they have not reached a decision what SQL engine to use in future. And Java will still be required for backwards compatibility.
     
  15. drcarl

    drcarl Staff Sergeant

    Everyone: thank you for your answers.

    I feel/believe I should reply to some comments.

    First, I want to get/take the time to re-read the last couple of posts until I firmly "get it." Then, I want to re-read the steps outlined here to verify that the article referenced with this link makes total sense.

    Finally, I'll put together a simple, straight-forward email for friends and family - attempting to save them from some confusion which I am probably guilty of generating by over-complicating a simple thing.

    Chrome: Javascript-enabled; Java-disabled (two instances)

    Again, Thanks.

    ~drcarl
     
  16. satrow

    satrow Major Geek Extraordinaire

    That article wasn't 100% correct when published, check the comments there, mine included.
     
  17. drcarl

    drcarl Staff Sergeant

    Wow - gotta get back tomorrow and read the article and comments slowly.

    Does not using IE at all have a benefit?

    Not uninstalling; I know that's almost impossible as it's a part of Win. Just not ever lighting it (IE) up (unless there is no other way) - so to speak.
     
  18. cipher

    cipher Major Geek Extraordinaire

    Here's a thought:
    Before you send that email, make those settings your settings. Close Chrome and restart it. Test. If you use web based email, send one to yourself, cc someone, put it thru its paces.

    Visit the web sites you mentioned in a previous post - YouTube, Yahoo, etc. Again, run them thru the normal actions you would take on those sites.

    When you're confident that all works as before, send the email... ;)
     
  19. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    First: Java hasn't been part of windows since Win 2K when MS included its own version.
    I never installed it on my Win 7 computer and I've uninstalled it from the Win 2K and XP computers (one exception) in the house. I used Revo to uninstall to be sure I got all the bits out of the registry.
    Second: even though it has been updated, a security expert in Poland found that the latest version 7, update 11 can still be exploited.
    Source: I read the article yesterday and now I can't find it.
    Here is another article: http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/
     
  20. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Sadly all software these days can be exploited in some way, they are just too complex and cover too many bases, especially Windows, but media apps such as Java, Quicktime, Flash and Acrobat Reader are all targets these days due to the reliance in business of them.

    Although not all zero day exploits are exploited, in some cases they are scaremongering as the exploit may need specific criteria to run the issue. However it's always best to keep current with all software and safe surf to reduce your risk.
     
  21. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    50% of the malware in 2012 was from Java problems and 29% from Adobe reader.
    I removed Adobe Reader years ago. I used Foxit until I felt it too was becoming bloated and maybe a security risk. I'm currently using Sumatra to read and print pdf files.

    While searching for the source of that, I stumbled across the story I was trying to find in post #19.
    http://www.computerworld.com/s/arti..._critical_vulnerabilities_in_Java_7_Update_11
    The researcher is Adam Gowdiak and works for Security Explorations, a Poland-based vulnerability research firm.
     
  22. cipher

    cipher Major Geek Extraordinaire


    Thanks. Another good article where one opinion has it that oracle may be 2 years from totally fixing this:

    http://www.theregister.co.uk/2013/01/18/fake_java_update/

    Sumatra not only reads PDF, but EPUB, MOBI, CHM, DJVU, CBR, CBZ files as well. A nice app to have...

    I discovered this when looking for a better reader for my, ahem, Graphic Novels. :)
     
  23. drcarl

    drcarl Staff Sergeant

    Rest assured I'd test after I think I understand what's going on before offering any kind of advice.

    The only problem is the other half of the test (besides the online mail, etc.) has to do with testing all possibilities of the Java exploit. I don't know how to perform those tests and is a BIG reason why I am so thankful for those who take the time to reflect and post here!

    Sometimes it's a purely academic vulnerability that has to be prepared for or fixed before an actual attack!?! Smart and experienced people here help with that preparation.

    Thanks!
     
