Everyone should heed the klaxon calls to turn off Java, but it isn't as simple as you might think. This step-by-step guide will help.
The latest spate of Java insanity has prompted calls from all quarters to get rid of the beast. Galen Gruman, in "How to kill Java dead, dead, dead," takes the entire computer industry to task for perpetuating Oracle's malware breeding ground. Almost a year ago, I made the case for disabling Java in your browser. Now the Department of Homeland Security's CERT team has jumped into the fray and recommends that consumers disable Java on their computers.
Several people have written to ask me how to disable Java on their Windows computers. As it turns out, it isn't quite as simple as you might think. Here's what I recommend:
Step 1: Find out which version of Java you're running. The easy way to do this is through the Java Control Panel -- if you can find it. Start by bringing up the Windows Control Panel (in Windows XP and Windows 7, choose Start, Control Panel; in Windows 8, right-click in the lower-left corner of the screen and choose Control Panel). If you see a Java icon, click on it. If you don't see a Java icon (or link), in the upper-right corner, type Java. If you then see a Java icon, click on it.
Unfortunately, there's a bug in at least one of the recent Java installers that keeps the Java icon from being displayed inside Windows Control Panel. If you can't find the Java icon, go to C:\Program Files (x86)\Java\jre7\bin or C:\Program Files\Java\jre7\bin and double-click on the file called javacpl.exe. One way or another, you should now see the Java Control Panel.
Step 2: Make sure you have Java Version 7 Update 11. In the Java Control Panel, under About, click the About button. The About Java dialog shows you the version number; if you've patched Java in the past few months, it's likely Version 7 Update 9, 10, or 11. (Don't be surprised if Java says that it's set to update automatically, but doesn't. I've seen that on several of my machines.) If you don't have Java 7 Update 11, go to Java's download site, and install the latest update. You have to restart your browser for the new Java version to kick in. Personally, I also reboot Windows.
Warning: Oracle, bless its pointed little pointy thingies, frequently tries to install additional garbage on your machine when you use its update site. Watch what you click.
Step 3: Decide if you want to turn off Java in all of your browsers. That's certainly the safest choice, but some people have to use Java in their browsers from time to time. Personally, I don't disable Java in all of my browsers (more about that in a moment).
Step 4: To turn off the Java Runtime in all of your browsers, from inside the Java Control Panel, click or tap on the Security tab, then deselect the box marked Enable Java Content in the Browser. Click or tap OK, and restart your browsers (or better yet, reboot). From that point on, the Java Runtime should be disabled in all of your browsers, all of the time. To bring Java back, repeat the steps and select the box marked Enable Java Content in the Browser (the setting should, in fact, say "Enable Java Content in All of Your Browsers").
Step 5: If you don't want to turn off Java in all of your browsers, choose the one browser you wish to leave Java-enabled. For me, that's an easy choice: By default, recent versions of Chrome prompt before running Java on a specific page, so I turn off Java in all of my browsers except Chrome. That way I can use any of my browsers for general Internet work without fear of getting Javanicked. If I absolutely have to go to a website that requires Java, I'll fire up Chrome specifically for that purpose.
Step 6: If you haven't turned off Java in all of your browsers, turn off Java in each of your selected Java-free browsers. In Internet Explorer 9 or 10, click on the gear icon in the upper-right corner and choose Manage Add-Ons. Scroll down to the bottom and, under Oracle America, Inc., select each of the entries in turn; they'll probably say "Java(tm) Plug-In SSV Helper" or some such. In the lower-right corner, click the button marked Disable. Restart IE. At the bottom of the screen, you'll see a notice that says, "The 'Java(tm) Plug-In SSV Helper' add-on from 'Oracle America, Inc.' is ready to use." Click Don't Enable. If you get a second notice about a Java add-on, click Don't Enable on it, too. That should permanently disable Java Runtime in IE.
In any recent version of Firefox, click the Firefox tab in the upper-left corner and choose Add-Ons. You should see an add-on for Java(TM) Platform SE 7 U11. Click once on the entry, and click Disable. Restart Firefox.
In Chrome, type chrome://plugins in the address bar and push Enter. You should see an entry that says something like "Java (2 files) - Version: 10.7.2.11." Click on that entry and click the link that says Disable. Restart Chrome.
Step 7: Test. Make sure the browsers are/aren't running Java, according to your wishes, by running each of them up against the Java test site. If you go to that site using Google Chrome, there better be a big yellow band at the top of your screen asking permission to run Java just this once.
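The version check from Steps 1 and 2 and the Step 4 setting can also be read from a PowerShell prompt, which helps when the Control Panel icon is missing. This is an added example, not part of the original article; it assumes the jre7 folders named above, the usual `java version "1.7.0_NN"` banner, and that the Step 4 checkbox is stored as deployment.webjava.enabled in the per-user deployment.properties file.

```powershell
# Added example (read-only audit); folders are the two named in the article.
$jreBins = 'C:\Program Files (x86)\Java\jre7\bin', 'C:\Program Files\Java\jre7\bin'
$requiredUpdate = 11   # the article's target: Java Version 7 Update 11

function Get-JavaUpdate([string]$Banner) {
    # Assumed banner format: java version "1.7.0_09"  ->  Major 7, Update 9
    if ($Banner -match 'version "1\.(\d+)\.\d+(?:_(\d+))?"') {
        $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
        [pscustomobject]@{ Major = [int]$Matches[1]; Update = $update }
    }
}

$report = foreach ($bin in $jreBins) {
    $java = Join-Path $bin 'java.exe'
    $cpl  = Join-Path $bin 'javacpl.exe'
    if (-not (Test-Path $java)) { continue }
    # java.exe prints its banner on stderr; merge it and stringify each line.
    $banner = (& $java -version 2>&1 | ForEach-Object { "$_" }) -join "`n"
    $v = Get-JavaUpdate $banner
    [pscustomobject]@{
        Folder       = $bin
        Version      = if ($v) { "$($v.Major) Update $($v.Update)" } else { 'unrecognized banner' }
        UpToDate     = [bool]($v -and ($v.Major -gt 7 -or
                              ($v.Major -eq 7 -and $v.Update -ge $requiredUpdate)))
        ControlPanel = if (Test-Path $cpl) { $cpl } else { 'javacpl.exe not found' }
    }
}

# Assumption: unchecking "Enable Java Content in the Browser" writes
# deployment.webjava.enabled=false to this per-user file.
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
$browserJava = 'enabled (no override found)'
if ((Test-Path $props) -and
    (Select-String -Path $props -Pattern '^\s*deployment\.webjava\.enabled\s*=\s*false' -Quiet)) {
    $browserJava = 'disabled'
}

if ($report) { $report | Format-List } else { 'No JRE found in the jre7 folders checked.' }
"Java content in browsers for this user: $browserJava"
```

The ControlPanel path it prints is the javacpl.exe to double-click for Step 4. The script does not see the per-browser add-on settings from Step 6, so the browser test in Step 7 is still needed.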
Selectively disabling Java in your browsers isn't particularly easy, but it's a worthwhile step that everyone -- absolutely everyone -- should undertake. Right now.