Network News

X My Profile
View More Activity

Request for comments: Java considered harmful?

For years, my standard computer-maintenance advice has included this item: Make sure your PC's copy of Java is up to date.

But maybe it's time for a revision: Make sure you don't have Java on your PC.

java_icon.PNG

To refresh any faded memories: On a home computer, Java is the software developed by Sun Microsystems (now the property of Oracle, which bought Sun last year) that runs Java programs inside your browser.

Java's original promise -- still relevant in many business environments -- was that programmers could write one Java program that would run on any machine with a Java "runtime environment" such as the one available for Windows PCs on Sun's Java.com site.

But along the way, two things happened in the home market. Hackers began taking advantage of Java's near-ubiquity by launching exploits against the software. And Web sites started abandoning Java for more widely deployed (if not that much less annoying) alternatives.

My former Post colleague Brian Krebs has been doing an excellent job of noting Java's security risks on his own blog. On Monday, he repeated an earlier call for home users to dump Java, noting the popularity of Java attacks in commercial "exploit kits."

As for Java's legitimate, helpful uses at home, I have a hard time thinking of any. The last time I used Java on a Web page must have been when Facebook still used a Java applet for photo uploading. It retired that software earlier this year.

In June, PCMag.com's Larry Seltzer tried removing Java entirely from his PC -- a tricky operation, thanks to some stray Java plug-ins remaining in his Web browser -- and discovered that he didn't miss it.

In Windows, Java suffers an extra, self-imposed problem: the tacky habits of its update installer. (In Mac OS X, Apple provides the Java software and updates it automatically with the rest of OS X.) It's no longer so stupid as to leave old versions around, but it still pushes a Yahoo browser toolbar on users.

Seriously -- a Yahoo toolbar? In 2010? Do I get a free GeoCities account with that, too?

When a program stops being relevant in day-to-day Web use, still requires frequent security fixes and has a history of making a nuisance of itself, you should ask why you bother keeping it around.

(Update, 11:37 a.m. So about Java on the Mac... the system-level integration of the software Apple originally touted as one of OS X's core application frameworks means Java is not a pest to install or update. But as reader "teamn" noted in a comment, you can't uninstall it. You can disable it in Safari--open the Preferences window, click the Security heading and click to clear the checkbox next to "Enable Java"--but not, as far as I can tell, in Firefox.)

So: Have you dumped Java? How'd that go? If you haven't, what sites and applications still require you to run it?

By Rob Pegoraro  | October 13, 2010; 10:29 AM ET
Categories:  Security, Windows  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Patch Tuesday brings record harvest of security fixes
Next: Cease Mac laptop purchases until Oct. 20

Comments

Yes. I dumped it a few months ago after reading Brian Krebs. No issues yet. My home PCs probably haven't needed Java for years. And I haven't found a need for it on my work PC since I dropped it.

My only worry was that I thought I would need Java for OpenOffice. But you can install OpenOffice without Java which causes you to lose access to small number of features. So far, no problems on that front.

Posted by: kjhealey | October 13, 2010 10:47 AM | Report abuse

Rob,

Based on my limited understanding, Java cannot be removed from OS X. If that's true, then how can Mac users get rid of Java? Or, are we stuck?

Thanks!

Posted by: teamn | October 13, 2010 11:13 AM | Report abuse

Removing Java completely might not be practical for all, because there are some useful programs that make use of Java. However, selectively enabling Java when you need it is quite practical. Instructions on how to do this are at http://blog.zeltser.com/post/1299666302/java-browser-security-liability

Posted by: LennyZeltser | October 13, 2010 11:20 AM | Report abuse

Even if people use Java programs, they shouldn't use the browser plug-in. You can ditch that part without doing away with the usefulness it provides. jBidWatcher is great and java only, btw

Posted by: hesaid | October 13, 2010 11:39 AM | Report abuse

Well, SwellInfo still uses Java for its video streaming, though HTML 5 should take care of that. Otherwise I don't miss the Java plugin.

But if you do a lot with Oracle then Java is a necessity.

Posted by: wiredog | October 13, 2010 12:07 PM | Report abuse

The washingtonpost.com daily crossword puzzle (http://crosswords.washingtonpost.com/wp-srv/style/crosswords/daily/front.htm) is a Java applet. I go there every day.

Posted by: pkalina | October 13, 2010 12:20 PM | Report abuse

@pkalina: Well, that's a little awkward...

- RP

Posted by: Rob Pegoraro | October 13, 2010 12:43 PM | Report abuse

I had to re-install java because Merl Reagle's crosswords at sundaycrosswords.com needed it. That crossword also appears weekly on the WaPo site, where java is required, as the earlier poster noted. Because of my settings in the NoScript add-on, I am prompted to allow java whenever it is used; it happens from time to time but I usually don't allow it. However, crosswords are a different story!

Posted by: 5232news | October 13, 2010 1:09 PM | Report abuse

So I use Firefox and in the Tools, Options, Content tab I find the option to enable/disable javascript. if you disable javascript is that not the same result with the ability to enable as needed?

Posted by: blackbear336 | October 13, 2010 1:21 PM | Report abuse

@blackbear336
JavaScript is not Java.

http://kb.mozillazine.org/Javascript_is_not_Java

Posted by: wiredog | October 13, 2010 1:30 PM | Report abuse

Thx. No that you say that, I thought there was also a similar button to enable/disable java as well, but I don't see it anymore.

Posted by: blackbear336 | October 13, 2010 1:40 PM | Report abuse

I also do the occasional crossword on the Post's website. I'm sure there are other ways to scratch that itch, but I'm not very motivated to seek them out. If they did something other than a Java app, I'd be happy, especially if it didn't take so long to load.

On a nearly unrelated note, when I click the crossword link on the home page, it leads to the games page, with Sudoku highlighted. And yet, if I click the Sudoku link, it goes straight to the puzzle. This drives me nuts.

Posted by: tomsing | October 13, 2010 2:14 PM | Report abuse

I depend on Secunia OSI to keep up to date with patches. It requires a java applet. Doesn't anyone else out there use Secunia?

Posted by: wullman1 | October 13, 2010 2:21 PM | Report abuse

If you think Java has security problems, try comparing it with .NET. Oh wait, you can't because Windows doesn't publicly track .NET Security problems -- they just issue updates on patch Tuesday. At least you can uninstall Java -- don't even think about removing .NET from your Windows computer.

Posted by: washpost86 | October 13, 2010 3:56 PM | Report abuse

When I work from home, there are some corporate Web apps which require Java. As for the public Internet, one example is the TV Guide Web site, which requires Java to receive its full functionality for viewing channel listings.

What I find particularly annoying about Java (not a comprehensive list) is
1. There is no elegant way to get rid of older versions (e.g, 1.4.x, 1.5.x). Sometimes even an upgrade to 6.0.x leaves a legacy browser plug-in from an earlier version of 6.0. Sometimes our corporate Borg Drones install multiple versions on the same machine at work, which makes the machine very confused.
2. 64-bit versions of Windows — increasingly the new desktop standard — require special accommodation.

I’m sure that Larry Ellison’s brain trust at Oracle is looking for ways to monetize Java.

Posted by: 54Stratocaster | October 13, 2010 3:58 PM | Report abuse

What is a Java? I haven't used that junk since forever. Since the installer ballooned to 100s of MB, I stopped installing it on my computers and actually actively removed it. Haven't missed it.

Posted by: tundey | October 13, 2010 9:11 PM | Report abuse

I'm afraid to remove Java from my ThinkPad because I think it might be required for some of the pre-installed Lenovo utilities.

Posted by: bokamba | October 13, 2010 10:15 PM | Report abuse

I am far from a Java expert, but I have been using a "written in Java" application now for some time. The program was originally not in Java, but the author changed to Java in part because a crossword creation program which is based on something other than the English alphabet is so much easier for the users! It was quite difficult for me to save my work in different formats, depending upon the stage of the puzzle creation, export, upload and such.

I personally hope that Java can be "cured"--because as the world becomes (hopefully) more "one", the need to communicate across cultures will become stronger.

But I have been sorry to learn that many of the PC users I know cannot access my site, because they do not have Java installed.
No so the Mac folk.

Posted by: alindeO | October 14, 2010 12:59 PM | Report abuse

blackbear336 noted that, where Firefox has a checkbox to enable or disable Javascript, there used to also be a checkbox to enable or disable Java. That's right, but the Java option has moved.

In current versions of Firefox, you can disable Java by going to Tools | Add-ons | Plugins and selecting Disable or Uninstall for any Java plugins you see.

Btw, in addition to crosswords, I sometimes use Java at logmein.com to access client computers remotely. logmein.com has two implementations of their functionality — one using their proprietary plugin, and one using Java. My thought is that the plugin I know is safer than the plugin I don't know, so I always pick the Java option.

Posted by: pkalina | October 14, 2010 5:24 PM | Report abuse

You can get rid of Java on your PC, but you'll find it hard to get it out of your life. I was at JavaOne, and was amazed at how many things run on Java - Amazon Kindle, many TV cable boxes - particularly those with On Demand or Pay per View features, some Android apps, LiveScribe smart pen devices, and the list goes on.

Posted by: jcflack1 | October 15, 2010 4:16 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge washingtonpost.com's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.




characters remaining

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company