General discussion

Java: What is it? Do I really need it? Is it safe?


I have been reading from one source that Java is losing the battle with the security "holes," and the recommendation was to disable it or "unload" it from the computer completely. So that's what I did. I have not noticed any problems with not having it. I do understand it could interfere with some things when surfing in browsers. And that some of the free "word" programs won't function without Java. So what to do? Bottom line, do I need it? Is it better to be without it? Is it safe? And are there alternatives? Nowadays security is very important. Thanks.

-- Submitted by Jean
- Collapse -

Got rid of it during the February debacle and haven't noticed any difference.


- Collapse -
I got rid of it in February also

and everything works just fine for me. I noticed the OP said "some of the free "word" programs won't function without Java", I use LibreOffice and have no problems....Digger

- Collapse -
I didn't realize the Linux distro

does have Java

- Collapse -
Java and Jean - supplementary question

I use an application provided by the Australian Taxation Office to digitally submit business tax data monthly. I would simply not want to have to do this any other way. The ATO application and the digital signature that secures it rely on Java, and the ATO insist that users do not update the version of Java that is running on their PC. Consequently, I have been running Java V6 Update 22 since Bill Clinton was in short pants and still learning to dry behind his ears.

So my supplementary to Jean's is... are there any consequences for my PC and myself of this, and if so, what might they be?

I have to say though, I have noticed none.

- Collapse -
Only use apps that have no higher privilege.

If you follow this then even on a Swiss cheese OS like Windows, java is not an issue. Many blame the java RE however this is not the problem. The problem is because Windows is run mostly by users that expect to click on crap to give the program elevated privileges and run essentially as an admin. Malware can target any programming language and runtime environment.

The big problem with runtime environments is that users have been made security stupid by Windows and fail to see the real causes of security issues.

Java is perfectly safe if you do not randomly allow apps to run. Same thing goes for .net apps.
Microsoft's answer to their dumbing down of the user is to require only signed apps that are passed by a bios signed and Microsoft approved checksum.

Well guess what all this does is make certain that Microsoft is in control of all applications that receive certification and a coded cert.

To run anything that is not certified you will need to give it elevated privilege. Instead of the sensible way of doing things and running at a user level with no access to modify the core system wide the way a real operating system needs to be constructed.

So Windows programmers who are used to having to modify the registry and even .sys files to make their programs even work are now in a pickle unless the user allows system wide modification or they pay the ticket to get their software "Microsoft Approved".

POOR security design by Microsoft in the first place is the problem guys and gals, not userspace java apps that should never require elevated privilege to do anything.

Like I said if you see a program in any language or runtime whether it be VB .NET Python Perl etc it does not matter if the OS is not designed with a protected core in the first place! Clicking an OK button and getting hosed should never ever happen in the first place, PERIOD

But keep bashing Java it will Microsoft to finally kill it off once and for all since they failed in replacing it completely with .NET, VB, C# and all the other clones that they push. If you really look into the configuration files used by all these languages they are all principally <xml> java clones.

But the largely FUD from Microsoft and their .NET nuts has managed to muddy the waters heavily enough to keep the general user completely ignorant of what is really going on. GRRRR!

- Collapse -
That's great..

if you can afford to hire someone to code for you.

Since Adobe is going the HTML-5 route as announced; I wonder what Oracle's plan for the future of Java is?

- Collapse -
Coldboots is a Microsoft bigot

Coldboots -
It would be significantly more helpful if you would just provide advice and leave your unprofessional and biased comments where they belong - in your head. Just because you have some technical acumen, you believe that this justifies your ranting and demeaning of Microsoft. Personally, I am in favor of Open Source, however I would not consider it professional to randomly bash other OS' or manufacturers in a public setting.

Please consider using your knowledge for positive influence and keep the innuendos and opinions for another time.

- Collapse -
Get a clue

bobo_boy, Coldboots is merely providing a rationale for dumping Microsoft so people have concrete reasons for taking his advice. He didn't just rant. He provided evidence. Who's the Microsoft bigot here?

- Collapse -
Get a clue yourself!

You're right, coldboots didn't just rant, he/she showed his/her own ignorance and stupidity by insulting windows and its users for no other reason than we are windows users. Coldboots could have made their point without the insults. Therefore, coldboots' opinion of the matter is worthless.

- Collapse -
bobo_boy, It would help if you.........

It would help if you keep your preaching to yourself.



- Collapse -
Eventually --- You May Need Java -- But Not All of the Time

Hi Jean,

Before I get started, I'd like to post a link with the answers to a lot of the questions people have about Java, What it Is, Why you Need it, etc.... This is directly from the Java website:

Java was originally developed by Sun Microsystems in 1995. Simply stated, Java is a programming language. You may have heard of other programming languages like C++, Fortran, BASIC, Perl, and a host of others. Java is designed to "autostart" when you encounter a program written in the Java Programming Language. Essentially, it turns your computer into a "Java Virtual Machine" by taking control of the Java based program until you're finished with it.

Many people have removed Java from their computers with no negative effects. By that, I'm simply saying that these people don't use or need any of the products that integrate Java into their applications. As soon as they do chance upon such an instance, they will be promptly notified that a certain Version of Java is required to accomplish the task they're attempting to do, usually accompanied by a link to the Java site containing that code for download and installation.

Most people dislike Java because of the frequent updates. If you want Java to stop searching for updates and bugging you to install them all of the time, then turn off the update feature. It's located in the MSCONFIG STARTUP area --> Start --> type "msconfig" --> Select the Startup Tab --> Uncheck the box for Java autoupdate feature. Click on OK and then restart your computer. Then Java will no longer prompt you to update.

As a programming language, I'm told that Java is clean and fast. It really shouldn't slow your computer down since it's not running until you chance upon a routine that requires it. If that happens, you're going to need it anyhow.

As browsers advance, they are becoming less and less dependent on Java and perform most tasks with the code written directly for the browser. To answer your question about safety, I'd say the Java program itself is completely safe. In fact, many security features are actually written in Java language. But there is always the potential of someone creating a pop-up that looks like the real Java update message in an attempt to infect your computer with a virus or malware. To prevent this, if you see a prompt (pop-up) for a Java Update ignore it, log onto your preferred Browser and go to and download the latest version. There is no need to delete the older version since Java is designed to run multiple versions simultaneously. When you restart your computer the prompt should disappear.

- Collapse -
Do not disable updates

Do NOT follow the advice to disable checking for updates. Promptly installing updates for all software, Java and otherwise, is critical. Disabling updates is one of the worst things you can do for security.

- Collapse -
Don't forget to explain why...

since Java is - what? - 2nd behind flash as the most attacked vector by crackers in people's (victims) computers, and if you don't have java updated, the criminal code can take over your administrative control and trash your system, and leave you at their mercy. In my honey pot lab, I've experienced attacks from these top three products that experience vulnerabilities quite often; I get them in this order of priority:

1. Adobe Reader - my top attack target by experience
2. Adobe Flash player - nobody I know uses Shockwave anymore
3. Java runtime environment JRE.

Even if you run as a restricted user with limited rights, keeping a vulnerable copy of any of these three is just like hanging your butt out in the wind for all to see. It is not that hard to keep them all updated - especially if you use Avast. Even if the auto updater for Adobe or Java fails, Avast has a software updater that will work without fail.

For even more range in updating you can use FileHippo's Update Checker to remind you of needed updates, and/or Secunia PSI for an even more thorough check of vulnerable, out of date, or no longer supported programs and applications on your computer. Secunia has been experimenting with updating your stuff for you automatically, but when it can't, it pops up and tells you that you need to do it manually. When I get that pop-up on my limited user account, this is a flag to action - and I prefer to log off and log on as Administrator to run these various programs. When it comes to browsers - however - I find it is better to simply update the browser using its own updater. It works much faster and more smoothly that way.

Most of the time Avast, MBAM Pro, or the Windows UAC will stop attackers in their tracks; but in my experience only keeping the entire computer up to date will save you in the end. Anti-malware can only go so far to protect you with today's threats.

- Collapse -
2nd most attacked vector?

"2nd behind flash as the most attacked vector by crackers?"

According to whom?

You are spreading FUD and are flat out wrong, wrong, wrong.

According to InfoWorld (citing NSS labs): "Although drive-by downloads remain the most common attack vector, about 15 percent of attacks are delivered via email with a malicious attachments, such as a PDF document."

Another item from this article:
"But one attack {vector} where most security companies are still lacking is detecting malicious payloads that are written only to memory, also known as single-use malware. Malware can, for example, masquerade as a permitted DLL (Dynamic Link Library), which skirts around DEP (Data Execution Prevention) security features in OSes." [these do not exist in Java]

According to "In 2011, search engine poisoning asserted its dominance as the leading attack vector for web-based threats."

According to a poll on LinkedIN, the three most common vectors are:
• Cross Site Scripting attack in Ajax calls..
• XPATH injection
• XML schema poisoning

As a final reference, I point you to a blog written by a McAfee security expert and a number of her articles:

Take a look at ActiveX exploits. Microsoft macro exploits. Microsoft e-mail exploits, Phishing (social engineering) ...

In conclusion, Java did not make ANY of the lists of top attack vectors I was able to find. Java is relatively low on the attack vector list because of its innate secure design - running code in a "sandbox" or virtual environment.

- Collapse -
I'm going primarily by MY tests...

Your and others' mileage may vary - I'm not criticizing your data at all - I'm just relating my policy, and I'm not wavering from it until my lab proves otherwise. Thanks for the technical details, but I'm not sure how many of my clients are interested in that science. I try to use the KISS principle as much as possible.

Your linkedIN sight is correct but those don't work with my security in depth defenses. At least they never do when I test them with malware rated for those vectors. I don't want to list all of my passive and otherwise defenses here, I don't feel like going that far off topic. Thanks for posting!

- Collapse -
Your tests vs. real world

Your tests are limited to your experience. The things I cited are what groups actually researching attack vectors for viruses, including one specialist from McAfee. You made a specific statement that Java was one of the top 3 attack vectors. Your first statement didn't have any context to even hint that you were speaking from just your personal experience. Quite to the contrary, your comment was a straight out statement as to what is instead of a very limited scope.

- Collapse -
Yes - all true...

but I still stick with it, and I believe what I see with my own eyes - it is just a habit of mine; and it works very well with my clients. I'm sure the other researchers have a different average experience to contend with, but I can't help that.

I was using the tactic of visiting sites that I knew were popular, and also the kind of sites that most folks go to for everyday computing. These were being compromised at an accelerated rate, as the criminals got better at spiking what were otherwise perfectly legitimate sites to serve up malware to the masses. As time went on Microsoft made its NT4 kernel more and more resistant to manipulation, and by the time NT5 and NT6 arrived, my previous approach was not snagging any effective attacks. So I started using the same sites techs in my circle use, to test for live zero day malware samples. By the time IE8 arrived, and of course IE9 on Vista/Win7, the browser was getting pretty good at resisting most drive by attacks, and in fact was blocking, in one form or another, about 85% of the malware visited on the ********.

Eventually this became a waste of time, and I now use junk email accounts with spam and attachments for threats that are vigorous enough to make my time worthwhile. I always run with all Windows built in security enhancements in force, like limited accounts, and parental application control, and test a variety of freeware security tools to fight malware in my lab. I don't use Virtual Machines or anything my clients refuse to adopt; the reason being is that it has paid off better to find ways to mitigate the threat using methods that I could implement without much effort on their part, and also that they would actually use. Most of them are on a tight budget, and use almost all freeware or other Microsoft enhancements to security. Several posters here already covered that facet of the subject better than I - so I was just trying to keep it short and sweet - and relating what I see in my own observations.

I actually should have put FaceBook as the fourth worst source of attacks in that list, but it is a site, and not a particular application.

- Collapse -
Identifying Tor Users Through Insecure Applications
- Collapse -
Can someone explain the downvotes?

Can someone explain the downvotes?

Once a vulnerability becomes known, the number of active exploits of it quickly increases. In many cases security researchers publish PoCs (proofs of concept) after patches have been released, or sometimes before if they are trying to push a reticent vendor to fix a problem. Additionally there is more chance for people to discover the vulnerability even if it is not initially clear where it is. And, when updates are released, people can figure out what the original vulnerabilities were even without a disclosure from the vendor or PoC because you can simply diff (i.e., compare) the new files with the old ones to see what changes. In open source projects such as OpenJDK this is particularly easy, but even for proprietary software like Windows it is possible to disassemble the files.

By continuing to use outdated software, you are putting yourself at a grave security risk. Granted, nobody likes being bothered with updates, but it is just foolish to use software containing known vulnerabilities.

Now, some software vendors may require you to use an older version of Java. That should be very rare, because Java updates are highly backward-compatible. But if a vendor does require you to use an older version, Java has controls where you can use an older version for a specific program but use the latest version for anything else. In any case, if you are using software that requires a particular old Java version, it is poorly written software and the vendor is being irresponsible to not fix it. If at all possible, switch to a program from a competent vendor.
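
A defender-side check for the situation raised in this thread (a machine held on Java 6 Update 22 while everything else should be current), as an added example that is not from any poster: it parses `java -version` banners and flags runtimes below a baseline. The machine labels, sample banners and the baseline value are constructed placeholders; set the baseline from your own patch policy.

```python
import re

# Quoted token in the first line of `java -version`, e.g. java version "1.6.0_22"
_QUOTED = re.compile(r'version "([^"]+)"')
# Legacy scheme used through Java 8: 1.<feature>.<maintenance>[_<update>]
_LEGACY = re.compile(r'^1\.(\d+)\.(\d+)(?:_(\d+))?')
# Scheme used from Java 9 on: <feature>[.<interim>[.<update>]]
_MODERN = re.compile(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(banner):
    """Return (feature, interim, update) from `java -version` output, or None."""
    quoted = _QUOTED.search(banner)
    if not quoted:
        return None
    token = quoted.group(1)
    m = _LEGACY.match(token)
    if m:
        # "1.6.0_22" means feature release 6, update 22
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _MODERN.match(token)
    if m:
        # "11.0.2" means feature release 11, update 2; suffixes like "-ea" are ignored
        return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))
    return None


def audit(banners, baseline):
    """Classify each machine as 'ok', 'outdated' or 'unparsed' against baseline."""
    report = {}
    for label, banner in banners.items():
        version = parse_java_version(banner)
        if version is None:
            # No banner usually means no runtime on the PATH; check by hand
            report[label] = ("unparsed", None)
        elif version < baseline:
            report[label] = ("outdated", version)
        else:
            report[label] = ("ok", version)
    return report


# Constructed sample input: one banner per machine, as captured from `java -version`
SAMPLE_BANNERS = {
    "tax-pc": 'java version "1.6.0_22"',
    "laptop": 'openjdk version "11.0.2" 2019-01-15',
    "kiosk": "'java' is not recognized as an internal or external command",
}

# Placeholder baseline (assumption): oldest release your policy still accepts
BASELINE = (8, 0, 0)

if __name__ == "__main__":
    for label, (status, version) in sorted(audit(SAMPLE_BANNERS, BASELINE).items()):
        print(label, status, version)
```

Machines reported as outdated are the ones to either update or isolate to the single program that needs the old runtime.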

- Collapse -
Can someone explain the downvotes?

My best guesses on why the negative ratings to that post:

Ignorance of the truth and sheer foolishness.
Poor reading skills (misunderstanding what the writer intended).
Rating the wrong response? - Should be applied to the one to which it was written perhaps?

- Collapse -
Watch for unwanted "extras"

When installing Java updates, by default you will also be installing the Ask toolbar and making Ask your default search engine, unless you untick the check box. I intensely dislike this underhand and sneaky way of getting unwanted software on to people's systems. I can't understand why the likes of Oracle can't see what an irritation it is to users. I can only think that they are paid to do this.

But as RocketMotorTest says, you should enable updates for security reasons. Just make sure you don't get an unwanted installation as well.

- Collapse -
Petition Oracle to stop bundling Ask toolbar
- Collapse -
Some Java updates will not continue without 'Ask Toolbar'

I have been getting notification of Java updates that have no way to continue unless you check the 'Install Ask Toolbar' option. I cancel the install and soon after it comes back again. My first thought was Malware/virus but Malware checks do not indicate anything so far.

- Collapse -
Ask Toolbar

My preference has always been to check for updates to Java using other methods, either a manual check or else via a third party software update checker. I also prefer to fully remove any trace of Java from my machine before installing a new version of Java. I know that they've cleaned up their act and old versions are now removed by the Java installer. Old habits die hard I suppose.

As for the Ask Toolbar - I spend a lot of time trying out newly available free software and sometimes I will end up accidentally installing the Ask Toolbar or other unwanted toolbars/ browser hijackers in spite of being careful when installing new programs. I've now started using a program called Image Hijacker. It requires some setting up and knowledge of toolbar executable file names. Basically you can use it to automatically block the installation of unwanted toolbars that come bundled with programs. Ironically a quick search for Image Hijacker from Fahmy Corporation is likely to lead the user to a download page which will attempt to trick the user into installing further unwanted toolbars/ spyware or adware!

However the program itself is perfectly safe to use if you can find a safe download link! It's a stand alone program that will run without installation.

It will allow programs that attempt to install toolbars to install cleanly without the toolbar and without aborting the installation.

- Collapse -
Image Hijacker
- Collapse -
Fahmy Corporation

Yes it does and all of the download links are misleading. You'd be better off looking here:

How to use?

It's portable and must be run with admin rights.

Set up any executable file name for unwanted toolbars and set the program to hijack the process with a fake message when it tries to run. It will block toolbar installers completely even if run with admin privileges.

I've tested Image Hijacker against a couple of programs that come bundled with toolbars and they installed with no problem - and without the toolbars even when the installer is run with administrator privileges. Yes - you can rely on your security software to block toolbar installation in some cases but in most cases it requires the user to make a choice and to block the installation which usually results in the entire program failing to install.

Examples of some toolbar installer names to block:


If you ever have problems with another toolbar - just add its name to the list then remove the toolbar!

- Collapse -
Some Java updates will not continue without 'Ask Toolbar'
- Collapse -
Why does the petition request so much personal Info?

I would have signed this except that it asks ENTIRELY too much information to submit this. I can understand E-mail and maybe a user name, but address and first and last names is going a little too far into the realm of 'Phishing' sites. I already get enough spam mail and telemarketer calls to stay away from this one.
If it is legitimate, then I hope it succeeds as I WOULD like to see the 'ASK Toolbar' go away, but with only 15K signed, when the goal is 250K signatures to submit is very unlikely to me.
Thanks but no thanks

- Collapse -
Installation of ASK with Java

I suggest you remove all traces of Java, (remove via control panel) including deleting the directories if anything is left behind and download the full install file (30 some megs) rather than the online installer. (Bottom of the Java installation page -> select option to see all Java installs and download the full installer) Run the installation. By default, ASK is checked so be sure to uncheck that when you install it. I can think of no reason for it to fail to continue without ASK being checked. I have never seen that behavior occur and I cannot begin to count the number of installations of Java I have done.

- Collapse -
This time it had the option and the 'next' button, however..

On several previous update attempts, I had to cancel the installations because there was no 'next' or 'continue' button after unchecking the 'install ASK toolbar' box. I did not imagine this and remember it very well because it continued to happen again and that aggravation was what prompted me to start this thread in the FIRST place. Thank you for the information about doing a clean install. I may try that on the next (all too soon) update.
