
Java: What is it? Do I really need it? Is it safe?

by Lee Koo (ADMIN) CNET staff/forum admin / April 12, 2013 8:49 AM PDT
Question:

Java: What is it? Do I really need it? Is it safe?


I have been reading from one source that Java is losing the battle with the security "holes," and the recommendation was to disable it or "unload" it from the computer completely. So that's what I did. I have not noticed any problems with not having it. I do understand it could interfere with some things when surfing in browsers. And that some of the free "word" programs won't function without Java. So what to do? Bottom line, do I need it? Is it better to be without it? Is it safe? And are there alternatives? Nowadays security is very important. Thanks.

-- Submitted by Jean
HTML5 is not more secure
by verdyp / April 19, 2013 2:05 PM PDT
In reply to: A necessary evil

HTML5 will not magically be more secure, simply because it will use Javascript instead of Java.

All Javascript engines also have their own bugs. However they are simpler to manage by users of web browsers because this engine gets updated along with the browser (it's more complicated for IE users, so users of IE will be targeted now by bugs or loopholes in IE's Javascript engine).

There are now other excellent languages similar to Java, but not as strong as it is in terms of security. Just look at Javascript: it has absolutely no security model to enforce, so as a consequence, there's no security loophole in these security mechanisms that simply don't exist. Java tries to enforce a lot of additional constraints and this is effective in blocking many security attacks at many points (there's not a single point of failure but many to break simultaneously).

Seriously, malware authors have always had difficulty exploiting the security holes in Java, simply because there were still many other barriers to cross.

The force of Java is its extreme stability (now challenged by the stability of scripted languages like Javascript, Python, Perl and Lua), and its very strong datatype model (enforcing many verifications of code at compile time, before the code is deployed and not at runtime where programmers may forget many cases, something that exists now as well in C#). Today most bugs occur in programs natively written in C/C++ or some assembly language, because they don't have any isolation sandbox mechanism.

Java has always been FAR better than Flash in terms of security (Flash is a nightmare because even if it runs in a VM, that VM is shared across all instances started from different websites, and Flash can leak data from one instance to another).

If something must be removed from PCs, it's not Java first, but Flash. Flash is already scheduled for death, simply because everything it does can now be written in Javascript within the HTML5 DOM, and Javascript is now far better, faster, more portable, and offers a much stronger isolation mechanism (but not as powerful as what you'll find in Java).

Java is also renowned for its excellent portability, including across versions: many complex softwares are written in Java using very strong construction patterns that are extremely resistant to bugs made by programmers.

But the recent developments of scripting engines can now offer some similar isolation mechanisms (e.g. in Javascript/ECMAScript since its update last year). Other languages are now developed using Javascript as a model (this includes now Lua, and now even Perl; PHP is very late and suffers from a very bad initial design and compatibility problems to enforce new mechanisms).

Anyway Java's force is its incredible library of high-quality packages, that have been reviewed by many, experimented, tuned for performance. Nothing is better today than the existing garbage collector of Java (garbage collectors are essential components of ALL modern languages, forget C/C++ malloc/free and strcpy!). I have proofs that even Java-written programs will be faster than C/C++ written programs (simply because C/C++ programs cannot be safely optimized for a wide range of target platforms without introducing severe bugs or limitations in deployment).

reply to verdyp
by edwardsmark / April 19, 2013 3:59 PM PDT

interesting read ! thank you.

what i desperately need is the functionality of h5 getUserMedia(), something that both flash and java have had for years. but it appears we are still at least a year away from anything close to it. i have seen it supposedly implemented, but you have to either download a highly experimental browser version, or tweak your browser, neither of which i would ever ask anybody to do.

i was happy using java until the USA dept of homeland security recommended it be removed a few months back, on the evening news! for the past several months i have had dozens of worried people asking me about java, and i had no good answer for them. believe me, it broke my heart to move to flash (see occupyflash-dot-org).

however, i have seen many computers corrupted during the rather difficult process of the java install. and even the biggest flash-basher will admit to us that flash is a far FAR easier install. and then there is the subject of java on the mac... but i won't go there (it gives me nightmares).

anyways, i was hoping something like google-go or dart would have taken over. Lua - interesting - and this is the first i have heard of it. i wonder if any browsers support it natively, since unfortunately it's the browser side that is the headache.

curious ...
by tumbleweed_biff / April 19, 2013 4:46 PM PDT
In reply to: reply to verdyp

I have been using Java heavily since the late 90's and I have never had a problem with an install/uninstall. This includes dozens of personal installs as well as a multitude of them on client/corporate machines. Difficult to install? It is something like three, maybe four, mouse clicks to install, with but two options: where to install it if you don't take the default install path and whether or not you allow Ask to be installed ...

reply to tumbleweed
by edwardsmark / April 20, 2013 1:28 AM PDT
In reply to: curious ...

well tumbleweed - you got me there... java is not difficult, except maybe when compared to the flash install. and to be fair, i have not seen a java problem-install in quite a few years. however, java does seem to make its presence known in the registry (every version). and chrome seems to have its own special java hooks.

and do we REALLY need the 'ask' toolbar? really now!

but tumbleweed & verdyp, let's just set all this aside and push for a secure scripting language that runs on both the server and all browsers, does not require any major plug-in to work, and has the power of java with the animation & media capabilities of flash. then throw in overseas troop withdrawals, world peace, intelligent republicans, and for good measure, include former NBA stars (preferably ones that were married to Madonna) acting as unofficial ambassadors to Asian communist isolationist nations, and i will be happy.

do we need Ask?
by tumbleweed_biff / April 20, 2013 4:09 AM PDT
In reply to: reply to tumbleweed

No, we do not need Ask, and I have never opted to allow it to be installed with a Java installation and it is not installed on the corporate/enterprise Java images with which I have worked.

You have to realize that Java is far more than a scripting language. As I said before, it is a programming language as well as an environment. While there are flaws in every environment, Java was designed from the outset to provide an environment where code from an external site can be safely executed on the local machine and prevent malicious code from accessing data/hardware on the local machine. As with all things computer, it isn't perfect in this, but it is far more secure than every other technology used to execute remote code on a local machine of which I am aware. It is also the only fully cross-platform full development environment of which I am aware. Mind you, a scripting language is not a full development environment.

reply
by edwardsmark / April 20, 2013 10:48 AM PDT
In reply to: do we need Ask?

tumbleweed - any thoughts on the future of java? i only got a couple of 'hello world' programs working and that was the extent of my java experience.

i was only kidding on the ask toolbar. but just about everybody i work with who installs java on their own somehow ignores the ask toolbar part and ends up with it. and lately some toolbars and search-engine plugins have not been that easy to get rid of.

Future of Java
by tumbleweed_biff / April 22, 2013 11:58 AM PDT
In reply to: reply

I expect that Java has a very long future. Even if it falls out of popularity as a primary means of development, I expect it will be something like Cobol where systems will continue to use it for decades because the programs work and rewriting them will cost huge dollars to corporations who would rather leave the things that are working alone and focus on new projects.

Personally, I don't use any tool bars add-ons. I hate the loss of screen space.

Dump Java
by Doh_1 / April 19, 2013 11:25 AM PDT

It'll be around for a long time, but once you remove it you find you don't need it. None of the 3 desktops in my house has had Java installed for some months now, and nobody's missing it.

If you really really really need it, you can re-install it then remove it again *smile*.

But I wouldn't keep it around any more, it's too well exploited now.

Java updates
by jim7davis / April 19, 2013 12:42 PM PDT

I have a Mac and have my computer set to check for updates on a weekly basis from Apple. Of the various updates that frequently come from Apple most of them are for Apple programs such as Safari, Mail, iTunes, Garageband, and so forth. But Apple also supplies Java updates which are fairly frequent and often quite large. I have always installed these updates under the assumption that if Apple thinks they are important enough to send to me, I guess I should install them. I further assume if there was a downside to installing these updates, Apple would let me know.

why are Java updates so large?
by tumbleweed_biff / April 19, 2013 4:50 PM PDT
In reply to: Java updates

The reason they are so large is that an update isn't just a patch applied to the currently installed version, it is a complete replacement of the previous editions. Therefore, each installed version you have will be taking up somewhere around 100 MBs of space - and will download that much data each time it updates.

how safe is it to run programs on your computer?
by fluffylucy / April 19, 2013 12:56 PM PDT

As already stated, Java is a programming language. The difference from most other languages, is that in order to allow for multi platform development, it splits the execution into two stages. Whereas most programs just take control of your machine and do their stuff, Java programs send commands to an intermediary (Java virtual machine) that does this for them. This was done in order to allow the same programs to run on many different operating systems. All you need is to have the JVM on your machine and it allows any Java app to execute. This JVM is what people are talking about installing and uninstalling. The question of safety can likewise be split into two questions. Is the JVM safe? and are the individual Java programs safe?

The answer to the first is relatively simple, Java is about as safe as any programming language/environment/operating system. Holes exist and are patched and new ones are discovered on a regular basis. As long as you keep updated, you can avoid most pitfalls.

The second question has no one answer. Malware programs are written in many different languages and their effectiveness relies on getting you to run those programs. Running a Java applet is as safe or as dangerous as running any other code. Where exactly to operate on the risk/convenience vs safety/inconvenience spectrum is up to each individual. Needless to say that running code (in any language) from hackers anonymous is probably more risky than using a program from a trusted stable source.

There are lots of useful java apps and some websites that use it. If however, you don't use any of them, by all means get rid of the JVM (Java runtime). As others have said, removing Java will give you a good idea of whether you use it or not.

Do i need Java?
by pauly1651 / April 19, 2013 2:33 PM PDT

I drink it every morning, it gives me a boost. Yes, I really need it. Yes, it is safe. I take my Java with natural raw sugar or honey. It tastes better that way. I don't put milk or creamers in my Java, that just spoils the taste.
Oops, sorry, I guess we are talking about Java that is used on computers and stuff. Oh, I don't know, I have it on my PC's, and I haven't noticed any problems. I keep my anti virus software updated and scan a lot.

Do you still have it?
by KPACOTKA / April 19, 2013 2:43 PM PDT

Oh man, I am wondering what for? Java is used only by application software vendors who didn't switch to Python yet. So remove Java from your computer now, and have less headache and happy life.

only by [those] who didn't switch to Python?
by tumbleweed_biff / April 19, 2013 4:54 PM PDT
In reply to: Do you still have it?

As so many posters in this thread, you don't know what you are talking about. Java does far more than Python. I have been an IT professional for 20 years and I have yet to have a headache related to Java - other than ones where I was trying to figure out how to do something I needed to code ...

Python?
by markfilipak / April 20, 2013 11:15 AM PDT
In reply to: Do you still have it?

Very, very few Windows PCs have python installed so I don't know of what applications you speak. Python is mostly used only by servers whereas many Internet games, for example, are written in Java and require the JRE.

Java: What is it? Do I really need it? Is it safe?
by tumbleweed_biff / April 19, 2013 3:16 PM PDT

Java is a combination of two things: a language and an environment.

Java applications execute in a "sandbox", something like a virtual machine which makes it an inherently secure and safe environment. Generally speaking, applications which run or events which occur within Java are unable to affect anything outside of the Java environment - your machine. This is by design.

However, as in all things computing, people have found ways to use Java to cause you/your computer harm, such as the most recent event in February. When these events occur, just like any other language/technology, a solution is found and an update/patch is released. Most Java updates are not security fixes, but are a combination of bug fixes, enhancements, security updates, and other such miscellany. So yes, it is generally safe, exponentially safer than Microsoft's ActiveX and has been historically safer than ANY Microsoft technology to date.

Do you need it? Many programs, especially web programs, are written in Java. In some cases, certain things on web sites won't work. In others, wise developers have written their sites so that if Java isn't available, some other technique is used to provide a similar result. In some cases, this means that the developer has code which runs on the server instead of your local machine, consuming valuable server resources, where having it run in a secure sandbox on your machine performs the actions locally and cheaply.

Java has a further advantage for the software developer. You can write an application in Java and it will run on any machine with a Java runtime. So the same exact program will run on a PC, a Mac, a Unix/Linux server, or any other device running Java, without having to be rewritten/recompiled. This is a huge cost saving advantage to developers since they don't have to worry about what machine/operating system the program will run on, which is also why Microsoft hates it so.

Java is a bit slower than a precompiled program written in something machine/OS dependent like C/C++/etc. but as in all things, it is a trade off.

As I said, Java is safe, inherently more safe than most other environments. There will be occasions when it becomes vulnerable to attacks, but that is why you MUST have the automatic updates turned on and accept any updates released, just like you have to for Windows, or any other environment.

It is, in my experience, better to have it installed than not. As a sometimes Java programmer, I do have a certain bias ...

It has been years since I have had a machine infected by anything untoward, and that was only because I connected a client's device to my network without scanning it first - I forgot my own protocols. I always have an updated antivirus program running (I use Panda Cloud Free), I always access the internet from behind a hardware firewall (your home router usually does this) and I always practice safe Hex: I don't open attachments in emails unless I know what it is and I scan them with at least two virus scanners (I use Malwarebytes as my backup/on-demand scanner).

Most malware comes from one of three sources: Porn sites, on-line gambling, and so-called file-sharing services. In the case of the last, think about it: if someone has hacked the license controls of a program to share it free, what else did they do to the program as well? Do you really think they did it out of the kindness of their hearts to help everyone steal software or do they have some other agenda? Don't engage in any of these three activities, and keep your software up to date, and you will have few problems.

java is everywhere
by sagarubhare / April 19, 2013 3:29 PM PDT

Java is used in all the basic mobile phones even today. Most of the applications on the internet still use java as a plugin; if you remove it, it might cause some applications to run improperly.
Apart from this I don't think there will be any issue if you remove java from your system.

Beef up your security
by chrisallenealing / April 20, 2013 12:12 AM PDT

Java isn't needed most of the time but sometimes you will find that some features of a website will not work without Java. There seems to be a new vulnerability in Java discovered on a regular basis. This isn't much of a problem if:

You keep your system patched and up to date and remove old versions of unpatched software.

Keep an eye on and be informed of the latest vulnerabilities.

Run more than one browser. For regular browsing use a browser without Java enabled. Then when you visit a site that requires Java, switch to your Java enabled browser. That is if you can trust the website!

Beefing up security:

If you've got a compatible firewall you can install Exploit Shield. It will prevent most exploits. You can get it from here:

http://www.zerovulnerabilitylabs.com/home/exploitshield/browser-edition/

However it is a beta product and might flag up a false positive detection from time to time. It doesn't work well alongside some security products. You can find a list of those here:

ExploitShield Compatibility List - Other Security Software.

http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=173

Personally I make use of Microsoft's EMET to harden internet facing applications. You can find it here:

Download Enhanced Mitigation Experience Toolkit v3.0:

https://www.microsoft.com/en-us/download/details.aspx?id=29851

A decent guide on how to set it up can be found here:

Protecting your Windows PC with Microsoft EMET 3.0

http://www.rationallyparanoid.com/articles/microsoft-emet-3.html

If you decide to use it it's important to remember to add any additional internet facing applications in the "Configure Apps" section that you subsequently install at a later date.

However these solutions are not entirely bullet proof although they do offer decent protection when you're running a vulnerable application. You might have forgotten to update or perhaps a vulnerability exists when there is no patch available from the manufacturer. This seems to happen about 10 times per year with Java.

Hope this information helps!

Forensic Advice
by JohnCPR / April 20, 2013 3:01 AM PDT

It is pointless to argue yes or no to a computer program safety question. Some are safer than others.

According to a forensic specialist who presented information at a Microsoft user group, no program can be guaranteed 100% safe. That includes any program including Java. There are hackers who continually try to defeat security, even to the point of disabling a virus program from functioning. Security updates are evidence of hackers getting lucky. There is no point in being paranoid over this because life is full of potential threats. We do the best we can, get on with our lives, and be on the lookout. The advice to go to the web site to download and install an upgrade is a better solution until a hacker gets lucky.

I use two virus programs, one continually in monitor mode, and the other on standby. As was recommended at the forensic presentation, if one fails to find the virus, the other is likely to. I have an experience that when one anti-virus program failed to find the threat in full scan mode, the other did and removed it. When I detect an abnormal performance with my PC, I use full scan mode for both virus programs. If the problem is not solved, I go to the Operating System associated forum for help. It is important to explain the problem as fully as possible.

JohnCPR is correct!
by Glenn51 / April 22, 2013 1:11 AM PDT
In reply to: Forensic Advice

He is 100% right!! There is no 1 program that is impervious to "ANY" type of attack! A hacker will spend weeks/months trying to invade your computing space, stealing your data, your money, whatever! PERIOD!!!

I don't care if you're running MS XP, ME, Vista, Win 7, Win 8, Apple, or any of the Linux variations. How long did the Apple brag and crow about how secure Apple was???? Only to get one or several hackers to successfully infiltrate their Apples!! Not once but 3 times if I'm not mistaken!!

"Regardless" of what many say, it all boils down to "MAXIMUM" impact! I don't know the exact breakdown of market share so don't crucify me for the percentages I'm about to put forth. "Assuming" MS et al. has 75%, Apple 10%, Linux 10% et al., and Chrome 5%, again assuming my guesstimates are even remotely(?) close, other than MS the rest are somewhat secure by nature of least users! I know I'll get drawn over the coals but too bad!

You are secure more by obscurity than programming worth! PERIOD! Even bank robbers go after the main branch rather than the local corner banks! Why??? Because the locals don't have near the cash on hand as the main bank!

Keep bragging, crowing and tooting your horns and maybe several hackers will take you up on your dare and penetrate your "Fort Knox" OS just to shut you up! It happened to Apple! Next??????

Update or at least check for updates to ALL of your programs at regular intervals! Use a good firewall and anti virus programs! I even use a third party program called Malwarebytes Anti Malware! Am I paranoid?? I don't think so!

Two anti-virus utilities...
by JCitizen / April 22, 2013 9:06 AM PDT
In reply to: Forensic Advice

I shall repeat your last statement information using slightly different terms for the benefit of other CNET members who may not be experienced; and I will try to simplify also. There are a few ways to run more than one AV product:

1. As you describe - turn the real time protection mode off on one or the other.

A. One anti-virus monitors system to help prevent infections BEFORE you need to scan.
B. The secondary AV can be used to manually scan your hard drive without real time protection.


2. Use one standard and one other AV that is designed to run concurrently with another AV product.

A. The 1st AV can be any of the well behaved popular anti-viruses, that are not known to be belligerent.
B. The 2nd AV can be a cloud based AV that depends primarily on the cloud based analysts for detection.
Woops!..
by JCitizen / April 22, 2013 9:29 AM PDT

Hit submit before I was ready - I apologize! Blush

At any rate, I've only tested two AV that I know for a fact work well together, and that is Avast and Prevx. Other combinations may work as well or better. I've not tested Panda's solution yet.

I do not recommend removing viruses with Prevx - if you are logged in as a restricted user, as you should be, simply running CCleaner will remove the attack package from your temp files. Otherwise use the resident AV to scan and remove the virus. Prevx will usually block the attack in the 1st place.

If you are a FaceBook member you can get a free version of Prevx with more of its real time protections available - this is called Safe On-Line, I believe, if my memory is correct. It has been awhile but I think the free version of Prevx has enough real time capability to make it worth using it, if necessary.

Immunet is another cloud AV that is gaining a reputation in professional circles - I've not tested it as yet.

And of course there is always the online scanners by all the best companies - you can always invoke one of those to double check the effectiveness of your resident AV product.

You don't need it unless you need it.
by liguorid / April 20, 2013 8:49 AM PDT

There are business applications, for example, that companies presumably pay a good deal of money for, that rely on Java. The one I work for is unfortunately in that situation.

I don't think Libre Office does per se. There may be features that use it, but I don't think basic document creation does. Since Libre Office derives from Open Office, which derives from Star Office, which was a Sun product, it wouldn't surprise me that Java is used. But by "free Word programs" I think the writer was referring to Cloud-based applications (one more reason Cloud apps aren't going to take over any time soon).

If you're certain there isn't anything you need Java for, or that there is a non-Java way of doing everything you need to do, the safest thing to do is probably remove it. If it turns out you do need it (you can always reinstall it if needed) I would echo others in saying absolutely the worst thing you can do is ignore the nags for updates. The more security holes that are popping up for an application the more important it is to keep it patched to the latest updates.
