No, Seriously, Just Disable Java in Your Browser Right Now

Future Tense
The Citizen's Guide to the Future
Jan. 14 2013 11:49 AM

No, Seriously, Just Disable Java in Your Browser Right Now

Java applet message
The annoyance of this occasional notification on websites that use Java is nothing compared to the misery of a malware infection, say security experts.

Screenshot /

The last time hackers found a hole in Java’s browser plugin so bad that it sparked a warning from Homeland Security—which was less than five months ago, mind you—I wrote that you should “probably disable Java on your browser right now.” If you read that post and took action, then you were free to breathe easy this past weekend, when yet another critical Java zero-day vulnerability left hundreds of millions of Internet users potentially vulnerable to malware attacks. If you didn’t, well, now’s your chance.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

The latest security flaws, which were widely publicized last week, once again gave cyber-crooks the ability to use Java applications to take control of your computer if you visited a hacked website. Oracle—which inherited Java when it bought Sun Microsystems in 2010—issued an emergency update on Sunday that attempts to patch the holes.


That might sound like a prompt response, until you consider that security researchers allegedly notified the company about the bug months ago. Or that the patch apparently leaves in place weaknesses that criminals could still exploit. Or that this is just the latest in a long string of Java problems that have made the language the overwhelming top choice for software-based computer hacks. According to Reuters, the security firm Kaspersky Lab estimates that Java was used in 50 percent of all attacks in which hackers broke into computers by exploiting software bugs.

So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you’re one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.

As noted before, disabling the Java plug-in on your Web browser doesn’t require uninstalling it from your machine entirely, and it won’t prevent you from Java-based software outside of your Web browser. It just means that you’ll see an image like the screenshot above when you happen to visit one of the relatively few remaining websites that use Java applets. If you find you really need it for some sites, you can always disable it in your main browser but keep it enabled in a secondary browser that you use just for those sites.

Basic instructions for unplugging Java from your browser are below, and more comprehensive how-tos are available here and here. Note: Do not confuse Java with Javascript, which is unrelated and is essential to the proper functioning of far more websites. Disable Java, but leave Javascript enabled. If you have more questions, the blog Krebs on Security has an excellent FAQ here. (No, you aren’t necessarily safe just because you don’t visit sketchy websites, or because you’re using Linux or a Mac.)

Lest you think disabling Java in your browser is too extreme a step, consider that both Apple and Mozilla responded to the latest vulnerability by essentially doing just that. You can do the same. It's easy. And next time everyone is freaking out about a new Java hack, the only decision you'll face is whether to nod sympathetically or smugly.

To unplug Java:

  • In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
  • In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
  • In Chrome, type or copy "Chrome://Plugins" into your browser's address bar, then click the "Disable" button below any Java plug-ins.
  • In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

Ryan Gallagher has more on zero-day exploits, how they work, and what could be done about them in a new Future Tense article available here.

Future Tense is a partnership of SlateNew America, and Arizona State University.



Forget Oculus Rift

This $25 cardboard box turns your phone into an incredibly fun virtual reality experience.

Stop Panicking. America Is Now in Very Good Shape to Respond to the Ebola Crisis.

The 2014 Kansas City Royals Show the Value of Building a Mediocre Baseball Team

The GOP Won’t Win Any Black Votes With Its New “Willie Horton” Ad

Sleater-Kinney Was Once America’s Best Rock Band

Can it be again?


Smash and Grab

Will competitive Senate contests in Kansas and South Dakota lead to more late-breaking races in future elections?

I Am 25. I Don’t Work at Facebook. My Doctors Want Me to Freeze My Eggs.

These Companies in Japan Are More Than 1,000 Years Old

  News & Politics
The World
Oct. 21 2014 11:40 AM The U.S. Has Spent $7 Billion Fighting the War on Drugs in Afghanistan. It Hasn’t Worked. 
Business Insider
Oct. 21 2014 11:27 AM There Is Now a Real-life Hoverboard You Can Preorder for $10,000
Oct. 21 2014 11:37 AM What Was It Like to Work at the Original Napster?
  Double X
The XX Factor
Oct. 20 2014 6:17 PM I Am 25. I Don't Work at Facebook. My Doctors Want Me to Freeze My Eggs.
  Slate Plus
Tv Club
Oct. 20 2014 7:15 AM The Slate Doctor Who Podcast: Episode 9 A spoiler-filled discussion of "Flatline."
Brow Beat
Oct. 21 2014 11:34 AM Germans Really Are More Punctual. Just Ask Angela Merkel.
Oct. 21 2014 10:43 AM Social Networking Didn’t Start at Harvard It really began at a girls’ reform school.
  Health & Science
Climate Desk
Oct. 21 2014 11:53 AM Taking Research for Granted Texas Republican Lamar Smith continues his crusade against independence in science.
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.