No, Seriously, Just Disable Java in Your Browser Right Now

The Citizen's Guide to the Future
Jan. 14 2013 11:49 AM

No, Seriously, Just Disable Java in Your Browser Right Now

Java applet message
The annoyance of this occasional notification on websites that use Java is nothing compared to the misery of a malware infection, say security experts.

Screenshot /

The last time hackers found a hole in Java’s browser plugin so bad that it sparked a warning from Homeland Security—which was less than five months ago, mind you—I wrote that you should “probably disable Java on your browser right now.” If you read that post and took action, then you were free to breathe easy this past weekend, when yet another critical Java zero-day vulnerability left hundreds of millions of Internet users potentially vulnerable to malware attacks. If you didn’t, well, now’s your chance.

Will Oremus Will Oremus

Will Oremus is Slate's senior technology writer.

The latest security flaws, which were widely publicized last week, once again gave cyber-crooks the ability to use Java applications to take control of your computer if you visited a hacked website. Oracle—which inherited Java when it bought Sun Microsystems in 2010—issued an emergency update on Sunday that attempts to patch the holes.


That might sound like a prompt response, until you consider that security researchers allegedly notified the company about the bug months ago. Or that the patch apparently leaves in place weaknesses that criminals could still exploit. Or that this is just the latest in a long string of Java problems that have made the language the overwhelming top choice for software-based computer hacks. According to Reuters, the security firm Kaspersky Lab estimates that Java was used in 50 percent of all attacks in which hackers broke into computers by exploiting software bugs.

So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you’re one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.

As noted before, disabling the Java plug-in on your Web browser doesn’t require uninstalling it from your machine entirely, and it won’t prevent you from Java-based software outside of your Web browser. It just means that you’ll see an image like the screenshot above when you happen to visit one of the relatively few remaining websites that use Java applets. If you find you really need it for some sites, you can always disable it in your main browser but keep it enabled in a secondary browser that you use just for those sites.

Basic instructions for unplugging Java from your browser are below, and more comprehensive how-tos are available here and here. Note: Do not confuse Java with Javascript, which is unrelated and is essential to the proper functioning of far more websites. Disable Java, but leave Javascript enabled. If you have more questions, the blog Krebs on Security has an excellent FAQ here. (No, you aren’t necessarily safe just because you don’t visit sketchy websites, or because you’re using Linux or a Mac.)

Lest you think disabling Java in your browser is too extreme a step, consider that both Apple and Mozilla responded to the latest vulnerability by essentially doing just that. You can do the same. It's easy. And next time everyone is freaking out about a new Java hack, the only decision you'll face is whether to nod sympathetically or smugly.

To unplug Java:

  • In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
  • In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
  • In Chrome, type or copy "Chrome://Plugins" into your browser's address bar, then click the "Disable" button below any Java plug-ins.
  • In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

Ryan Gallagher has more on zero-day exploits, how they work, and what could be done about them in a new Future Tense article available here.

Future Tense is a partnership of SlateNew America, and Arizona State University.



More Than Scottish Pride

Scotland’s referendum isn’t about nationalism. It’s about a system that failed, and a new generation looking to take a chance on itself. 

What Charles Barkley Gets Wrong About Corporal Punishment and Black Culture

Why Greenland’s “Dark Snow” Should Worry You

Three Talented Actresses in Three Terrible New Shows

Why Do Some People See the Virgin Mary in Grilled Cheese?

The science that explains the human need to find meaning in coincidences.


Happy Constitution Day!

Too bad it’s almost certainly unconstitutional.

Is It Worth Paying Full Price for the iPhone 6 to Keep Your Unlimited Data Plan? We Crunch the Numbers.

What to Do if You Literally Get a Bug in Your Ear

  News & Politics
Sept. 16 2014 7:03 PM Kansas Secretary of State Loses Battle to Protect Senator From Tough Race
Sept. 16 2014 4:16 PM The iPhone 6 Marks a Fresh Chance for Wireless Carriers to Kill Your Unlimited Data
The Eye
Sept. 16 2014 12:20 PM These Outdoor Cat Shelters Have More Style Than the Average Home
  Double X
The XX Factor
Sept. 15 2014 3:31 PM My Year As an Abortion Doula
  Slate Plus
Slate Plus Video
Sept. 16 2014 2:06 PM A Farewell From Emily Bazelon The former senior editor talks about her very first Slate pitch and says goodbye to the magazine.
Brow Beat
Sept. 16 2014 8:43 PM This 17-Minute Tribute to David Fincher Is the Perfect Preparation for Gone Girl
Future Tense
Sept. 16 2014 6:40 PM This iPhone 6 Feature Will Change Weather Forecasting
  Health & Science
Medical Examiner
Sept. 16 2014 11:46 PM The Scariest Campfire Story More horrifying than bears, snakes, or hook-handed killers.
Sports Nut
Sept. 15 2014 9:05 PM Giving Up on Goodell How the NFL lost the trust of its most loyal reporters.