Wednesday, August 29, 2012

How to Unplug Java from the Browser

Java (specifically the browser plugin) is a huge backdoor into anybody's system.
The following is quoted from Krebs on Security, "How to Unplug Java from the Browser":
http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

Below are instructions for unplugging Java from whatever Web browser you may use to surf the Web. These instructions were originally posted as a how-to in response to this piece: Attackers Pounce on Zero-Day Java Exploit. 

For Windows users: 

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word "Java" in them. Restart the browser.
Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type "Java". A box labeled "Content settings" should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the "Disable individual plug-ins" link, find Java in the list, and click the disable link next to it.
Internet Explorer: Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Response Team (USCERT) lists the following steps, which may or may not completely remove Java from IE:
In the Windows Control Panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "Enabled" for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
- Click the Start key and type "regedit" in the search box. Double-click the regedit program file when it appears. Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example). If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0. 
- Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out. 
For Mac users: 
Safari: Click Preferences, and then the Security tab (uncheck "Enable Java").
Google Chrome: Open Preferences, and then type "Java" in the search box. Scroll down to the Plug-ins section, and click the link that says "Disable individual plug-ins." If you have Java installed, you should see a "disable" link underneath its listing.
Firefox: Click Tools, Add-ons, and disable the Java plugin(s). 
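The US-CERT registry change for Internet Explorer has to be repeated for every JRE version subkey (a new one appears with each Java update) and, on 64-bit Windows with 32-bit Java, under Wow6432Node as well. The PowerShell script below does that in one pass and then verifies the result. It is an added example, not code from the Krebs article or from US-CERT; it assumes only the key and value names quoted above and that it is run from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example: set UseJava2IExplorer=0 for every installed JRE version,
# under both the native hive and the Wow6432Node hive (32-bit Java on
# 64-bit Windows). Key and value names are the ones US-CERT lists above.
# Run from an elevated PowerShell prompt.

$hives = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) {
        Write-Host "Not present (no Java of that bitness installed): $hive"
        continue
    }
    # Each subkey under "Java Plug-in" is one JRE version, e.g. 10.6.2
    Get-ChildItem -Path $hive | ForEach-Object {
        $key = $_.PSPath
        $before = (Get-ItemProperty -Path $key -Name 'UseJava2IExplorer' `
                   -ErrorAction SilentlyContinue).UseJava2IExplorer
        # Creates the DWORD if a version subkey does not have it yet
        Set-ItemProperty -Path $key -Name 'UseJava2IExplorer' -Value 0 -Type DWord
        Write-Host ("{0}: UseJava2IExplorer {1} -> 0" -f $_.PSChildName, $before)
    }
}

# Verification pass: anything still non-zero is reported as a warning
$stillEnabled = 0
foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    Get-ChildItem -Path $hive | ForEach-Object {
        $v = (Get-ItemProperty -Path $_.PSPath -Name 'UseJava2IExplorer' `
              -ErrorAction SilentlyContinue).UseJava2IExplorer
        if ($v -ne 0) {
            Write-Warning "$($_.PSChildName) still has UseJava2IExplorer=$v"
            $stillEnabled++
        }
    }
}
if ($stillEnabled -eq 0) { Write-Host 'Java plug-in disabled for IE on all listed JRE versions.' }
```

Close and reopen Internet Explorer after running it. Because a Java update adds a fresh version subkey (with the plug-in enabled again), re-run the script after each update, and confirm in javacpl.exe that "Microsoft Internet Explorer" under "Default Java for browsers" is now unchecked.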

Mozilla has taken the bold step of telling all Firefox users to disable Java while Oracle casually develops its fix, with the Firefox maker working on adapting its code so that all users running the exploitable version of Java will have the plugin automatically disabled for them.

By default, Firefox allows Java applets to launch automatically. However, you may decide that you do not want Java applets to run. To disable Java applets in Firefox:
At the top of the Firefox window, click on the Firefox button (Tools menu in Windows XP), and then click Add-ons. The Add-ons Manager tab will open.
In the Add-ons Manager tab, select the Plugins panel.
Click on the Java (TM) Platform plugin to select it.
Click on the Disable button (if the button says Enable, Java is already disabled).
Java applets will no longer be permitted to launch in Firefox.

You can go to http://www.isjavaexploitable.com/ to see if Java is enabled in your browser. And to test what version of Java you are using, you can go here:
http://javatester.org/version.html

There is one other way to contain this Java exploit not mentioned in the article above: isolation tools such as Deep Freeze (commercial; it restores the system to a clean state on reboot) and Sandboxie (freeware; it runs the browser in a sandbox so that whatever a malicious applet writes is thrown away with the sandbox). Note that these limit the damage and persistence of an infection rather than stopping the exploit itself: the applet still runs, so anything it can read or send out during that session is still exposed.

In Chrome you can also set Java to "click to play", meaning that when a website wants to use Java (you can do the same for Flash) Chrome just displays a grey box saying "Click to run plugin". So if you are on a trustworthy site that requires Java you can just click and use it. To enable "click to play", go to chrome://plugins/ and uncheck "Always allowed" for Java, but don't disable it.


If you are really security-conscious, you can set your web browser to only run plugins on your click.
In Firefox: Open a new tab, type this into address bar:
about:config?filter=plugins.click_to_play
Click "I'll be careful, I promise!"...
Double click the line to set the value to TRUE.
NOTE: If you want to automatically enable plugins for a certain domain (such as http://youtube.com ), follow this.
In Chrome: Open a new tab and type chrome://chrome/settings/content into the address bar (or open Settings, scroll to the bottom, click "Show advanced settings", then click the Privacy -> Content settings button).
Scroll down to Plug-ins, select the "Click to play" radio button and press OK.
In Opera: Press CTRL + F12
Go to Advanced -> Content.
Tick the box that says "Enable plug-ins only on demand" and press OK.

You could use the NoScript extension for Firefox (or a similar add-on) to block Java on every site except the sites that you trust. Or you can install the QuickJava extension to quickly enable Java when you want to go to a trusted site that uses Java (or play RuneScape) and disable it when you are done. A caveat on NoScript: by default it also blocks Javascript, so you will have to whitelist the sites you use.


This solution was also suggested on Krebs on Security:
If you primarily use Java because some Web site, or program you have on your system — such as OpenOffice or Freemind — requires it, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

Chrome has a built-in sandbox for its renderer processes. However, Java runs as an NPAPI plugin outside that sandbox, so Chrome's sandbox does not stop this Java exploit.


Java is very widely used on the server side by tech companies like Google, LinkedIn and Twitter, as well as for web-facing business applications. Google does not use Java exclusively; in fact, each of their services uses whatever tools fit its purpose. When you're a huge company, you have that luxury. Twitter is actually transitioning to Java. 

Applets are supposed to run inside the Java sandbox, which the JRE enforces with its SecurityManager: an untrusted applet that a web page loads is downloaded and run on your machine without any install prompt, but it is meant to have no ability to read, alter or create files. This exploit escapes that sandbox. The malicious applet abuses a flaw in the JRE to turn the security checks off and then runs with the full privileges of your user account, so it can read, create and delete files on every drive you can reach.

Javascript isn't Java. One is a browser scripting language, while the other is a general-purpose programming language that can run inside the browser only when the Java plugin is installed and enabled. You need Javascript for many websites to function properly. Java applets are used on far fewer sites now, so blocking the Java plugin rarely breaks anything.

The main idea behind Java was to create a language that would be "portable". In other words, a program written in Java can be distributed to people running different operating systems, including Mac OS, Windows, Linux and others. It does this because another piece of software, known as the Java Virtual Machine, or JVM for short, sits between your operating system and the application. JRE stands for Java Runtime Environment and includes the JVM.

The vulnerability in question concerns Java applets. An applet is a Java program that runs in your browser to make web pages interactive. You need the Java plugin enabled in your browser for it to work, and there have been many security complaints about applets over the years. I hope I'm not wrong on this. But if I am, do correct me for everyone's benefit. 
