Java, once touted as the "write once, run anywhere" language, has been knocked around quite a bit these past few months. In theory, a single Java program could run on any Java-supporting platform. That dream never quite came to perfection, though, and these days Java is a favorite attack vector for hackers. The Flashback Trojan breached Macintosh computers via a Java vulnerability last year, for example. In August, researchers at FireEye reported another zero-day vulnerability in Java. In January, a Java vulnerability affected all versions of Java 7, and Polish security researches discovered two more zero-day bugs in late February.

Unless you absolutely need it, you should disable Java now.

Fortunately, Oracle offers a Web page with straightforward instructions on how to turn off Java.

Disable Java in All Browsers

Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.

Disable Java in One Browser

For security's sake you really should be using the very latest Java version. If you're not, or if you need to enable Java in some browsers but disable it in others, you can do that too.

Using Chrome? Enter chrome://plugins in the browser's address bar. Scroll down to Java and click the link to disable it. That was easy, and a bit simpler than Oracle's recommended steps. The process is similar in Opera, which Oracle's page doesn't mention. First, enter about:config in the address bar. Click the Java heading to expand that section, un-check the checkbox, and click the Save button. In Safari, choose Preferences, choose Security, and deselect Enable Java.

The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks.

Firefox users can click the Firefox button at the top and choose Add-ons from the resulting menu. On the Plugins tab, click the Disable button next to "Java(TM) Platform." You can also disable Java for all Mozilla family browsers by un-checking the Mozilla family box in the Java control panel.

Stay Updated

When writing this article, I had a hard time viewing the new feature that Oracle added in Update 10. Why? Because I had disabled Java and figured I didn't need to update it. That was lazy thinking; I've reformed. At any time you might find you need Java, perhaps for a Web meeting, or a remote-control tech support session. If you don't want to let Java update automatically, you can check for updates from the Java Control Panel at any time.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you'll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

Further Reading

Security Reviews