Disable Java? Here's how, after US agency warns of software 'vulnerability.'

To prevent cyber crime, the Department of Homeland Security advises Americans to temporarily disable Java 7 software, commonly used in Web-browser programs. 


(Updated Saturday, Jan. 12, at 3:30 p.m. EDT.)

With an eye on the security of millions of Internet users, the US Department of Homeland Security is advising Americans to temporarily disable Java, software commonly used in Web-browser programs.

It’s not that Java itself contains a malicious computer virus. The problem is what the agency calls a software “vulnerability,” a kind of open door for hackers to infiltrate a computer. That can result in identity theft or other bad things happening on your computer.

The urgent warning, in response to known hacker activity, comes from the US Computer Emergency Response Team, or US-CERT, a part of the Homeland Security Department. [Editor’s note: This paragraph and the following contain corrected wording, to clarify the distinction between US-CERT and CERT.]

“We are currently unaware of a practical solution to this problem,” said a notice released this week by CERT, a group at Carnegie Mellon University in Pittsburgh, which often provides technical services to US-CERT.

The recommendation highlights the rising threat level in the realm of cybersecurity, and the growing efforts to make devices and networks more secure. The vulnerability in Java is just one piece of that puzzle, but it’s significant because the software is so widely used in Web browsing.

If you want to follow US-CERT’s advice and disable Java, how do you do that?

First, if you use a Mac computer from Apple, the answer appears to be simple. According to reports by technology websites including MacRumors.com, Apple has already moved to force a disabling of Java on Macs with the OS X operating system.

For other computer users, a first step may be to check what version of Java you're running. The US-CERT announcements focus on Java 7. Computer-security blogger Brian Krebs notes some uncertainty about whether other versions going back to Java 4 are affected. But he points to evidence suggesting the problem is limited to version 7.

Oracle, the owner of Java, said on Twitter that the problem is limited to "JDK7," or version 7, and that it hopes to have a fix available "shortly." (JDK stands for Java Development Kit.)

Mr. Krebs suggests that Internet users visit a Java Web page where they can confirm whether the software is running on their machines, and which version. Click the “Do I have Java” link, which is below a big red “download” button.

Now, if you have a version of Java you want to disable, here’s what US-CERT said Thursday: “Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.”

Citing a document from Oracle (Java’s corporate owner), CERT describes the following steps:

1) Make sure you have Java 7 Update 10. If not, you can upgrade. (A quick reminder: As this story just noted, if you have version 6 or prior, you may not want to upgrade or disable Java for now.)

2) Go to the Java control panel.

3) In the Security tab, de-select “Enable Java content in the browser.”
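For anyone checking more than one machine, the version guidance in this story can be applied to the banner that `java -version` prints. The following is an added example, not code from US-CERT, CERT or Oracle; the function names and sample banners are constructed for illustration, and it assumes the legacy "1.<major>.0_<update>" version scheme used by Java 7 and earlier.

```python
import re

# Matches the quoted version in the banner printed by `java -version`,
# e.g.  java version "1.7.0_09"  (legacy 1.<major>.<minor>_<update> scheme).
_BANNER = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None."""
    m = _BANNER.search(banner)
    if not m:
        return None
    # A release with no "_NN" suffix (e.g. "1.7.0") is treated as update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def triage(banner):
    """Map a version banner to the action this story describes."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown: could not read a Java version"
    major, update = parsed
    if major <= 6:
        return "version 6 or prior: may not want to upgrade or disable for now"
    if major == 7 and update >= 10:
        return "Java 7u%d: disable in Java control panel, Security tab" % update
    if major == 7:
        return "Java 7u%d: upgrade to Update 10 or use browser-specific steps" % update
    return "Java %d: not covered by this story" % major


# Constructed sample banners (not captured from real machines).
SAMPLES = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    'java version "1.7.0_09"',
    'java version "1.7.0"',
    'java version "1.6.0_38"',
    "'java' is not recognized as an internal or external command",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner.splitlines()[0], "->", triage(banner))
```
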

If you can’t upgrade to Update 10, CERT says to see a different "vulnerability note" it wrote for browser-specific instructions on disabling Java.

Beneath the “solution” heading in that note, you can search for the name of the browser program you use.

The note says the process of disabling Java is “significantly more complicated” if Microsoft’s Internet Explorer is your browser. An expedient answer may be to temporarily use a different browser. Computer experts generally advise less sophisticated users not to try adjusting their computer’s registry, which some of CERT’s Explorer-related options require.

CERT's security warning also includes some added advice and context that's helpful to keep in mind.

"An effective way of mitigating risk of web browsing is to use separate browsers for different activities online. For example, if you do online banking, choose a browser to use for banking and nothing else," the note says. "This can help minimize the risk of a malicious web page being able to interfere with the banking activity."

CERT says the same concept can be applied to Java. If you have a must-use website that requires Java for its functioning, then configure one browser to be Java-enabled, and only use that browser for accessing that trusted site.

Finally, blogger Krebs notes that the Java software in the news is distinct from something else, called JavaScript. But JavaScript has its own security gaps. For his part, Krebs suggests disabling JavaScript, and then selectively enabling it for use on specific websites where you know you want to use it.
