NPR : News

Filed Under:

Java Security Flaw Is Repaired; Experts Still Recommend Disabling It

Days after the Department of Homeland Security said computer users should remove the latest versions of its Java software, Oracle Corp. says it has fixed the flaw, in a new update released Monday. As we reported Friday, hacking groups included the Java 7 vulnerability in new "exploit kits" this year.

Oracle provides instructions for updating to Java 7, update 11 on its website, saying the update raises the default security level for Java applets from Medium to High — which means that "the user is always warned before any unsigned application is run to prevent silent exploitation," the company says in its release notes.

But the experts who highlighted the Java 7 flaw say that even though it's fixed, users should beware, as other security problems could arise in the software.

"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating," recommends Carnegie Mellon University's CERT computer security site.

News of the Java 7 flaw, which can allow hackers to take over a computer, worried many of the millions of people whose computers use the software. It also set off confusion, and calls for Oracle to "rewrite Java from scratch," as PC World reports.

Even as the U.S. Computer Emergency Readiness Team recommended updating Java 7 to combat the flaw, the agency also said Monday that "new Java vulnerabilities are likely to be discovered" — and people should still consider disabling Java in their browsers. Some experts say you should simply remove it entirely — or perhaps keep Java on only one browser, for use on specific sites.

Here's a quick reference of options, from disabling to uninstalling, and other factors:

Disable Java In Browsers

  • Oracle has full instructions for those with Java 7 on PCs, Macs, or Linux.
  • Disable Java in Firefox - instructions from Mozilla recommend clicking on the Firefox button (or "Tools" in Windows XP) and selecting "Add-ons." Click on "Plugins" and then Java (TM). Select "disable" (or un-click "enable").
  • Disable Java in Chrome - Type or paste chrome://plugins/ into your browser's window. Scroll to Java (TM), and click "Disable." Be sure to disable all versions.
  • Disable Java in Safari - instructions at Apple. Select Preferences, and then the Security tab. Un-click the checkbox labeled "Enable Java."
  • Disable Java in Internet Explorer - instructions at Microsoft's site. Java 7.10 and 7.11 (the newest versions) allow users the easiest path to turning Java off. But fully disabling Java on Explorer can be complicated, leading many experts to recommend removing the program entirely.

Uninstall Java Completely

Many people say they can disable or delete Java completely, and not miss it. One of them is security expert Brian Krebs, who Monday praised Oracle for acting quickly — but still recommended uninstalling Java.

Oracle has instructions for doing that on computers that run Windows XP, Vista, or Windows 7. On a separate page, it addresses uninstalling Java on a Mac — specifically, taking Java 7 off of a machine running OS X.

if you're unsure of whether your computer is running Java, Oracle has a page specifically meant to "test whether Java is working." Another website,, can help you figure out which versions of Java you have.

What About Older Versions Of Java?

Oracle says you should uninstall older versions of Java, as keeping old versions "presents a serious security risk." Because of the way updates were once handled, you might have several out-of-date versions of Java on your machine.

Oracle has a webpage with instructions on uninstalling old versions.

That might present a problem to some folks, especially if they sometimes use business software that requires an older version. This situation most often leads people to keep one browser specifically for Java.

Java vs. Javascript: The Java 7 security flaw does not affect JavaScript. While they're both programming languages, they're not as closely related as their names imply.

Java, developed by Sun Microsystems, is far more complex and independent — and thus poses more risk if hackers find a way to misuse it. By contrast, JavaScript, developed by Netscape, is used mostly within HTML to make web pages more interactive.

Copyright 2013 National Public Radio. To see more, visit


Out Of Juvenile Corrections, Poems Of Fury, Loss — And Lingering Beauty

Over 1,000 students submitted their work for Words Unlocked, a poetry contest for juveniles in corrections. Two young poets split the top prize — and they've shared their poems with NPR.

Farmers Wait, And Wait, For Guest Workers Amid H-2A Visa Delays

For the third year in a row, the H-2A visa program is running behind. That's left farmers waiting for planters and pickers even as the harvest season is well underway.

Guns Strike Emotional Chords For People On Both Sides Of The Political Debate

Both Donald Trump and Hillary Clinton have been talking a lot about guns recently. But how much will that issue matter with voters in November?

After Breast Cancer Diagnosis, She Channeled Her Ups And Downs Into Texts

NPR's Scott Simon talks with Natalie Sun about her project, The website won a Webby award, and documents her pessimism and optimism while undergoing chemotherapy.

Leave a Comment

Help keep the conversation civil. Please refer to our Terms of Use and Code of Conduct before posting your comments.