Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is having java installed safe?


  • Please log in to reply
31 replies to this topic

#1 Hermesx

Hermesx

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 05:23 PM

I would like to play a computer game that requires java with some of my friends but the security of Java the last time I had used it is concerning me and causing me to delay installing it.

 

My general question is: Is having java installed safe?

 

I am very vigilant with keeping software updated but am still concerned with the overall security of Java after the big security thing last April. I did not have java turned off and may have gained an infection from that which is why I'm so wary about it.

 

More specific question: If I were to install java on to my computer and disable it in my main browser and only enable it in another browser that was specifically dedicated to playing the game, would I still be risking it?

So pretty much, even if I only use it on one certain thing, will having it installed on my computer still be cause for concern and pose security risks?

 

Or, in your opinion am I over thinking this greatly and should just not worry about it. :P

 

Thanks, Hermes


Edited by Hermesx, 05 February 2014 - 05:24 PM.

I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


BC AdBot (Login to Remove)

 


#2 Netghost56

Netghost56

  • Members
  • 973 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:11:17 AM

Posted 05 February 2014 - 05:28 PM

It's as safe as being on the internet... :P



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 05:43 PM

Using Java is an unnecessary security risk...especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system.Although, Java is commonly used in business environments and many VPN providers still use it, the average user does not need to install Java software.
* Why You don't need Java
* W3Techs usage statistics and market share data of Java on the web
* Java: should you remove it?

I recommend just uninstalling Java if you don't use it.

If you're going to use Java, many security researchers and computer security organizations caution users to limit their usage and to disable Java Plug-ins or add-ons in your browsers.
* How to disable Java Plug-ins or add-ons in common web browsers .
* How to turn off Java on your browser

Also make sure you are using the most current version. Older unpatched versions of Java and other popular software like Adobe (Reader, Flash Player, Shockwave Player) Apple iTunes, Quick Time, VLC Media Player all are vulnerable to exploits and require frequent updating with security patches or you increase the risk of system infection.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 06:15 PM

Quietman I appreciate the information but you seem to have missed my question and closing statement 

 

More specific question: If I were to install java on to my computer and disable it in my main browser and only enable it in another browser that was specifically dedicated to playing the game, would I still be risking it?

So pretty much, even if I only use it on one certain thing, will having it installed on my computer still be cause for concern and pose security risks?

 

Or, in your opinion am I over thinking this greatly and should just not worry about it.  :P

 

Could you elaborate a little on this? I appreciate that you have given me some info, but if you would consider my idea on only using it with a single browser and only using that browser for one thing, would it still pose security risks to my computer even if I kept it up to date and used it exactly as I previously mentioned?

 

Thanks Quietman, Hermes :)


I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 07:06 PM

You would still be at some risk of an exploit while using Java on the one browser and need to be careful of fake updates.

With that said, the risk would be minimal as you intend to use it because you are limiting it's usage as recommended.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 07:09 PM

When you are saying "fake updates", can you explain and possibly elaborate a bit more on that part?

 

Glad to hear that I would be greatly decreasing my risk by doing that though. :)


I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 07:19 PM


Microsoft warns users to be wary of fake Java updates
Malware Disguised as Java Update: Careful What You Download!
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 07:24 PM

Curious question regarding this.

If the user has avast which includes the software updater which automatically updates all software, should this concern me?

Also, doesn't Java come with an updater that is installed as a program?


I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 08:10 PM

Yes Java has an updater. When I used it years ago...I did not allow it to update. In fact I do not allow any programs to automatically update on their own. I check regularly check Calendar of Updates daily so I know when updates are released for programs I use.

I have avast installed on my wife's computer and have the software updater disabled. Again I want to be in control of the update process. Further, that feature can be a nuisance and IMO it's essentially there for those don't pay much attention to security.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 08:16 PM

Taking that into account, but also reading the article that you have sent me about the fake updates,

 

Would you recommend that I use the Java updater (which ensures that I will indeed the legitimate update), over risking the chance of downloading a fake update or vice versa?

 

Also, may you please explain to me exactly how security vulnerabilities in Java would be exploited?

 

Example: If Java is installed on a computer but is never used, is it a security risk if it is just sitting there? Or, is it more like if I were to visit a malicious website, it could use the security hole as a way into my pc. Can you elaborate? :)


I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 08:53 PM

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder for quick execution later and better performance. Both legitimate and malicious applets (malicious Java class files) are stored in the Java cache directory and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in Java which could be used to allow adware, phishing programs or other types of fraudulent software to be installed on a computer.

The Java Security Exploit in (Mostly) Plain English

Java Critical Patch Updates, Security Alerts lists and explains vulnerabilities and patches on a regular basis.

BTW, when I used Java and saw an update was released, I went directly to the Java web site and manually downloaded the new version from there so I could install it.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 05 February 2014 - 09:10 PM

Based on the information that you have provided me with, do you believe that if I am always on alert for new updates and only run Java in an alternate browser that is used for only one thing, do you believe that my risks/worries are very minimal/non-existent?

 

Please give your experienced opinion on why or why not. :)

 

So far the arrow for me is pointing to yes, because I will be using the precautions of using an alternate browser, keeping it up to date and disabling it on my main browser. But I value your opinion greatly over mine so I request that you would give your honest opinion on whether or not I should.

 

Thanks, Hermes B)


Edited by Hermesx, 05 February 2014 - 09:12 PM.

I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)


#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,597 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:17 PM

Posted 05 February 2014 - 09:53 PM

Yes the risks would be minimal. What you plan on doing is one of the recommendations for those who need to use Java.

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

KrebsOnSecurity: Oracle Ships Critical Security Update for Java

Doing that and manually downloading an update from the Java website when they are released is the best practice IMO.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 Kilroy

Kilroy

  • BC Advisor
  • 3,408 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:11:17 AM

Posted 06 February 2014 - 11:31 AM

What browser do you use?  Ideally you would use a script blocking add on like NoScript for Firefox which would block all scripts unless you enable them.  Right now Java and Flash are huge attack vectors and keeping up to date isn't enough. Zero day exploits appear on a regular basis leaving you at risk until the software is updated.

 

The chance of you getting infected due to Java are influenced by the type of web browsing that you do.  If you only go to a few well trusted sites you should be fine.  If you click on all of the link bait and practice other unsafe browsing habits you are more likely to have your machine compromised.



#15 Hermesx

Hermesx
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:17 AM

Posted 06 February 2014 - 03:07 PM

So RKilroy, what is your opinion on if I use the strategies I have mentioned a few times in this thread, do you agree with quietman that my risks will be minimal?

 

Strategy: 

 

 

because I will be using the precautions of using an alternate browser, keeping it up to date and disabling it on my main browser.

 

On that alternate browser that has java enabled I will only be visiting one site and will have Java disabled on my main browser where I visit any other websites.

 

I realize that I may be asking you to repeat your earlier statements with a small bit of variation which I apologize in advance for.

 

That being said, what is your opinion?

 

Also, Quietman I am glad to hear that you agree that my strategies are "the best practice IMO" and that you believe that my risks will also be minimal. Thank you for your time Quietman. :)


Edited by Hermesx, 06 February 2014 - 03:08 PM.

I appreciate all the help that anyone ever provides me with. Thank you to everyone that has assisted me in the past. :)





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users