Java Runtime Environment (aka Java, Java RE, Java SE, JRE) is a common plug-in in all web browsers. Sadly, it has become a major target for malware, surpassing even Adobe's infamous Flash Player and Reader. It is mainly because older versions are still installed on users' computers, and slow automatic updates.
The first cause is often not even users' fault as Java installer does not remove most older versions automatically. Yep, that's right - many computers have 5 or more versions of Java installed! And that's what makes these PCs an easy target for hackers.
The second cause is again really strange. The automatic updates schedule of Java is like Brainiacs' episode of "Things... but very slowly". The default schedule activates the updater only once a week, and if your computer is not turned on at that time, there will be no checks at all! Hey Oracle, fix this now (not very slowly)!
To keep Java and many other important programs updated automatically, it is best to use the free program called Secunia PSI. You can also visit the Browser and Plug-in Check page to see if the installed version is up-to-date.
To easily protect your Windows PC from hackers that try to exploit bugs in Java, learn about free Microsoft EMET.
To get the latest version of JRE, go to Java download page and click the Windows Offline (32-bit) link.
Please note that even on 64-bit Windows (x64 editions), installing only the 32-bit JRE is recommended: most web browsers and plug-ins/add-ons support 32-bit (x86) only. If you do have both 32-bit and 64-bit Java installed, you must download and update these separately.
After download is complete, launch the setup program. Click Install.
Now that's what I like - no series of Next buttons! Just click Close after the install is complete.
Cool, you now have the latest version of Java installed! Continue with next very important steps below.
Until Java Runtime Environment 7 update 10 there were no really usable security settings available in Java's Control Panel applet, but since that version Java allows prompting or blocking apps that are not digitally signed. Generally, only the latest version of Java is now considered secure and all older ones result in prompts each time a browser tries to load some Java content.
To configure Java security settings, open Control Panel and double-click Java. On 64-bit Windows, the applet is named Java (32-bit) or Java (64-bit), and you might see both listed. This also means that you have to configure both separately.
Windows XP users might have to click the Switch to Classic View link on the left to see it listed. Windows Vista, 7 and 8 users can simply type "java" (without quotes) into Control Panel's Search box.
Java Control Panel window opens. Open Security tab and make sure that Security Level slider is set to at least High (minimum recommended).
Since Java 7 update 21, a prompt appears even if Java is up to date (considered secure) and the applet is properly signed - but you can use a check box to trust the applet. If Java version is out of date, a prompt for each Java app appears, and multi-click prompts for unsigned Java apps are used.
By the way, the first check box - Enable Java content in the browser - allows completely turning off Java support in all installed web browsers. Some programs, such as Freeplane, OpenOffice.org or LibreOffice require Java for some functionality. Now you can install Java without worrying about possible security holes - just clear the check box and Java support in web browsers is gone. You still need to restart all browser windows if any of these were open.
Click OK to apply changes and close the window.
Since Java 7 update 51 you can manage Exception Site List. This means that Java will run on these sites after appropriate security prompts even if Java is outdated.
You should be extremely cautious about adding non-corporate sites to this list, though: your computer might get infected with malware while using outdated Java!
Please click Edit Site List and double-check that the list is empty.
Another usable button in Java Control Panel (JCP) is Restore Security Prompts. This allows resetting trust (unhiding security dialogs) for all sites where you already ticked the Do not show this again for apps from the publisher and location above check box.
Here's an example of Java warning for a properly signed app. If you trust the site, you can tick the Do not show this again for apps from the publisher and location above check box. This will prevent the warning from appearing again.
Please note that you might see additional warnings for signed apps, such as the one below. Here the app contains both signed and unsigned code and Java asks whether to block potentially unsafe components from being run. Clicking Don't block is recommended only if you are 100% sure you are on a safe site.
The second example shows a signed Java application with expired digital signature. You can still tick the box if you really-really trust the site, but notice how yellow warning signs are shown.
And finally, here's an example of multi-click prompt for an unsigned Java app with a red "Running this application may be a security risk" warning. You must enable the I accept the risk and want to run this app option and click Run to let the program start. But please make sure you really are on the correct web site first. Ticking the Do not show this again for this app check box is not recommended for unsigned apps.
As Java installer does not remove older versions of JRE, most computers have several versions of JRE installed as in the example below:
And that is not the worst case I've seen! You could now remove all these old versions by clicking Remove or Uninstall buttons (depending on which version of Windows you have), but this can be really slow and might require several restarts. And then there are those uninstallers that just fail...
Luckily, Oracle has created a small and simple Java Uninstall Tool for Microsoft Windows users. Just browse to the uninstallation tool page, wait for a while until the applet loads and click the big red I Agree to the Terms and Want to Continue button. Oh, Java must be enabled in your browser for this tool to work!
The version detection will take some time.
After the detection is complete, click the red Uninstall Selected Versions button.
Oracle warns you that some older Java programs might not run after removing the outdated installations. Click the Continue to Uninstall button - home users normally do not have corporate applets that date back to prehistoric ages when security was all about locking your front door. You know, like the times when Aqua's "Barbie Girl" was hot. Just kidding! Or am I?
And then, after some time (depends on the number of outdated installations), old versions of Java are gone! The success page also includes links on how to restore old versions in case you really need it.
Your Java Runtime Environment is now up-to-date and all older versions of it have been removed!