Site search is available on home page

Securing Java

By , Last modified: 2015-03-04.

How to improve Java security in Windows XP, Vista, 7, 8 and 8.1

Java Runtime Environment (aka Java, Java RE, Java SE, JRE) is a common plug-in in all web browsers. Sadly, it has become a major target for malware, surpassing even Adobe's infamous Flash Player and Reader.

Please bear in mind that Java and JavaScript are totally different things - JavaScript support is included in every modern web browser, but Java needs to be installed (or uninstalled) separately.

To keep Java and many other important programs updated automatically, it is best to use the free program called Secunia PSI. You can also visit the Browser and Plug-in Check page to see if the installed version is up-to-date.

To protect your Windows PC from hackers that try to exploit known and unknown bugs in Java, learn about free Microsoft EMET.

Downloading and installing the latest version of Java Runtime Environment

To get the latest version of JRE, go to Java download page and click the Windows Offline (32-bit) link.
Please note that even on 64-bit Windows (x64 editions), installing only the 32-bit JRE is recommended: most web browsers and plug-ins/add-ons support 32-bit (x86) only. If you do have both 32-bit and 64-bit Java installed, you must download and update these separately.
Java download page. Click the 'Windows Offline (32-bit)' link.

After download is complete, launch the setup program. Click Install.
Java Setup, Welcome page. Click Install.

Now that's what I like - no series of Next buttons! Cool
Version 8 or Java installer finally starts uninstalling out-of-date versions. Click Uninstall if your PC has one.
Java Setup - Uninstall out-of-date versions. Click Uninstall.

The removal takes a few minutes, click Next after it finishes.
Java Setup - Uninstallation Complete. Click Next.

Finally, click Close after the install is complete.
Java Setup, install Complete page. Click Close.

Cool, you now have the latest version of Java installed! Continue with next very important steps below.

Configuring Java security settings

Until Java Runtime Environment 7 update 10 there were no really usable security settings available in Java's Control Panel applet, but since that version Java allows prompting or blocking apps that are not digitally signed.

Java 8 is the recommended version since October 14th, 2014.

Generally, only the latest version of Java is now considered secure and all older ones result in prompts each time a browser tries to load some Java content.

To configure Java security settings, open Control Panel and double-click Java. On 64-bit Windows, the applet is named Java (32-bit) or Java (64-bit), and you might see both listed. This also means that you have to configure both separately.
Windows XP users might have to click the Switch to Classic View link on the left to see it listed. Windows Vista, 7, 8 and 8.1 users can simply type "java" (without quotes) into Control Panel's Search box.

Java Control Panel window opens. Open Security tab and make sure that Security level for applications not on the Exception Site list option is set to High.
Since Java 7 update 21, a prompt appears even if Java is up to date (considered secure) and the applet is properly signed - but you can use a check box to trust the applet. If Java version is out of date, a prompt for each Java app appears, and multi-click prompts for unsigned Java apps are used.
By the way, the first check box - Enable Java content in the browser - allows completely turning off Java support in all installed web browsers. Some programs, such as Freeplane, or LibreOffice require Java for some functionality. Now you can install Java without worrying about possible security holes - just clear the check box and Java support in web browsers is gone. You still need to restart all browser windows if any of these were open.
Click OK to apply changes and close the window.
Java Control Panel, Security tab. Set the Security Level option to High.

Next, you can manage the Exception Site List. This means that Java will run on these sites after appropriate security prompts even if Java is outdated.
You should be extremely cautious about adding non-corporate sites to this list, though: your computer might get infected with malware while using outdated Java!
Please click Edit Site List and double-check that the list is empty.
Java Control Panel, Security tab. Click 'Edit Site List' to manage trusted sites. Java Control Panel, Exception Site List. Verify that the list is empty.

Another usable button in Java Control Panel (JCP) is Restore Security Prompts. This allows resetting trust (unhiding security dialogs) for all sites where you already ticked the Do not show this again for apps from the publisher and location above check box.
Java Control Panel, Security tab. Click 'Restore Security Prompts' to reset all trusted sites. Java Control Panel, Confirmation - Restore Security Prompts. Click 'Restore All'.

Here's an example of Java warning for a properly signed app. If you trust the site, you can tick the Do not show this again for apps from the publisher and location above check box. This will prevent the warning from appearing again.
Java Security Warning for a good app, Do you want to run this application? Click Run.

Please note that you might see additional warnings for signed apps, such as the one below. Here the app contains both signed and unsigned code and Java asks whether to block potentially unsafe components from being run. Clicking Don't block is recommended only if you are 100% sure you are on a safe site.
Java Security Warning, Block potentially unsafe components from being run? Click Don't block only if you trust the site.

The second example shows a signed Java application with expired digital signature. You can still tick the box if you really-really trust the site, but notice how yellow warning signs are shown.
Java Security Warning, The application's digital signature has expired. Click Run only if you trust the site.

And finally, here's an example of multi-click prompt for an unsigned Java app with a red "Running this application may be a security risk" warning. You must enable the I accept the risk and want to run this app option and click Run to let the program start. But please make sure you really are on the correct web site first. Ticking the Do not show this again for this app check box is not recommended for unsigned apps.
Java Security Warning for an unsigned app, Running this application may be a security risk. Click Run only if you trust the site or the unsigned app.

Removing older versions of Java Runtime Environment with Oracle's online tool

As Java installer before version 8 did not remove older versions of JRE, most computers have several outdated JRE installations as in the example below:
Windows XP, Add or Remove Programs. Note how many Java Runtime Environments are installed!

And that is not the worst case I've seen! Wink You could now remove all these old versions by clicking Remove or Uninstall buttons (depending on which version of Windows you have), but this can be really slow and might require several restarts. And then there are those uninstallers that just fail...

Luckily, Oracle has created a small and simple Java Uninstall Tool for Microsoft Windows users. Just browse to the uninstallation tool page, wait for a while until the applet loads and click the big red I Agree to the Terms and Want to Continue button. Oh, Java must be enabled in your browser for this tool to work!
Oracle Java Uninstall Tool, click I Agree to the Terms and Want to Continue.

The version detection will take some time.
Oracle Java Uninstall Tool, Finding versions of Java on your computer. Stand by.

After the detection is complete, click the red Uninstall Selected Versions button.
Oracle Java Uninstall Tool, You have the following insecure versions of Java that should be uninstalled. Click the Uninstall Selected Versions button.

Oracle warns you that some older Java programs might not run after removing the outdated installations. Click the Continue to Uninstall button - home users normally do not have corporate applets that date back to prehistoric ages when security was all about locking your front door. You know, like the times when Aqua's "Barbie Girl" was hot. Just kidding! Or am I? Tongue Out
Oracle Java Uninstall Tool, Uninstalling old versions of Java will increase security but may cause some old Java programs to no longer run. Click the Continue to Uninstall button.

And then, after some time (depends on the number of outdated installations), old versions of Java are gone! The success page also includes links on how to restore old versions in case you really need it.
Oracle Java Uninstall Tool, Old Versions Successfully Uninstalled. Jump with joy.

Your Java Runtime Environment is now up-to-date and all older versions of it have been removed! Cool



Sub Navigation

Sub Navigation
Next: Securing Skype
Previous: Securing Adobe Reader
comments powered by Disqus