Like Adobe Flash Player, Sun’s Java development environment helps super-charge web pages and create applications for everything from copy machines to smart phones. But Java is like Flash in another way; it’s an incredibly bug-ridden security hole. It was once popular to install it “just in case” you needed it on your computer. But what we now know is that having it on your system can lead to all kinds of problems. We recommend you uninstall Java if it isn’t business-critical. For some folks, however, Java is needed. In those cases, it’s critical that you keep it updated.
Check For Update
Newer versions of Java have an automatic update checker that checks for new versions weekly. If it detects an available update, you’ll have a notification in your task bar (Figure 1).
If a Java patch has been released and you don’t want to wait for your weekly update check (I wouldn’t!), you can manually update by heading over to Control Panel and double-clicking the Java icon (Figure 2).
When you do, the Java control panel applet will appear. Click on the “Update” tab. There are several options available here (we’ll cover these later), but for now we’re concerned with the “Update Now” button at the bottom of the dialog (Figure 3).
Click the button and Java will download the installation files for the update (Figure 4) and launch the installation.
Like Adobe Flash, the update attempts to install crapware on your PC (Figure 5). I can’t tell you how many times I’ve been called by customers asking me how a Yahoo! or Google or Ask toolbar got installed on their PC when, in fact, it was installed by one of these updaters. Deplorable. Make sure you click the button labeled “Do not update browser settings” before you click Next.
Once the update installation package has completed, you’ll get a dialog telling you as much. Clicking the “Close” button on the dialog launches a browser that navigates to the Java web site and loads a web page with an embedded Java object. Depending on your Java plug-in settings, you may receive a series of prompts to enable the Java plug-in when the object attempts to run. Click through and you should get yet another notification that the update was successful (Figure 6).
Automatic Update Options
Because having Java on your system is such a dangerous proposition, checking for updates only once a week is too lax. I recommend changing the default setting for automatic updates. Go back to the Java Control Panel applet and click on the “Update” tab (Figure 3). Click on the “Advanced” button. The “Automatic Update Advanced Settings” dialog gives you much more granular control over your Java updates. I recommend checking daily at a time that you know your machine will be on and available. I’ve chosen 4 p.m. (Figure 7).
The final change involves the “Notify Me” setting in Figure 2. The default is notification “Before Downloading”. I prefer to have the download cached and ready to go, rather than having to wait on it at installation time, so I have changed my notifications to pop up “Before Installing”. It has no security implication, but it makes it more convenient when it’s time to apply the update.
There is more you can do to secure a machine that has Java installed. You can disable the plug-in in your browser. You can choose to run Google Chrome as your default browser (Chrome doesn’t support Java), and use Internet Explorer or Firefox (which do support Java) only when you need to access a secure Java-enabled site. You can tweak Java’s security settings so that Java only runs on web sites you specify. And if you’re uber-paranoid, I’ve seen some people keep a virtual machine on hand that they only use for Java applications. That way, if they happen to get infected with something nasty, it won’t affect their main computer. All of these are valid, and I use a combination of them all.
What about you? Do you still use Java? What’s keeping you from uninstalling it? Let us know in the comments below.