Java has had quite an eventful year. With new vulnerabilities being found and exploited on an almost weekly basis, Java is looking less and less like the powerful, secure platform Oracle wants it to be and more like an aging block of Swiss cheese. Many security experts have questioned whether it’s really a good idea for most computer users to have Java installed at all. I’m very much in agreement with this group.
In the security community, we have a concept known as “attack surface”. Your attack surface is any area of your system that could potentially be exploited by an attacker to compromise your system security. Obviously, the smaller your attack surface, the less opportunity there is for an attacker to exploit your computer. The great thing about Java is that it runs on a wide variety of computing platforms, making it possible for Java applications to run anywhere Java can be installed. The terrible thing about Java is that it runs on a wide variety of computing platforms, making it possible for Java vulnerabilities to run almost everywhere. This makes Java an ideal target for malware authors. And because Java installs its browser plugin by default, the only action a user needs to take to risk having their system infected is to visit a malicious or infected website. This is true even with fully up-to-date web browsers. That’s bad. Really bad.
Unless you absolutely need to have Java installed, it’s time to ditch it. To uninstall Java, open your Control Panel and select “Add or Remove Programs” (if you’re using Windows XP) or “Programs and Features”. Select Java and press “Uninstall”.
If you do need to have Java installed, you should at least attempt to disable the Java browser plugin, which is where most Java vulnerabilities are exploited. The official Java website provides a walkthrough of how to disable Java in all major browsers here.