“Unless it is absolutely necessary to run Java in web browsers, disable it”, DHS-sponsored CERT team says

Graham Cluley


For anyone who is in any doubt, security experts are spelling it out in black and white.

The advice from the CERT Program at Carnegie Mellon University's Software Engineering Institute (whose vulnerability analysis work is sponsored by the Department of Homeland Security) is loud and clear: you should only be running Java in your browser if it is absolutely necessary.


“Unless it is absolutely necessary to run Java in web browsers, disable it… even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.”

You will see similar advice in the advisory posted on the official DHS US-CERT website:

“To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.”

You know what? The advice is absolutely right.


Even if you have been super-diligent and installed the Java security patch (7u11) released earlier this week for the serious hole that let a malicious Java applet break out of the browser sandbox and run code on your computer, you should still seriously consider whether it's sensible to have Java enabled in your browser at all.

If you can't avoid a handful of websites that insist your browser supports Java, then why not keep a separate browser specifically for visiting those sites?

That way you can permanently rip Java out of the web browser you use to surf the rest of the web, and you'll be a lot safer the next time a serious vulnerability is found in Java.
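The switch the advisories are talking about is, from Java 7u10 onwards, a single deployment property: deployment.webjava.enabled, the same setting as the "Enable Java content in the browser" box in the Java Control Panel. The script below is an added example and is not from this article or from Oracle; it sets that property to false in a deployment.properties file, locks it, and reports whether the file disables browser Java. The per-user path under $HOME/.java is assumed for Linux and differs on Windows and macOS; a system-wide JRE deployment.properties takes the same keys. The bare "key.locked" line follows the lock syntax of the Java deployment guide.

```shell
#!/bin/sh
# Added example (not from the article): disable the Java browser plug-in by
# setting deployment.webjava.enabled=false, the switch behind the Java Control
# Panel's "Enable Java content in the browser" box (Java 7u10 and later).
# DEPLOY_PROPS is the per-user file on Linux; assumed here for illustration,
# the location differs on Windows and macOS, and a system-wide JRE file uses
# the same keys.

DEPLOY_PROPS="${DEPLOY_PROPS:-$HOME/.java/deployment/deployment.properties}"

# prop_get FILE KEY: print the last value set for KEY, or nothing if absent.
prop_get() {
    [ -f "$1" ] || return 0
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# prop_set FILE KEY VALUE: replace any existing KEY= line, else append one.
prop_set() {
    mkdir -p "$(dirname "$1")"
    [ -f "$1" ] || : > "$1"
    tmp="$1.tmp.$$"
    # grep exits 1 when no lines remain, which is fine for an empty result
    grep -vE "^[[:space:]]*$2[[:space:]]*=" "$1" > "$tmp" || true
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# prop_lock FILE KEY: add a bare "KEY.locked" line so the Control Panel
# cannot flip KEY back (deployment.properties lock syntax).
prop_lock() {
    grep -qxF "$2.locked" "$1" || printf '%s\n' "$2.locked" >> "$1"
}

# disable_web_java FILE: turn Java content in browsers off and lock it.
disable_web_java() {
    prop_set "$1" deployment.webjava.enabled false
    prop_lock "$1" deployment.webjava.enabled
}

# web_java_disabled FILE: succeed only if FILE explicitly disables browser Java.
web_java_disabled() {
    [ "$(prop_get "$1" deployment.webjava.enabled)" = "false" ]
}

# Usage: ./java-off.sh --apply changes the file; without --apply it only reports.
[ "${1:-}" = "--apply" ] && disable_web_java "$DEPLOY_PROPS"
if web_java_disabled "$DEPLOY_PROPS"; then
    echo "Java in browsers is disabled in $DEPLOY_PROPS"
else
    echo "Java in browsers is NOT disabled in $DEPLOY_PROPS (run with --apply, then restart the browser)"
fi
```

Browsers pick the change up on restart, and the Java Control Panel should then show the browser checkbox cleared and greyed out. If you take the two-browser approach above, leave this setting on for the machine and instead disable or remove the Java plug-in inside the everyday browser, so the dedicated browser can still load the sites that need it.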

Patching against this security hole isn’t the end of the story. You need to seriously consider whether Java has any place in your browser at all.

Stay secure folks.

This article has been updated to clarify that the first advisory quoted comes from the vulnerability experts at the CMU SEI CERT Program, sponsored by the Department of Homeland Security, and is not directly from the DHS themselves.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
