Java disable control needed in browsers?

I apologize in advance for being long winded.

I don’t know how many of you have heard about the KoobFace that was recently created for Macintosh (October 2010). It uses Java to do the install. I have news for you. That Java code also runs on Linux and Windows as long as Java is installed and plugged into your browser. I assumed I did not have Java on OpenSuse 11.3 because it never showed up as an option to turn off in Firefox prefs. I said nothing to get Java with the 11.3 install. OTOH, I had to install whois. If Firefox had a preferences control for Java I would have turned it off until it is needed. Imagine my surprise to be asked by multiup.org once I turned off ABP and my PAC filter because the rule I was testing “advertising.” blocked it to be staring at a request to install and run a Java app! It is the first one I have observed since installing OpenSuse 11.3 over six months ago. In fairness JRE did request my permission to run it and when I did ask for more information it told me the app was signed by a dubious and untrusted source. RUN DISALLOWED! Would some normal computer user know to do that and continue to disallow it until they knew more? I have more news for you - some Macintosh owners said yes to both the JRE query and then to the OS sudo query for Java KoobFace and were successfully infected. Java has more risk than people believe. Once hackers start to use Java you have a dandy multi-platform infection agent. Fortunately, I can’t even get the binaries for my utility programs compiled on OpenSuse 11.3 to work on Ubuntu 10.04. I had to recompile the programs on Ubuntu 10.04. Until the hackers figure out one size doesn’t fit all for Linux you have an extra edge of protection if you are a Linux user.

Despite all of the whines I read in the forum about Java not working, I do NOT want Java installed by default unless I have more control over it than just an interactive query. I consider the risk of whois much less than the risk for Java. Unless there is more control for Java in the browsers you may be better off without Java. Generally speaking, from a security standpoint JRE should never be enabled until you need it. Here is what I have using rpm (I used software control only to be staring at nothing familiar - thus why I used rpm):

$ rpm -qa | grep -i java
java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2.i586
timezone-java-2010l-0.2.1.noarch
java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2.i586

Question 1.
Will control over when to be able to use Java ever be put back into Firefox? If not then I really don’t want Java at all. I don’t have the JRE plugged into any of the browsers on Ubuntu or the two versions of Windows that I have and have never missed it. There is another factor at play here. I produce filters to filter out bad stuff and I REALLY do not want Java enabled most or all of the time. I put up with flash because you always need it. In fact, when I am informed I have X viruses in my “Documents and Settings” folder on Linux you KNOW what you are looking at - a flash run. The host that did it is black-listed instantly. Whatever it is leading to, no Windows user wants.

Question 2:
If number one cannot be done, would removing the openjdk-plugin package severely damage things or break something? Is that all that needs to be removed or do all three or even more things need to be removed? Unless I can control when I am seeing that JRE prompt I would rather not even see it. I might be tired or sick on the next one I see 6+ months from now and stupidly click on “yes, run it!” Novice users would be perplexed by those pop-up requests to run because it did not say it was a Java app. I am concerned about removing Java though. All of the stuff showing up in OpenSuse’s Software panel leads me to believe that if I remove Java I may break something.

The main use I see for Java is companies’ internal house apps. On the Internet, my advice is to not let any distrusted Java app run until you do some VERY THOROUGH checking. Has anybody actually observed a trusted (legitimately signed) Java app at all? I haven’t.

First off, I do share your concern over viruses and malware and want everyone to have control over their system. I claim to be no expert per se on Java, but I thought that if you use the Firefox command about:config, search on Java and change the following setting javascript.enabled;true to javascript.enabled;false, Java does not run. Am I missing something there?

Believe it or not, I don’t recommend you use the following files you show if you want full Java compatibility:

$ rpm -qa | grep -i java
java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2.i586
timezone-java-2010l-0.2.1.noarch
java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2.i586

I normally use the files:

java-1_6_0-sun-1.6.0.u22-1.2.1-x86_64 -> openSUSE
java-1_6_0-sun-alsa-1.6.0.u22-1.2.1-x86_64 -> openSUSE
java-1_6_0-sun-plugin-1.6.0.u22-1.2.1-x86_64 -> openSUSE

But perhaps these are more susceptible to problems. Sorry I did not exactly answer your questions.

Thank You,

This is really a Firefox question and a quick search gave the answer:

How to turn off Java applets

I don’t have the Java plugin package installed anyway and I haven’t missed it. As you say, it’s mostly internal apps that use Java applets. It never was very popular and websites have turned to other technologies for client side execution.

Java and Javascript are different languages.

Hello there ken_yap. So I do now remember you can Disable any plugin such as Java. What would you be able to do with Java if the Java plugin is enabled and javascript is disabled? Now I am just asking as an already declared non-expert on Java.

Thank You,

Lack of Java applet execution will affect very few websites. Most people will not even miss it. As I said, I don’t.

Lack of Javascript will disable many modern features. A lot of pages are written assuming Javascript is available and the poorly written ones don’t have fallback to work without Javascript.

So I was right in my thinking that if you did not want to get a problem from Java, you would disable Javascript, right? Now that does not mean using the internet would be all of that fun without Java of course. What course of action do you take with Java, if your concern is malicious Java code running, being asked by someone that does not claim to understand it all.

Thank You,

No, you still don’t get it. Java and Javascript are separate things. The control for one doesn’t affect the other.

For the fear of not making you mad, I might ask, if you were concerned about Viruses and Malware, which claimed to use Java, what would you do to your Java settings, any of them?

Thank You,

Disable Java from the Plugins dialog, or if more paranoid, not install the Java plugin package.

Again, Java and Javascript are different languages with different syntax and semantics. They have some superficial similarities. Java is executed via a Java plugin that contains a Java interpreter to execute JVM bytecode that is sent from the website. Javascript is nearly always associated with and embedded in a webpage and executes in the context of the web document.
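
An added example, not part of any poster's reply: for Question 2, this shell script picks the browser-plugin package out of the `rpm -qa` list quoted in the first post and uses rpm's dry-run erase to check whether removing it would break dependencies. The function names are hypothetical, and the sample list is copied from the thread.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Constructed sample: the `rpm -qa | grep -i java` list from the first post.
SAMPLE_PKGS='java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2.i586
timezone-java-2010l-0.2.1.noarch
java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2.i586'

# Filter stdin down to the packages that ship the browser plugin.
# The JRE and timezone data are not matched, so they are left alone.
java_plugin_pkgs() {
    grep -E '^java-[0-9_]+-[a-z]+-plugin-' || true
}

# For each plugin package on stdin, say whether erasing it is clean.
# `rpm -e --test` only runs the dependency check; nothing is removed.
report() {
    java_plugin_pkgs | while read -r pkg; do
        if ! command -v rpm >/dev/null 2>&1 || ! rpm -q "$pkg" >/dev/null 2>&1; then
            echo "$pkg: plugin package, not installed on this host"
        elif rpm -e --test "$pkg" >/dev/null 2>&1; then
            echo "$pkg: dry run clean, nothing requires it"
        else
            echo "$pkg: dry run failed, check rpm -q --whatrequires <name>"
        fi
    done
}

# Default: run on the sample list. With --live: audit this machine.
if [ "${1:-}" = "--live" ]; then
    rpm -qa | report
else
    printf '%s\n' "$SAMPLE_PKGS" | report
fi
```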

Thank you there ken_yap for the very good explanation. I am sure everyone will take such advice to heart.

Thank You,