Thursday, 12 December 2013

Do You Need Java?



Shortly after Oracle released their quarterly update which addressed twenty-nine security flaws in Java SE, a frustrated forum poster asked, "How can I determine if I need Java?"  Along with removal instructions, my reply included the following reasons why someone may need Oracle Sun Java installed on their computer:
  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
There is no question that the forum poster's question was very timely. As reported by Holly Stewart in an MMPC Blog post, there has been "an unprecedented wave of Java exploitation."  The report continues:
"In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.  See chart below for details:
[Chart: Java-PDF-Attacks-through-2010Q3]
The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.  The first two, in particular, have gone from hundreds of thousands per quarter to millions:
| CVE | Attacks | Computers | Description |
|---|---|---|---|
| CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X. |
| CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments. |
| CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353. |

Whether you keep Java or decide to uninstall it from your computer, it is necessary to look not only for the Java(TM) 6 Update (number) but also for any installation with J2SE, Java(TM) 5, or Java(TM) SE Runtime Environment 6.  It is also advisable to remove the leftover files in your downloads folder.

In the event you keep Java installed, there should only be the current version in add/remove programs (as of this posting, Java(TM) 6 Update 22, available at Java SE Runtime Environment 6u22).
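
The check described above can be scripted. The following is an added example, not part of the original post: it reads the standard Windows uninstall registry keys (read-only) and flags every Java entry whose name matches the patterns listed above but is not the version the post names as current. The function names and the handling of a trailing suffix such as a bitness label are assumptions of this example.

```powershell
# Added example: audit Add/Remove Programs entries for Java runtimes.
# $Current is the version this post names as current; change it as needed.
$Current = 'Java(TM) 6 Update 22'

# Display-name patterns the post says to look for.
$Patterns = @(
    '^J2SE',
    '^Java\(TM\) 5',
    '^Java\(TM\) 6 Update \d+',
    '^Java\(TM\) SE Runtime Environment 6'
)

function Test-JavaEntry {
    param([string]$DisplayName)
    foreach ($p in $Patterns) {
        if ($DisplayName -match $p) { return $true }
    }
    return $false
}

function Get-InstalledJava {
    # Native view plus the 32-bit view on 64-bit Windows (absent on 32-bit systems).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Assumption: the current entry may carry a suffix after the update number.
    $currentRx = '^' + [regex]::Escape($Current) + '(\D|$)'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and (Test-JavaEntry $_.DisplayName) } |
        ForEach-Object {
            $status = 'outdated: remove'
            if ($_.DisplayName -match $currentRx) { $status = 'current' }
            New-Object psobject -Property @{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Status      = $status
            }
        }
}

$found = @(Get-InstalledJava)
if ($found.Count -eq 0) {
    'No Java runtime entries found.'
} else {
    $found | Sort-Object DisplayName | Format-Table DisplayName, Version, Status -AutoSize
}
```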


Since Java updates tend to leave leftovers, JavaRa is recommended.  Freð ðe Vries provided notice that JavaRa has been silently updated to reflect the publication of Oracle's Java JRE 1.6.0.22. Leftovers up to Oracle Sun Java 1.6.0.21 are now cleaned by JavaRa.  Simply download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista and Windows 7 users right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
