Ask LH: What Is Java, Is It Insecure, And Do I Need It?

Dear Lifehacker, It seems like every other day that people are freaking out about another Java security hole. Can you settle the Java debate for me once and for all? What is it, really? Is it the same as JavaScript? Should I disable it? Won’t all my websites break if I do? Sincerely, Pitiful Plugins

Dear Pitiful,

Java is indeed a pain, but the good news is few people actually need it in the first place. Here’s what you need to know about what it does, what its problems are and how to get rid of it.

What Is Java?


Java is a programming language that developers use to create applications on your computer. It isn’t as popular as it once was (its big selling point back in the day was the ability to write code that ran on a wide variety of operating systems). Chances are you’ve downloaded a program that required the Java runtime and thus installed it on your system. Java also has a web plug-in that allows you to run these apps in your browser.

Java is not, however, the same as JavaScript. In fact, they don’t have a lot of similarities besides their names. JavaScript is used only in web browsers to create web pages rather than “apps” that run inside them. This can be a bit confusing since Java also runs in your browser. A large number of websites use JavaScript; very few require Java.

With that in mind, we’re only going to discuss Java here. That’s the really insecure one that’s driving everyone crazy. For a better explainer on JavaScript, check out this guide from our friends at the How-To Geek. For the answer to your question, read on.

Is Java Insecure?


Yes, Java is insecure, and not just normal I-can-get-past-your-lock-screen insecure either. Kaspersky Lab says that Java was responsible for 50 per cent of all cyber attacks last year, and security experts are constantly advising that you disable it in your browser. It opens up a number of holes that can allow criminals to steal passwords, credit card numbers and other personal information. And, as you’ve noticed from reading news on the web, new security holes are popping up all the time.

Should I Disable it?

Java has two parts: the runtime that runs on your computer (and lets you run Java apps), and the browser plug-in that comes along with it. Most of the time, the browser plug-in is what causes all the security problems. And since you probably don’t even need the browser plug-in, we recommend disabling it.


To disable Java in your browser, head to your browser’s plug-in page. In Chrome, you can do this by typing chrome://plugins into the address bar. In Firefox, you can do so by going to Tools > Add-Ons > Plugins. Then just find Java and click Disable. That’s all it takes!

However, the Java runtime installed on your computer is annoying in and of itself, particularly on Windows. It’s constantly nagging you for updates, taking up space in your system tray, and chances are you don’t even need it. In a lot of cases, you probably installed Java for some one-time app back in the day and never needed it again.

We recommend uninstalling Java altogether. If you find that an app asks for Java after the fact, you can always reinstall it. Open up the Start menu, search for “uninstall a program”, press Enter and choose Java from the uninstall list. You’ll be happy you did.

Cheers, Lifehacker
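
To check a Windows PC before deciding what to disable or uninstall, here is an added PowerShell example (not part of the original article) that lists installed Java runtimes, whether the browser plug-in file is present, and whether Java content is enabled in the browser for the current user. The function names are made up for this example; the registry locations, the npjp2.dll plug-in path and the deployment.webjava.enabled property are assumed to follow Oracle's defaults on Windows.

```powershell
# Added example: audit a Windows PC for Oracle Java and its browser plug-in.
# Paths and property names are assumed to match Oracle's default layout.

function Get-JavaInstall {
    # Installed programs are listed under the Uninstall keys (64- and 32-bit views).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s' } |
        ForEach-Object {
            # The browser plug-in ships as a DLL inside the runtime's folder.
            $dll = if ($_.InstallLocation) {
                Join-Path $_.InstallLocation 'bin\plugin2\npjp2.dll'
            }
            [pscustomobject]@{
                Name          = $_.DisplayName
                Version       = $_.DisplayVersion
                InstallPath   = $_.InstallLocation
                PluginPresent = [bool]($dll -and (Test-Path $dll))
            }
        }
}

function Get-JavaWebSetting {
    # Per-user Java Control Panel settings; an absent key means the default applies.
    $file = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $file)) { return 'no deployment.properties for this user' }
    $line = Select-String -Path $file -Pattern '^\s*deployment\.webjava\.enabled\s*=\s*(\S+)' |
            Select-Object -First 1
    if ($line) { $line.Matches[0].Groups[1].Value } else { 'not set (default)' }
}

$found = @(Get-JavaInstall)
if ($found.Count -eq 0) {
    'No Java runtime listed in installed programs.'
} else {
    $found | Format-Table -AutoSize
    "Java content in browser (deployment.webjava.enabled): $(Get-JavaWebSetting)"
}
```

A runtime with PluginPresent set to True and the web setting not set to false is the combination the article recommends turning off.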



  • Unless you are a Minecraft addict like several in this house, then having Java installed is almost as necessary as having coffee to hand.

  • Can’t say I agree with this assessment. A few things:

    Java is a programming language and a bytecode specification, nothing more. Java is fairly solid, platform-independent and perfectly safe. Java can be compiled to any target, as long as a compiler exists: you can make a native Windows or Mac app with Java if you have a compiler for it.

    The Java virtual machine (JVM) is the software you install in order to run programs that were compiled as Java bytecode. The JVM is not platform-independent – each platform has its own JVM written specifically for that platform. The JVM acts as an interpreter, taking the platform-independent Java bytecode and translating it to whatever native instructions the platform you’re on expects. There’s more than one JVM out there, but the big ones are Oracle’s JRE and OpenJDK. The problems that have been reported with Java exist only in Oracle’s version.

    The JVM itself is fairly safe. There are some vulnerabilities, but that’s true of all software and Java’s JVMs don’t really stand out from the crowd in that respect. The problems come almost exclusively from yet another bit of software – the Java browser plugin – that is designed to let applets on the web access the JVM you have installed on your computer as though they were running locally (albeit with a few extra security restrictions). The browser plugin is only needed if you run applets through your browser, and some companies deploy their software to their users this way. If you don’t use Java applets in your web browser, you should disable the Java browser plugin, which will shut down all of the vulnerabilities that can be exploited over the internet.

    The advice to remove the JVM in the article is a little bit severe. The JVM isn’t what’s vulnerable and if you don’t have the browser plugin installed, pretty much the only way a vulnerability in the JVM can be exploited is if someone has physical access to your computer and is logged in, and to be blunt, if someone already has physical access to your computer and is logged in, they have what they need anyway without going through the JVM.

    As some people above pointed out, the JVM is needed to run Minecraft, as well as a lot of other software. There’s no reason to panic and remove the JVM from your system. The browser plugin, on the other hand, isn’t needed for most downloaded apps (like Minecraft, unless you’re trying to play the web version) and just disabling that will get rid of the security problems without having to get rid of the JVM as well.

    • This, 1,000,000,000 times this. So much FUD in this article. Disable the browser plugin and you will be fine. The Java browser plugin vulnerabilities are the problem here, not the JVM for desktop applications or servlet containers that run Java code on the server side (e.g. Tomcat, Jetty, JBoss etc). The number of times I have had to explain this to idiot managers that find out we have Java web apps (serving HTML and JavaScript) running on our servers…. /rage

    • TL;DR – but: “Java is a programming language and a bytecode specification, nothing more”

      Java is more than that – it is a full framework, providing a vast amount of API bindings and libraries. It’s more comparable to, say, C# with .NET

      • You’re right that it’s loosely comparable to C# with .NET. The .NET implementation is completely detachable from the C# language, much like Java’s API implementation is (edit: almost completely) detachable from the Java language. In C#, Mono provides implementation of the .NET framework without being the .NET framework and the same thing is possible with Java, albeit uncommon. The Android development platform is a good example of this, where the language is Java but the API implementation is custom Google code.

        The API is a very important part of the Java ecosystem, but I wouldn’t say that if you were to boil Java down to its core that it was essential. There are ways to do without it.

  • I wonder how many users seriously read a blog like this that don’t know what Java is... Or care why/if they need it. They will install it as you say most likely because something prompts them to and then never think about it again.

    What average user do you know that looks at their sys tray and is concerned at the number of icons these days, especially with autohide... They more likely would be like “MOAR ICONZ, INSTALL ALL OF THE THINGS!”
