See my Defensive Computing blog at  

Test the version of Java used in this browser

 Java security news

October 18, 2016: Java 8 Update 111 has been released. It is the new security baseline and is due to expire January 17, 2017.

July 19, 2016: Java 8 Update 101 has been released. It is the new security baseline and is due to expire October 19, 2016.

April 19, 2016: Java 8 Update 91 has been released.

March 23, 2016: Java 8 Update 77 has been released. It is the new security baseline and is due to expire April 19, 2016.

March 11, 2016: "Two-year-old Java flaw re-emerges due to broken patch" by Lucian Constantin of IDG News Service.

February 8, 2016: "Java installer flaw shows why you should clear your Downloads folder" by Lucian Constantin for Computerworld.

February 5, 2016: Java 8 Update 73 and Update 74 are released. The security baseline remains Update 71. Both versions will expire on April 19, 2016.

January 28, 2016: I have seen the future and it does not include Java running inside a web browser. Oracle blames web browsers for no longer supporting the quite-old NPAPI plug-in standard. Why Oracle can't move Java to a different plug-in interface is not discussed. As a substitute for Java applets, Oracle suggests Java Web Start apps. These are full-blown apps, written in Java, that are downloaded to a Java cache on your computer and run from there, outside of any web browser. Java Web Start apps can automatically self-update and they run in a sandbox by default. User action is required for them to break out of the sandbox. Different Java Web Start apps can run concurrently and use different versions of Java. The security issues with Java were always tied to the web browser interface; the language itself was never a security issue.

January 19, 2016: Java 8 Update 71 is released. It fixes critical security flaws, as usual, and is now the Security Baseline. Update 71 is scheduled to expire on April 19, 2016. Also released was Update 72, described by Oracle as "a patch-set update, including all of 8u71 plus additional features". Then too, there is a BPR (Bundled Patch Release) and a public edition of Update 72.

November 16, 2015: Java 8 Update 66 is released. Although the Release Notes say "This release contains fixes for security vulnerabilities," the security baseline remains at Update 65. Update 66 is scheduled to expire on January 19, 2016.

October 20, 2015: Java 8 Update 65 is released. It fixes a bunch of bugs and is the new security baseline. It is due to expire January 19, 2016.

Undated: "Java and Google Chrome Browser" from Oracle. Starting with Chrome version 45, released in Sept. 2015, Java applets are no longer supported because they use an old plugin interface known as NPAPI. Java Web Start apps continue to work fine. IE and Safari still support NPAPI so Java applets work with these browsers.

September 29, 2015: "How to Uninstall Java on Mac OS X" by Lowell Heddings of HowToGeek

September 30, 2015: "Insider: Oracle has lost interest in Java" by Paul Krill of Infoworld

September 7, 2015: "Oracle cuts Java execs" by Barb Darrow in Fortune

August 18, 2015: Java 8 Update 60 is released.

July 14, 2015: Java 8 Update 51 is released.

July 12, 2015: From Trend Micro - First Java Zero-Day Attack in Two Years Targets NATO & US Defense Organizations

May 6, 2015: Just a reminder: Java 7 is dead. Oracle will not release any more bug fixes for it.

April 14, 2015: Three new versions of Java were released today: Java 7 Update 79, Java 7 Update 80 and Java 8 Update 45. These releases fix 14 security flaws. Quoting Oracle: "All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

April 14, 2015: "Chrome version 42 will pour your Java coffee down the drain: Plugin blocked by default" by Shaun Nichols in The Register. Chrome version 42 blocks the Java plugin by default because it uses an old deprecated plugin API. For the time being, you can tweak Chrome to run Java but that will end in September 2015.

Older News...

 About Java    (last revisions: Oct. 16, 2013 | Jan 25, 2013 | Jan 15, 2013 | Oct 2012)

Java is supported on Windows, OS X and Linux. It is not supported in iOS or Chrome OS. Java is very much involved in Android, but not in a way that is visible to end users.

Java is used both online and offline in Windows, OS X and Linux. The online use involves Java programs, typically referred to as "applets", embedded in a web page. All the security issues regarding Java involve applets. Offline, Java is used by applications installed in your operating system. Examples of these applications are below in the "Do you need Java" section. The topic of Java being used in a web browser vs. an installed application was addressed by Steve Gibson on the Jan 16, 2013 edition of his Security Now podcast (do a find for "Jared").

A component of Java has to be installed on a computer before Java programs can execute, either online or offline. This component has a couple names. It was initially referred to as the Java Virtual Machine (JVM), but now the more common term is JRE (Java Runtime Environment). Sometimes, it is just referred to as Java, which is a big misnomer as there are many parts to the Java ecosystem.

The latest edition of Java is version 7. It comes from Oracle and is supported on Windows, OS X and Linux. Oracle gave up issuing bug fixes for Java version 6 in the middle of 2013 (for free that is; you can pay Oracle for Java 6 bug fixes). Apple continues to issue bug fixes for Java 6 on Snow Leopard, Lion and Mountain Lion.

On Windows, the Java runtime (JRE) may or may not be pre-installed; the decision is left up to the hardware manufacturer. A Java version 6 runtime was pre-installed by Apple on OS X Leopard and Snow Leopard, but starting with Lion, Apple stopped pre-installing Java. Java 6 can be installed on Lion and Mountain Lion, but it will not run applets. Java 7 can be installed on Lion and Mountain Lion to run applets. Java 7 cannot be installed on Snow Leopard. Lion and Mountain Lion can have both Java 6 and Java 7 installed concurrently.

The Java runtime (JRE) on Windows comes from Oracle (previously from Sun). On OS X, Apple supplies the JRE for Java version 6, while Oracle supplies the JRE for Java version 7. Oracle is the official supplier of the JRE for Linux, but there are also other sources available. Microsoft used to maintain their own JRE on Windows but that fell by the wayside long ago. In the old days Netscape had their own JRE as did IBM and others.

Just because a Java runtime is installed does not mean that a web browser will actually use it. There are four possible reasons for this:

  1. The use of Java may be disabled in any one browser. The only exception here is Internet Explorer which, despite what you may read online, is not capable of totally severing its connection to Java.

  2. Starting with Java 7 Update 10, the use of Java online by all installed web browsers can be disabled with a new checkbox in the security section of the Java Control Panel. To date, my experience has been that while this works, web browsers incorrectly report that Java is not installed at all.

  3. The web browser may be architecturally unable to run Java. One example of this is Chrome on OS X Lion and Mountain Lion when Java 7 is installed (it is a 32-bit vs. 64-bit issue). Another example is the tile world version of Internet Explorer 10 on Windows 8 which does not support any plug-ins.

  4. Apple may not allow it. On OS X systems (Snow Leopard, Lion and Mountain Lion) the XProtect feature has been used by Apple to prevent Java from running in Safari (not sure of other browsers, I've read conflicting information). To see this in Lion and Mountain Lion, go to System Preferences -> Security section -> Advanced button. There should be a checkbox to "Automatically update safe downloads list".

Currently Java has a poor reputation for an endless stream of security flaws. But well before this, Apple and Microsoft did not like Java because it made their operating systems less important. A Java program can, in theory, run equally well on Windows, OS X and Linux. And, that's just for starters. As long as there is a JRE for an operating system, Java programs can run on that system. This opens up other environments too, such as IBM mainframes and Unix. The popular phrase, in the early days of Java was "write once, run anywhere". But, it all went wrong, well before security flaws became the main Java story.

As it played out over the years, Flash beat out Java in the marketplace on the client side (your computer). Flash served the same cross platform needs that Java was intended for. There were annoying differences between Java runtimes from different vendors which led to the sarcastic phrase "write once, debug everywhere." It may be that Flash won out simply because there was only one source (Adobe now, Macromedia initially) for its runtime environment. On the server side however, Java has always been popular.

Java programs are prepared for execution in the JVM/JRE by being translated into something called Java bytecode. The Java Runtime Environment doesn't really care about, or deal with, the Java programming language, it takes Java bytecode as input. This, along with assorted advantages to using a JVM, has led to other programming languages also being translated into Java bytecode so that they can be run in a Java Virtual Machine. In Sept. 2013 Wired reported on two such popular languages, Clojure and Scala. A version of Ruby known as JRuby also runs in a JVM. Wired reported that Twitter runs entirely inside JVMs mostly using software written in Scala but also some written in Java. LinkedIn is also married to JVMs and uses a mixture of Java and Scala.

Now that security flaws are the big issue with Java, the safest best practice is to un-install Java and see if anything breaks. I say this because, as far as I know, there is no inventory function that reports on Java usage system-wide. Since all the security issues have been with Java applets embedded in web pages, someone that only needs Java for installed applications should disable its use in all browsers using a security feature first introduced in Java 7 Update 10 (see Oracle's instructions). Someone needing to run Java applets should normally use a web browser that has Java disabled and use a second browser, with Java enabled, exclusively on the site(s) that need Java. If you are not sure which sites use Java, Google's Chrome browser is your friend, as it warns before running Java applets.

The Version page of this site verifies that a browser is capable of running Java applets in web pages by running a very simple applet that displays the version of Java. It also has a history of Java releases and instructions for disabling Java in assorted browsers. The source code for the applet is on the About page.

Java applets can, optionally, be digitally signed. Those that are not, started generating a new pop-up warning with the introduction of Java 7 Update 11. The "version" applet on this site is not signed. Neither are those from Oracle that test if Java is working (here and here).

Finally, you may see Oracle mention the Java security baseline. This refers to the latest version of Java that contains no security flaws. This is not necessarily the latest version. There is a different security baseline edition for Java 6 and 7. To illustrate, as of mid-January 2013, Update 37 was the security baseline edition for Java 6. Windows users had access to Update 38 which contained bug fixes, but no security related bug fixes. Apple did not produce an Update 38 for the Mac, they maxed out at Update 37.
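The difference between the latest version, the security baseline and the expiration date can be checked mechanically. The following is an added example, not code from this site or from Oracle: it parses the pre-Java 9 `java -version` string and classifies a Java 8 install against the release, baseline and expiry dates listed in the news items on this page. The function names and status labels are assumptions made for the illustration.

```python
import re
from datetime import date

# Java 8 data copied from the news items on this page:
# update -> (release date, is security baseline, expiry date)
RELEASES = {
    65:  (date(2015, 10, 20), True,  date(2016, 1, 19)),
    66:  (date(2015, 11, 16), False, date(2016, 1, 19)),
    71:  (date(2016, 1, 19),  True,  date(2016, 4, 19)),
    73:  (date(2016, 2, 5),   False, date(2016, 4, 19)),
    74:  (date(2016, 2, 5),   False, date(2016, 4, 19)),
    77:  (date(2016, 3, 23),  True,  date(2016, 4, 19)),
    101: (date(2016, 7, 19),  True,  date(2016, 10, 19)),
    111: (date(2016, 10, 18), True,  date(2017, 1, 17)),
}
# Matches the pre-Java 9 scheme, e.g. java version "1.8.0_111"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(output):
    """Return (major, update) from `java -version` output, e.g. (8, 111)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 1.x.y_zz version string found")
    return int(m.group(1)), int(m.group(2) or 0)

def newest_on(day, baseline_only):
    """Highest update (optionally baselines only) released by `day`."""
    known = [u for u, (rel, base, _) in RELEASES.items()
             if rel <= day and (base or not baseline_only)]
    return max(known) if known else None

def assess(output, day):
    """Classify an installed JRE as of `day` (status labels are illustrative)."""
    major, update = parse_java_version(output)
    if major < 8:
        return "end-of-life"          # the page: Java 7 gets no more fixes
    baseline = newest_on(day, baseline_only=True)
    if baseline is None:
        raise ValueError("no baseline data for that date")
    if update < baseline:
        return "below-baseline"       # missing security fixes
    expiry = RELEASES[update][2] if update in RELEASES else None
    if expiry is not None and day >= expiry:
        return "expired"              # past Oracle's expiration date
    return "ok"

# Constructed sample input, shaped like real `java -version` output.
SAMPLE = 'java version "1.8.0_74"\nJava(TM) SE Runtime Environment (build 1.8.0_74-b02)'
```

On February 10, 2016 the newest release in this table is Update 74 while the baseline is still Update 71, so the sample install passes; the same install is below the baseline once Update 77 is out.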

 My Blogs

I have written about Java a few times in my Defensive Computing blog at Computerworld.

 Do you need Java?

In April 2012, Ed Bott addressed this by listing some applications and websites that require Java. See How big a security risk is Java? Can you really quit using it?. Some omissions from the article are

On the other hand are web sites that have walked away from Java:

 Terminology    (Revised January 15, 2013)

In the beginning, Java programs embedded in web pages were called applets. That's the term I use on this site because it was created long ago. Now however, things are more complicated. According to Oracle, Java programs running inside a browser "includes plugin applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plugins".

Windows users may find the term applet used to describe the small applications in the Control Panel (Power Options, Mouse options, Administrative Tools, etc.). These control panel thingies have nothing to do with Java, other than the Java one, which is referred to as the Java Control Panel.

Java applets can be digitally signed. Those that are not are referred to as "unsigned", "untrusted" and "sandboxed".

JavaScript is separate and distinct from Java. No relationship at all.