|Test the version of Java your browser is using|
May 6, 2013: Although the Java spotlight shines on Oracle, other companies have also created Java runtimes. IBM ships Java for Linux, AIX (their version of Unix) and z/OS (mainframe operating system) and it's buggy too. Adam Gowdiak, the CEO of Security Explorations, just found new bugs in the Linux edition (he doesn't address AIX or z/OS) and confirmed that old bugs (dating back to Sept. 2012) were not properly fixed.
April 26, 2013: Oracle is expected to release a new version of Java
on May 10, 2013 to fix some bugs.
Update: As of May 12, 2013 9pm ET, there is no new version of Java.
April 23, 2013: A bug that was fixed last week in Java 7 Update 21 is being actively exploited by bad guys. Be sure to update to the latest Java. See Java users beware: Exploit circulating for just-patched critical flaw.
April 23, 2013: It all starts again. The first public acknowledgement of a bug in the latest edition of Java (v7 Upate 21) came from Adam Gowdiak, the CEO of Security Explorations, who has found many previous bugs in Java. As usual, the bug lets malware break out of the Java sandbox. Interesting new twist, the bug can be exploited on any system with Java installed, even if Java is disabled in all browsers. See Serious flaw in Java Runtime Environment for desktops, servers.
Java is supported on Windows, OS X and Linux. It is not supported in iOS or Chrome OS. Java is very much involved in Android, but not in a way that is visible to end users.
Java is used both online and offline in Windows, OS X and Linux. The online use involves Java programs, typically referred to as "applets", embedded in a web page. All the security issues regarding Java involve applets. Offline, Java is used by applications installed in your operating system. Examples of these applications are below in the "Do you need Java" section. The topic of Java being used in a web browser vs. an installed application was addressed by Steve Gibson on the Jan 16, 2013 edition of his Security Now podcast (do a find for "Jared").
A component of Java has to be installed on a computer before Java programs can execute, either online or offline. This component has a couple names. It was initially referred to as the Java Virtual Machine (JVM), but now the more common term is JRE (Java Runtime Environment). Sometimes, it is just referred to as Java, which is a big misnomer as there are many parts to the Java ecosystem.
The latest edition of Java is version 7. Oracle, the company behind Java, is also keeping version 6 up to date with bug fixes. I have argued, that while version is 6 is being maintained, it is safer to use than version 7. Oracle is scheduled to stop issuing bug fixes for version 6 sometime in Feb. 2013. But, this date has been pushed forward in the past.
On Windows, the Java runtime (JRE) may or may not be pre-installed, the decision is left up to the hardware manufacturer. A Java version 6 runtime was pre-installed by Apple on OS X Leopard and Snow Leopard, but starting with Lion, Apple stopped pre-installing Java. Java 6 can be installed on Lion and Mountain Lion, but it will not run applets. Java 7 can be installed on Lion and Mountain Lion to run applets. Java 7 can not be installed on Snow Leopard. Lion and Mountain can have both Java 6 and Java 7 installed concurrently.
The Java runtime (JRE) on Windows comes from Oracle (previously from Sun). On OS X, Apple supplies the JRE for Java version 6, while Oracle supplies the JRE for Java version 7. Oracle is the official supplier of the JRE for Linux, but there are also other sources available. Microsoft used to maintain their own JRE on Windows but that fell by the wayside long ago. In the old days Netscape had their own JRE as did IBM and others.
Just because a Java runtime is installed, does not mean that a web browser will actually use it. There are three possible reasons for this:
Currently Java has a poor reputation for an endless stream of security flaws. But well before this, Apple and Microsoft did not like Java because it made their operating systems less important. A Java program can, in theory, run equally well on Windows, OS X and Linux. And, that's just for starters. As long as there is a JRE for an operating sytem, Java programs can run on that system. This opens up other environments too, such as IBM mainframes and Unix. The popular phrase, in the early days of Java was "write once, run anywhere". But, it all went wrong, well before security flaws became the main Java story.
As it played out over the years, Flash beat out Java in the marketplace. Flash served the same cross platform needs that Java was intended for. There were annoying differences between Java runtimes from different vendors which led to the sarcastic phrase "write once, debug everywhere." It may be that Flash won out simply because there was only one source (Adobe now, Macromedia initially) for its runtime environment.
Now that security flaws are the big issue with Java, the safest best practice is to un-install Java and see if anything breaks. I say this because, as far as I know, there is no inventory function that reports on Java usage system-wide. Since all the security issues have been with Java applets embedded in web pages, someone that only needs Java for installed applications, should disable its use in all browsers using a security feature first introduced in Java 7 Update 10 (see Oracle"s instructions). Someone needing to run Java applets should normally use a web browser that has Java disabled and use a second browser, with Java enabled, exclusively on the site(s) that need Java. If you are not sure which sites use Java, Google's Chrome browser is your friend, as it warns before running Java applets.
The Version page of this site verifies that a browser is capable of running Java applets in web pages by running a very simple applet that displays the version of Java. It also has a history of Java releases and instructions for disabling Java in assorted browsers. The source code for the applet is on the About page.
Java applets can, optionally, be digitally signed. Those that are not, started generating a new pop-up warning with the introduction of Java 7 Update 11. The "version" applet on this site is not signed. Neither is the one at time.gov or those from Oracle that test if Java is working (here and here). The Secunia Online Software Inspector applet is signed.
Speaking of warnings, Firefox 18 warns before running Java 6 applets for no good reason. It is a leftover artifact from the security scare around Java in mid-January 2013.
Finally, you may see Oracle mention the Java security baseline. This refers to the latest version of Java that contains no security flaws. This is not necessarily the latest version. There is a different security baseline edition for Java 6 and 7. To illustrate, as of mid-January 2013, Update 37 was the security baseline edition for Java 6. Windows users had access to Update 38 which contained bug fixes, but no security related bug fixes. Apple did not produce an Update 38 for the Mac, they maxed out at Update 37.
In April 2012, Ed Bott adressed this by listing some applications and websites that require Java. See How big a security risk is Java? Can you really quit using it?. Some omissions from the article are
On the other hand, Libre Office which says it needs Java, in fact, it says so multiple times, seems to run fine without it.
In the beginning, Java programs embedded in web pages were called applets. That's the term I use on this site because it was created long ago. Now however, things are more complicated. According to Oracle, Java programs running inside a browser "includes plugin applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plugins".
Windows users may find the term applet used to describe the small applications in the Control Panel (Power Options, Mouse options, Administrative Tools, etc.). These control panel thingies have nothing to do with Java, other than the Java one, which is referred to as the Java Control Panel.
Java applets can be digitally signed. Those that are not are referred to as "unsigned", "untrusted" and "sandboxed".