  1. #1

    Soo.. final verdict, java safe or not?

    A while back I uninstalled, me and my friend, because there were certain loop-holes or what have you that made the program insecure and the devs apparently weren't fixing it. I don't know the full story, and I'm not exactly computer savvy I just know the basics and wanted my computer safe, especially since I don't use any anti-virus software. I hate the hassle, and haven't gotten a virus in literally years because I'm not stupid enough to DL sketchy shit.

    I need to use java for certain programs, is it safe to install and use?

  2. #2
    Quote Originally Posted by Lazuli View Post
    A while back I uninstalled, me and my friend, because there were certain loop-holes or what have you that made the program insecure and the devs apparently weren't fixing it. I don't know the full story, and I'm not exactly computer savvy I just know the basics and wanted my computer safe, especially since I don't use any anti-virus software. I hate the hassle, and haven't gotten a virus in literally years because I'm not stupid enough to DL sketchy shit.

    I need to use java for certain programs, is it safe to install and use?
    no, few programs are. Question is, do you have stuff on your pc that makes it more attractive than other pc's to avoid this feature that pretty much all pc's bar restricted company servers use?

  3. #3
    Dreadlord ItsRedd's Avatar
    Join Date
    Dec 2012
    Location
    Amsterdam
    Posts
    820
    Meh, there will always be loopholes. Much like how they will always end up being fixed. As you said yourself, you're not a nooby user that simply runs any script / app he comes across.

    It's near impossible to effectively use your computer without Java these days.

    As KayKay said, what makes you a 'valuable' target? Also, it's really recommended to run an AV program like Nevor below me says. Doesn't matter how careful you are.
    Last edited by ItsRedd; 2013-03-27 at 11:36 AM.

    FPS MAP DESIGN | Core i5 3570k 4.9GHz@1.245v | Be Quiet! Dark Rock Pro 2 | ASRock Z77 Extreme4 | 2x4GB Corsair Vengeance@1600 | Gigabyte Radeon 7950 Windforce x3 | Samsung 840 250GB SSD | WD Black 500GB | 2x WD Green 1TB | Antec HCG520 | Tt Chaser Mk I

  4. #4
    java and flash are still and will always be the most unsafe programs while surfing...
    especially java is being used for the distribution of viruses and you can get them with just visiting a prepared webpage.
    of course updating it very regularly helps against older exploits but you can't be sure everything has been patched or is known to them, yet.

    i would NOT recommend activating java without having an up-to-date virus software on the computer and only have it on when you need it!

  5. #5
    Would recommend using two browsers. One java enabled for the 1-2 sites where it's required, and other browser for everything else with java plugin turned off. Critically important is that you don't slack with this and use the java enabled browser only when you must instead of regular daily web surfing out of convenience. If you don't need java online anywhere, don't install any browser plugins with it.
    Enhancement ~ Hand of A'dal, Grand Crusader, Light of Dawn, Dragonslayer, Firelord, Savior of Azeroth, Fearless, 6/13 25H

  6. #6
    Java is among the most popular of technologies for doing anything on the web. I'm kind of baffled by the fact that you think having no antivirus and no Java means you're safe on the web "because you're not stupid". You don't have to be an idiot or practice unsafe browsing to be affected by malware. Trusted sites get compromised. You visit sites you've never been to. Other technologies (Flash, ActiveX, VisualBasic, Silverlight) open you up to attack as well. If you want to be safe online, it's better to have protection.
    Antivirus software isn't something you have to be hassled with. It doesn't require regular input from the user. Download something free, like Avast (or whatever else suits you and has a proven track record), and let it automatically update the virus definitions. It'll run in the system tray and only require action when something requires your attention.
    http://www.av-comparatives.org/ has regular updates regarding the effectiveness of AV software. Avast, AVIRA, BitDefender, BullGuard, ESET (NOD32), F-Secure, G DATA, and Kaspersky all routinely receive high marks and/or awards. In the most recent results released, BitDefender won in comparison to all the other software tested.
    Also consider using NoScript and Firefox. The addon will prevent any script or object (i.e. flash player) from being loaded without your express permission allowing items to run, either by clicking them or authorizing the domain via the addon. NoScript is the kind of thing that is a hassle, but it also allows you to only load what you want to load while keeping Java and other potentially unsafe technologies installed so that you can function on the web.

  7. #7
    i was under the impression the loop hole that was announced was in the JDK7 pack (java development kit version 7). so unless you have downloaded the development kit version 7 which would allow you to write code in java then you should be safe from the announced loop hole


    AddOn Author of: SpellNotReadyYet, Rune of Powa

  8. #8
    Quote Originally Posted by Taira View Post
    Java is among the most popular of technologies for doing anything on the web.
    Java and JavaScript are two entirely different things. Java was hyped around a decade ago as a technology to run code on browsers, but because it's so damn insecure it has since moved into server side where it should be replacing C++ and in some parts PHP/Perl. Only a few retarded websites use Java anymore, most have moved into "web 2.0" ie. JavaScript, CSS3 and HTML5.

    Quote Originally Posted by SpaceDuck View Post
    i was under the impression the loop hole that was announced was in the JDK7 pack (java development kit version 7). so unless you have downloaded the development kit version 7 which would allow you to write code in java then you should be safe from the announced loop hole
    There are security bugs in every single release version of JRE/JDK from the last several years, it's not a problem of one specific version. That's why security experts are recommending turning it off.

  9. #9
    I think one should avoid using any kind of browser addon which can potentially allow execution of malicious code on your machine outside of the browser. This includes Java, Flash and all similar stuff. I have Java Applets turned off at all times and Flash turned off by default (I only turn it on for youtube). To be honest, in the last several years I only once had to use a Java Applet - because some stupid web portal I was forced to work with relies on them. As it seems, Java days of client-side WWW are long gone and Flash is getting there as well. Java is obviously still a very powerful server-side platform and also has its uses on the desktop.

  10. #10
    Elemental Lord Rukentuts's Avatar
    Join Date
    Jan 2011
    Location
    Mini Soda
    Posts
    8,956
    The security issue that prompted the US Government warning has been fixed.
    ~Cycling in 2013~
    Outings: 32 | Distance: 1,191.63 mi | Time: 88:53:14 h:m:s
    Goals: 10000mi; Double Century (Not Done); 30 Centuries (3)
    Quote Originally Posted by Arctic Daishi View Post
    Anyone who has children without permission of the state will be executed and have their children sent to labour camps. Fear will keep the locals in line.

  11. #11
    Quote Originally Posted by Rukentuts View Post
    The security issue that prompted the US Government warning has been fixed.
    And new holes found since.

  12. #12
    Bloodsail Admiral evokanu's Avatar
    Join Date
    Dec 2011
    Location
    Sweden
    Posts
    1,138
    Would recommend getting an antivirus program even if you do not download sketchy shit, there are ways to infect one with viruses without downloading questionable files, i.e. commercials on a normally fully safe website can be infected with drive-by kind of virus, installing on your computer without informing you at all.
    http://en.wikipedia.org/wiki/Drive-by_download

  13. #13
    Stood in the Fire
    Join Date
    Feb 2011
    Location
    UK
    Posts
    413
    Quote Originally Posted by Rukentuts View Post
    The security issue that prompted the US Government warning has been fixed.
    The security holes get obfuscated away in each new patch but they are still there. This particular Java security issue won't be completely fixed for at least another couple of years.

  14. #14
    Scarab Lord Cyanotical's Avatar
    Join Date
    Feb 2011
    Location
    Aurora, Co
    Posts
    4,094
    uninstalling java will do nothing against someone who wants access to your computer and knows what they are doing, there are thousands of other ways to own the box

    you can install it, but do be careful about what you install and what websites you visit, same as always

    if you need an AV program, we have tons of threads on the subject

    i7-3960x | R4E | 32GB DDR3-2133 | GTX-690 Quad SLI | Xonar Xense | 512GB Samsung 830 | AX1200 | FT02
    Dell U2711 | Ducky 9008S | Steelseries Sensei | Xonar Essence One | KRK RP8 G2s | KRK 10S

  15. #15
    Quote Originally Posted by Cyanotical View Post
    uninstalling java will do nothing against someone who wants access to your computer and knows what they are doing, there are thousands of other ways to own the box

    you can install it, but do be careful about what you install and what websites you visit, same as always

    if you need an AV program, we have tons of threads on the subject
    I am not going to suggest you uninstall Java as previously stated, it runs a lot of stuff. BUT if you find you run limited programs and don't have a need for Java, don't pop it on.

    The above quote is a really annoying mindset recently. Sure, there are skilled users out there who could use sophisticated methods to access your system without java loopholes. That isn't who you should be worried about. You're worried about lowering the acceptable risk associated with your system. By keeping Java patched or uninstalled, you are essentially knocking off a giant chunk of potential risk.

    TLDR: You're smart, weigh risk with inconvenience. If you have a ton of sensitive data, don't use known attack routes, or at least keep them well maintained.
    Last edited by Pwellzor; 2013-03-27 at 05:49 PM.

  16. #16
    Scarab Lord Cyanotical's Avatar
    Join Date
    Feb 2011
    Location
    Aurora, Co
    Posts
    4,094
    Quote Originally Posted by Pwellzor View Post
    I am not going to suggest you uninstall Java as previously stated, it runs a lot of stuff. BUT if you find you run limited programs and don't have a need for Java, don't pop it on.

    The above quote is a really annoying mindset recently. Sure, there are skilled users out there who could use sophisticated methods to access your system without java loopholes. That isn't who you should be worried about. You're worried about lowering the acceptable risk associated with your system. By keeping Java patched or uninstalled, you are essentially knocking off a giant chunk of potential risk.

    TLDR: You're smart, weigh risk with inconvenience. If you have a ton of sensitive data, don't use known attack routes, or at least keep them well maintained.
    security is balanced on three principles: accessibility, integrity and accountability, if any of them are too weak, security is compromised, if any are too strong, it upsets the user, uninstalling java lowers accessibility in that it limits what you can do with your computer, meanwhile keeping it installed without any thought lowers the integrity of your computer

    what i said may be annoying, but it's true, minimizing risk is a nice way to think that your computer is secure, obviously leaving a port open is not smart either, it's smart to lock down your network, but what i was pointing more at was that you can't think that simply uninstalling java makes your computer secure, it's like locking the windows and thinking you're safe even though the front door is wide open
    Last edited by Cyanotical; 2013-03-27 at 06:02 PM.


  17. #17
    I very much agree with your point about accessibility. It is quite unnecessary to remove Java in the grand scheme of things, and I didn't feel I needed to repeat what others said about installing antivirus software, there are simple free Microsoft programs he could grab with little to no hassles as he mentioned earlier.

    My point really was that including the above suggestions about AV software, the choice to use Java is up to the user. If he doesn't need to use it(which is unlikely but possible), he is better off. If the front door is locked, and the window doesn't exist, all you have to worry about is the door.

  18. #18
    Stood in the Fire
    Join Date
    Feb 2011
    Location
    UK
    Posts
    413
    Quote Originally Posted by Cyanotical View Post
    uninstalling java will do nothing against someone who wants access to your computer and knows what they are doing, there are thousands of other ways to own the box
    Could you please give one example out of those thousands of ways if there is no vulnerability on my system and assuming I am not a retard? Not counting DDoS attacks.

  19. #19
    Scarab Lord Cyanotical's Avatar
    Join Date
    Feb 2011
    Location
    Aurora, Co
    Posts
    4,094
    Quote Originally Posted by Twoddle View Post
    Could you please give one example out of those thousands of ways if there is no vulnerability on my system and assuming I am not a retard? Not counting DDoS attacks.
    uh, no, i'm not going to hand out ideas

    i would suggest buying a CEH book, it's more in depth than Security+ but more oriented on intrusion than CISSP


  20. #20
    Quote Originally Posted by Twoddle View Post
    Could you please give one example out of those thousands of ways if there is no vulnerability on my system and assuming I am not a retard? Not counting DDoS attacks.
    Almost everything has vulnerabilities. If you're connected to the internet, you can be hacked.

    From this year's pwn2own competition:
    Google returns as a sponsor and the rules are changed to require full disclosure of exploits and techniques used.[49] Web browsers Google Chrome, Internet Explorer and Firefox along with Windows 8 and Java have been exploited.[50]

    At Pwn2Own 2013, French security firm VUPEN has successfully exploited a fully updated Internet Explorer 10 on Microsoft Surface Pro running a 64-bit version of Windows 8 and fully bypassed Protected Mode sandbox without even crashing or freezing the browser. [51] VUPEN team has next exploited Mozilla Firefox, Adobe Flash, and Oracle Java to win a total prize of $250,000, the highest payout to date.[52]

    Nils and Jon from MWRLabs were successful in exploiting Google Chrome using WebKit and Windows kernel flaws to bypass Chrome sandbox and win $100,000.

    George Hotz exploited Adobe Acrobat Reader and escaped the sandbox to win $70,000. James Forshaw, Joshua Drake, and Ben Murphy independently exploited Oracle Java to win $20,000 each.

    Apple Safari on Mountain Lion was not targeted as no teams showed up.
