Installing Java on Windows isn’t hard, but it is fraught with security issues.
DANGER, WILL ROBINSON
Before I tell you how to install it, let me tell you why you shouldn’t. Java has historically been a major source of security vulnerabilities. Only install it if you have need for it, and remove it promptly if that need ends.
This is doubly so for the browser plugin. Unless you have an unusual, mission-critical need for the browser plugin, you will almost certainly be better off deactivating it and finding alternative web services that do not need Java. Sadly, there is no separate package for the browser plugin you can uninstall, like on Linux. But the instructions below will show you how to deactivate the plugin and verify that it has been deactivated.
DOWNLOAD AND INSTALL
Unlike on Linux, Java for Windows is only available from Oracle, which is unfortunate given Oracle’s apparent indifference to Java vulnerabilities. Download the latest stable version and install it in the usual way. A few notes about which version to choose:
- I have far fewer problems with the “offline” download.
- Use Java 7. I shouldn’t even have to mention this, but there are still too many people heeding outdated articles advising users to stick to Java 6. In ye olden days, yes, but updates to Java 6 ended way back in February 2013.
- Oracle recommends using the 32 bit version, even if your version of Windows is 64 bit.
- Don’t waste your time looking for an MSI installer; there isn’t one. Java should not be thoughtlessly rolled out organization-wide in any case.
If this is an update rather than a clean install, I endorse Oracle’s suggestion to manually uninstall your earlier version(s) of Java first, reboot, then install the new version. I specify earlier versions in the plural because the automatic updater in Java for Windows is famous for leaving old, insecure versions installed and active.
Once installed, open the Java control panel and configure it. Although the Windows Control Panel provides a handy link to it, a bug (is this beginning to sound familiar?) causes security settings in it to be silently discarded. Instead, launch it manually as administrator. Where the Java control panel executable javacpl.exe is located differs according to your versions of Java and Windows. For example, 32 bit Java 7 on 64 bit Windows 7 installs it to C:\Program Files (x86)\Java\jre7\bin. Wherever it’s found, right-click on it in the file manager and select “Run as administrator”.
In Java’s control panel, I recommend the following nondefault settings:
- Update – Receive notification: Before installation.
- Update – Advanced – Frequency: Daily. Apropos of this, Oracle’s default setting of monthly is idiotic.
- Update – Advanced – Time: Select a time when the computer is usually on.
- Security – Activate Java content in browsers: Disabled.
If Java didn’t have such a buggy reputation, I might leave it at that. But it does, so I don’t. I close and reopen the control panel to check that the new settings were accepted. Then I open each browser on the computer and check its list of plugins to ensure that Java does not appear. Finally, I visit Java Tester in each browser to verify that Java does not run.
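The two checks described above (old versions left behind by the updater, and whether the "content in browsers" setting was really saved) can also be scripted. This PowerShell sketch is an added example, not part of the original notes; the registry paths, the deployment.properties locations and the deployment.webjava.enabled property name are assumptions based on Oracle's Java 7 layout.

```powershell
# Added example: list every registered JRE and report the browser-plugin setting.
# Registry paths, file locations and the property name are assumptions based on
# Oracle's Java 7 layout; adjust them if your installation differs.
$jreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',             # native registry view
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'  # 32 bit Java on 64 bit Windows
)

# Each full-version subkey (for example 1.7.0_40) represents one registered JRE.
$installed = foreach ($key in $jreKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+' } | ForEach-Object {
        $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
        [pscustomobject]@{
            Version  = $_.PSChildName
            JavaHome = $javaHome
            OnDisk   = [bool]($javaHome -and (Test-Path (Join-Path $javaHome 'bin\java.exe')))
        }
    }
}
$installed | Sort-Object Version | Format-Table -AutoSize
if (@($installed).Count -gt 1) {
    Write-Warning 'More than one JRE is registered; uninstall the older ones.'
}

# The control panel stores its settings in deployment.properties.
# The first path belongs to the account running this script, the second is system-wide.
$propFiles = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
    (Join-Path $env:windir 'Sun\Java\Deployment\deployment.properties')
)
foreach ($file in $propFiles) {
    if (-not (Test-Path $file)) { "{0}: not present" -f $file; continue }
    $hit = Select-String -Path $file -Pattern '^\s*deployment\.webjava\.enabled\s*=\s*(\S+)' |
        Select-Object -Last 1
    if ($hit) { "{0}: deployment.webjava.enabled={1}" -f $file, $hit.Matches[0].Groups[1].Value }
    else { "{0}: deployment.webjava.enabled is not set in this file" -f $file }
}
```

Run it once in each Windows account that uses the machine, since the per-user file is read from the profile of whoever runs the script.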
BUT WHAT IF YOU NEED JAVA FOR A WEBSITE?
Quoting Michael Horowitz:
If you need Java for a website, then the best approach is to disable Java in the browser you normally use and leave it enabled in a second browser that you only use on the site(s) that need Java. Oracle’s How do I disable Java in my web browser? includes instructions for disabling Java in assorted browsers.
One interesting point here is Internet Explorer. Oracle says that it is not possible to completely disable Java in Internet Explorer while leaving it enabled in another browser. Thus, Windows users that need Java for a web site should never use Internet Explorer.
KEEPING UP TO DATE
Java for Windows attempts to notify the user if an update is available and prompt to install it. This behavior is unreliable, so you will have to take your own measures to learn of and install updates.
First, the notifier sometimes silently fails to announce available updates. Nor does Oracle provide an RSS feed, mailing list, or any other official means to be informed of new updates. To work around this, follow a reliable third party such as:
- Secunia PSI will inform you if Java or any other program on your computer requires updating, and will attempt to apply the update automatically.
- Michael Horowitz announces Java updates and security news on his blog, RSS feed, and Twitter account.
Secondly, when the notifier does appear, clicking on it is supposed to install the update. However, my experience is that it fails unless you are logged in as a user with administrative privileges. Since no one should be logged in to Windows as administrator except when troubleshooting, this is a show stopper. To work around the issue, I open a new session as administrator, run the notifier manually, and install from there.
These notes were last updated 11 September 2013 during my application of 32 bit Java 7 update 40 to 64 bit Windows 7 and 8.
How to be as safe as possible with Java