Yesterday I read about a new Java 0-day exploit that allows executing arbitrary programs on victim computers just by accessing a Web page, without any confirmation from the users.
I need Java Runtime Environment for a very nice app that I use: Geogebra. This and some Yahoo! Messenger games (like Pool or Backgammon) were the only reasons I still keep JRE installed.
I really don’t need the Java plugin enabled in any browser and for major browsers this shouldn’t be a big issue. There are specific and documented ways for disabling Java.
A pretty tricky problem is that my browser of choice is Maxthon 3 (don’t ask me why) and disabling the Java browser plugin isn’t as easy via the UI as in other browsers. Even though Maxthon supports two engines (Chrome and IE), it doesn’t expose advanced options (like about:plugins or about:config in other browsers) that would allow better plugin control.
So, the problem was finding a way to disable the Java plugin in Maxthon (and in my other browsers), but still keep the JRE installed in order to use it for Geogebra.
The nicest trick I found for solving my problem was (now I’m assuming the reader has some prior knowledge of manipulating the Windows Registry… and that he’s using Windows):
(1) open the Registry Editor;
(2) in HKEY_LOCAL_MACHINE find (CTRL+F) the key named MozillaPlugins (its location varies based on OS architecture – 32/64-bit; e.g. in 64-bit Windows 7 the location should be HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\);
(3) expand that key and export the subkeys whose names match @java.com/*;
(4) delete those java keys.
This single move disabled the Java plugin in Maxthon 3, Firefox 15 and Chrome 18. I didn’t bother with Internet Explorer, since I don’t use it (except for testing some of my Web apps). Note that disabling Java in IE affects the Yahoo! Messenger games mentioned above. Also note that clicking a Java applet placeholder in Maxthon, even after deleting those registry keys, displays an empty dialog with two buttons (when you click the left button, the browser tries to retrieve the plugin from the Web).
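The same export-then-delete steps can be scripted so that every machine gets a backup before anything is removed. This is an added example, not part of the original post; the backup folder `$BackupDir` and the file naming are assumptions, and it must run from an elevated PowerShell prompt.

```powershell
# Added example: back up, then remove, the @java.com/* plugin registrations.
# $BackupDir is an assumed location; change it to suit.
$BackupDir = Join-Path $env:USERPROFILE 'java-plugin-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Step 2: the parent key location depends on the OS architecture, so check both.
$parents = 'SOFTWARE\MozillaPlugins', 'SOFTWARE\Wow6432Node\MozillaPlugins'

foreach ($parent in $parents) {
    # Open writable; returns $null when the key does not exist on this machine.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($parent, $true)
    if ($null -eq $key) { continue }
    try {
        # Subkey names contain '/', which the PowerShell registry provider
        # treats as a path separator, so enumerate through .NET instead.
        $javaKeys = $key.GetSubKeyNames() | Where-Object { $_ -like '@java.com/*' }
        foreach ($name in $javaKeys) {
            $full = "HKLM\$parent\$name"
            $safe = ($parent + '_' + $name) -replace '[\\/:@]', '_'
            $file = Join-Path $BackupDir ($safe + '.reg')

            # Step 3: export the subkey; /y overwrites an older backup file.
            & reg.exe export $full $file /y | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "Export failed, leaving $full in place"
                continue
            }

            # Step 4: delete only after the backup exists on disk.
            $key.DeleteSubKeyTree($name)
            Write-Output "Removed $full (backup: $file)"
        }
    }
    finally {
        $key.Close()
    }
}
```

To re-enable the plugin later, import the saved files again with `reg import <file>.reg`.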
After all those changes you might want to test your browser.
This is, of course, a quick and dirty fix for a 0-day situation, not a thorough solution.