Turn off Java, they warn... Here's how you do it

Security advice for web users last week from the US Department of Homeland Security recommended that Java should be disabled, lest a growing number of exploits leave your computer open to hacking. "Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered" the US-CERT warned, and argued that users should "consider disabling Java in web browsers until adequate updates are available." Read on past the cut for cross-browser details as to how to do that.

The simplest way – assuming you're relatively up-to-date with your Java installation in the first place – is to disable Java runtimes from operating in the browser within the software's own settings page. From Java 7 Update 10, there's an option in the Security tab of the Settings page to "Enable Java content in the browser" which, when unchecked, stops any Java from running.

Firefox

If you're running Firefox, you want to head to Add-Ons in the Tools menu. From the dialog that opens, choose Plugins: if you're on Windows 8, you want to select "Java (TM) Platform" and then click the Disable button. If you're on Mac OS X, choose either "Java Plug-in 2 for NPAPI Browsers" or "Java Applet Plugin" and click the Disable button. It's also advised to disable the Java Development Toolkit plugin as well. Instructions for other OS versions can be found here.

Chrome

If you're on Chrome, you can visit chrome://plugins/ to see if Java is installed. Click the Disable button under the entry, which automatically blocks both the Java and Java Development Toolkit plugins.

More details on managing Chrome plugins are here.

Safari

On Safari, there's a single checkbox that controls Java. Go to the Preferences page and choose the Security tab; uncheck the box next to "Enable Java" to turn it off. More information can be found here.

It's also worth noting that Apple removed Java from OS X by default, with an October software update uninstalling the software from Macs running either Lion or Mountain Lion.

Opera

In the Opera browser, setting Java to run only when given permission is handled in the Settings page. From there, choose Preferences and then click Advanced: choose "Enable plug-ins only on demand" to force Opera to ask permission to run. However, it's worth noting that this will force all plugins loaded to request permission, which could prove frustrating.

Internet Explorer

Finally, there's Internet Explorer, a process which is altogether more convoluted. The US-CERT gives manual instructions, but there's also a specific registry editing file which, when installed, prevents any Java from being loaded. Performed manually, you need to create and load a .REG file with the following:

[HKEY_CLASSES_ROOT\JNLPFile]

@="JNLP File"

"EditFlags"=hex:00,00,00,00

This changes Internet Explorer's security settings to demand permission to run Java by default. Further disabling can be done by removing the file "jp2iexp.dll"; that is commonly located at the following locations:

C:\Program Files\Java\jdk{version}\jre\bin

C:\Program Files\Java\jre7\bin

C:\Program Files\Oracle\JavaFX {version} Runtime\bin

Secondly, locate and delete any instances of the "npjpi{version}.dll" file, where {version} is a string of numbers related to the version of Java installed (e.g. npjpi170_06.dll). That file is commonly located at the following locations:

C:\Program Files\Java\jdk{version}\jre\bin

C:\Program Files\Java\jre7\bin

C:\Program Files\Oracle\JavaFX {version} Runtime\bin

I want to get rid of Java altogether

The safest option of all, of course, is to uninstall Java completely. Instructions for doing that on Windows are here, while Mac instructions are here. In brief, Windows users should go to either the "Programs and Features" option or the "Add/Remote Programs" option, depending on which version of the OS they're running, and uninstall Java from the list of installed applications.

For Mac users, it involves opening Finder and searching for "JavaAppletPlugin.plugin" then moving that to the Trash. Administrator privileges are required to do that.