10

I need Java, but I don't want any browser to be able to access it.

Is it possible to remove the whole applet/browser plugin code?

reinier

4 Answers

11

As of Java Version 7 Update 10, the Java Control Panel (in the Security tab) can disable the Java plug-in completely: http://www.java.com/en/download/help/disable_browser.xml


This should avoid the possibility that a Java upgrade might re-enable the plug-in, which might be a risk with some other approaches.

slm
seanf
4

If you install the JRE, you can delete or rename npjp2.dll or libnpjp2.so (on Linux), or on Linux make it non-executable (chmod 0000 libnpjp2.so). This single file is the plugin file.

They're located in %ProgramFiles%\jre<x>\bin\plugin2 on Windows. On Linux, they're wherever your Java is installed. You can run locate libnpjp2.so to find the location.

The same also applies to the JDK.
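
The Linux steps from the answer above (find every copy of libnpjp2.so, then chmod 0000 it), as an added shell example that is not part of the original answer, with an audit check that can be rerun after a Java upgrade. The function names are hypothetical, and find is used in place of locate.

```sh
#!/bin/sh
# Added example (not from the answer): audit and disable the Java browser
# plug-in library on Linux. Function names are hypothetical.
PLUGIN_NAME="libnpjp2.so"   # plug-in file named in the answer above

# Print every copy of the plug-in under root $1 whose mode is not 0000.
# find is used rather than locate so that copies installed since the last
# updatedb run (for example by a Java upgrade) are not missed.
active_plugins() {
    find "$1" -type f -name "$PLUGIN_NAME" ! -perm 0000 2>/dev/null
}

# Report still-loadable copies; exit status 1 if any exist, so the check
# can run from cron or configuration management after each Java update.
audit_plugins() {
    active=$(active_plugins "$1")
    [ -z "$active" ] && return 0
    printf '%s\n' "$active" | sed 's/^/ACTIVE: /'
    return 1
}

# Apply chmod 0000 to every active copy; exit status 1 if any chmod fails.
# Mode 0000 does not stop a process running as root from reading the file.
disable_plugins() {
    active_plugins "$1" | (
        rc=0
        while IFS= read -r f; do
            if chmod 0000 "$f"; then echo "DISABLED: $f"; else rc=1; fi
        done
        exit "$rc"
    )
}

# Demo on a constructed directory tree (no real JRE is touched).
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/jre1/lib/amd64" "$root/jre 2/lib/i386"
    : > "$root/jre1/lib/amd64/$PLUGIN_NAME"
    : > "$root/jre 2/lib/i386/$PLUGIN_NAME"
    audit_plugins "$root"; echo "audit before: $?"
    disable_plugins "$root"
    audit_plugins "$root"; echo "audit after: $?"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with --demo to see the before and after audit results on the constructed tree; on a real system, pass the directory that contains the Java installations to audit_plugins and disable_plugins.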

3

One method to disable the Windows/IE browser plugin is to set a deny ACE on the following files:

"C:\Program Files\Java\jre6\bin\ssv.dll"
"C:\Program Files\Java\jre6\bin\jp2ssv.dll"

"C:\Program Files\Java\jre7\bin\ssv.dll"
"C:\Program Files\Java\jre7\bin\jp2ssv.dll"

"C:\Program Files (x86)\Java\jre6\bin\ssv.dll"
"C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll"

"C:\Program Files (x86)\Java\jre7\bin\ssv.dll"
"C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll"

This could be performed in a computer startup script.

If you run this command manually, it must be done from an elevated command prompt.

icacls "C:\Program Files (x86)\Java\jre7\bin\ssv.dll"
C:\Program Files (x86)\Java\jre7\bin\ssv.dll NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

icacls "C:\Program Files (x86)\Java\jre7\bin\ssv.dll" /deny Everyone:(X)
processed file: C:\Program Files (x86)\Java\jre7\bin\ssv.dll
Successfully processed 1 files; Failed processing 0 files

icacls "C:\Program Files (x86)\Java\jre7\bin\ssv.dll"
C:\Program Files (x86)\Java\jre7\bin\ssv.dll
Everyone:(DENY)(S,X)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Greg Askew
  • Is deleting it not easier? – reinier Sep 29 '12 at 17:06
  • 3
    What if a process replaced the files? This is not inconceivable, for example if an installer had the files on a manifest to determine relevancy. A script to remove the files may not be applied until the next restart. Applying the deny ACE works in most cases. – Greg Askew Sep 29 '12 at 17:27
2

Starting from Oracle JDK/JRE 7u21 (Release Notes), a Server JRE is available which can serve such a requirement.

A new Server JRE package, with tools commonly required for server deployments but without the Java plug-in, auto-update or installer found in the regular JRE package, is available starting from this release. The Server JRE is specifically targeted for deploying Java in server environments and is available for 64-bit Solaris, Windows and Linux platforms. For more information on installing this package, see Installation Instructions.

ryenus