Disable Java Plugin in Google Chrome?

157

52

This is the second time I've had a drive-by executable installed on my machine using the following:

  • Google Chrome 6 (latest)
  • Windows 7, UAC on

This happened while I was browsing for images to add to a gaming.se post; one of the sites I visited (to get an image of a transfer cable) must have had drive-by browser exploit code running.

UAC alerted me that a weird temporary executable wanted to run, and I declined, but I still got the fake antivirus executable running on my machine. Sigh..

I do have Java installed because I upload stuff monthly to clearbits.net and their uploader is a Java plugin. So my best guess is, websites are doing drive-by installs using the massive numbers of zero-day vulnerabilities in the Java browser plugins.

For now, I have uninstalled Java, which works. But I wondered if I could disable the Java plugin in Google Chrome instead.

So, how do you disable these vulnerable plugins in Google Chrome? I can't find the UI.

Jeff Atwood

Posted 2010-10-20T18:46:01.107

Reputation: 22 108

How did you detect this drive-by executable? – Leonel – 2010-10-20T19:00:39.797

@leonel first, UAC triggered (I declined). Then it somehow ran anyway and started begging me to install some kind of fake antivirus in the system tray.. – Jeff Atwood – 2010-10-20T19:11:43.910

You can always see if your plug-ins need to be updated here: http://www.mozilla.com/en-US/plugincheck/ – travis – 2010-10-20T19:16:01.467

I have a Windows XP Virtual Machine set up with Java just for that reason. @Jeff Curiously, how did you go about getting rid of it? – Chad Levy – 2010-10-20T22:58:05.870

@paper I used http://www.microsoft.com/security_essentials/ – Jeff Atwood – 2010-11-09T00:03:07.830

Thanks for the wonderful article https://stackoverflow.blog/2011/07/01/its-ok-to-ask-and-answer-your-own-questions/ . – neverMind9 – 2019-03-14T09:43:21.607

I got a similar thing from a PDF the other day... and to top things off, if I had only remembered that I hadn't meant to open one, I could have avoided it! – SamB – 2010-12-10T22:07:39.947

How do you know it was a vulnerability in Java and not a vulnerability in WebKit? – BlueRaja - Danny Pflughoeft – 2011-06-28T04:57:28.397

@blue my Chrome is constantly updated (by Chrome itself..), but Java was massively out of date. Do the math.. – Jeff Atwood – 2011-06-28T05:00:36.540

Sorry, didn't know; but, doesn't Java come with an auto-updater? – BlueRaja - Danny Pflughoeft – 2011-06-28T16:38:42.513

I can't find it, but I know one was using a glitch in the print spooler to get around UAC, then TDSSv4/Alureon started using it to inject its rootkit. If you got the fake AV, it's probably a variant of the TDSS virus that downloaded it in the background. YOU SHOULD DO A ROOTKIT SCAN RIGHT NOW! https://www.securelist.com/en/blog/337/TDL4_Starts_Using_0_Day_Vulnerability

The TDSS viruses are insanely complex; they actually have code in them that inoculates the PC against other viruses and rootkits, and run completely encrypted in hidden sections on the hard drive.

You really should do a post on it.

– Ape-inago – 2013-01-29T11:36:36.510

Answers

136

For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it.

For more general plugin worries, Chrome allows you to block all plugins on all sites completely, and then allows you to selectively enable them on a page without reloading it. You can also configure exceptions for particular URLs.

To enable this, under the Plug-ins section of the settings URL chrome://settings/content, select "Block All".

With this option enabled, when you want to run plugins on a page you have 3 options:

  • Right-click on the plugin and choose "Run this plug-in" from the context menu
  • Click the plugin icon in the URL bar and choose "Run all plug-ins this time"
  • Add an exception for sites you trust so that they can run plugins without your explicit permission each time

Chrome also has a "Click to play" setting which is hidden behind a flag in some versions of Chrome. As a commenter mentioned, this option is vulnerable to clickjacking attacks so I would advise against using it. You're better off with the "Block all" feature.

Dan Herbert

Posted 2010-10-20T18:46:01.107

Reputation: 1 772

73

I found a really old bug / feature request on Google Chrome here.
It appears in Chrome 6.0 or later. Visit chrome://plugins/ or about:plugins and disable Java there.

[screenshot: chrome://plugins/ page]

Once I did this, to make sure Java was disabled, I visited a Java plugin demo page. And indeed it was disabled:

[screenshot: Java plugin demo page]

But my general recommendation is to uninstall Java -- you really don't want Java on your system unless you absolutely, positively have to have it.. because there are so many new exploits for it.

I would also recommend disabling any plugins you don't absolutely need. Every enabled plugin is an attack surface, and yet another thing that needs to be kept up to date..

Jeff Atwood

Posted 2010-10-20T18:46:01.107

Reputation: 22 108

Starting from Chrome 57, the plugins page is no longer accessible. – anton_rh – 2017-05-31T15:27:42.227

I ended up disabling like 15 plugins I didn't know I had... – juan – 2010-10-20T19:02:21.893

Couldn't you just go in and delete the "netscape" (and IE, I suppose) plugin DLLs, rather than uninstalling everything? – SamB – 2010-12-10T22:04:44.893

Oracle, in their wisdom, have broken those sun.com links. I googled "java applet demo" and tried the first non-sun link. Yes, it looks like modern Chrome disables Java by default. – Jason – 2012-09-15T11:25:36.970

31

One small trick I use with Java is to hunt around and install the x64 version only, which I only use when I fire up IE x64 to use the one-off Java only apps like the one you reference.

CoreyH

Posted 2010-10-20T18:46:01.107

Reputation: 885

Oh man, that's an awesome tip; I use IE 64-bit in a similar way when I want to test in "browser I never use but still works" – Jeff Atwood – 2010-10-20T19:08:48.097

10

Although just blocking Java sufficiently may be an easy fix, if you are in favour of a more holistic approach you may prefer to use a combination of:

  • Secunia PSI/VIM for notification of updates, vulnerabilities and automatic updates
  • Microsoft EMET for preventing stack overflows and similar
  • BufferZone for protection from drive by installers
  • iCore Virtual Accounts for times when you need to walk the dark side of the net on a production machine (it's a bit inconvenient to login/logout and uses semi-virtualisation so there is some overhead - but when you only have one machine at your disposal...)

This should protect you from more than just Java vulnerabilities.

To measure the effectiveness of these approaches (EMET alone seems to stop 90% of them) you may want to use the Social Engineering Toolkit.

Metalshark

Posted 2010-10-20T18:46:01.107

Reputation: 286

10

To only disable Java plugins one can use the -disable-java startup switch. Example:

"C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" -disable-java

Navigating to http://java.com/en/download/help/testvm.xml after a restart of the browser gives the nice message

No working Java was detected on your system. Install Java by clicking the button below.

One can read about other switches in The Power User’s Guide to Google Chrome. There is other useful information, too.

Bobrovsky

Posted 2010-10-20T18:46:01.107

Reputation: 367

0

Instead of disabling the plugin in Chrome, another possibility is configuring Java in order to disable it for all browsers.

To do that:

  1. Open Java Control Panel (C:\Program Files\Java\jre7\bin\javacpl.exe)
  2. Go to Security tab
  3. Uncheck "Enable Java content in the browser"
  4. Java tells you it will take effect after restarting browser(s)

Oriol

Posted 2010-10-20T18:46:01.107

Reputation: 1 199
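The checkbox in step 3 of the answer above is stored as the key deployment.webjava.enabled=false in Java's per-user deployment.properties file, so the same switch can be flipped from a script when you have more than one machine to fix. The following is an added example written for this page, not code from the answer or from Oracle. It assumes the default per-user file locations (Windows: AppData\LocalLow\Sun\Java\Deployment; macOS: ~/Library/Application Support/Oracle/Java/Deployment; Linux: ~/.java/deployment) and, by default, also writes the ".locked" companion key that greys the checkbox out in the Control Panel; locking is intended for the system-level properties file referenced from deployment.config, so in a plain per-user file treat it as best-effort. The sample file contents are constructed for the demonstration.

```python
"""Disable "Enable Java content in the browser" by editing deployment.properties.

Added example (not from the original answer). It rewrites the file the
Java Control Panel edits, keeping every other key in place, so it can be
applied non-interactively to many machines. Path defaults below are
assumptions to verify against the JRE build you deploy.
"""
import sys
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"
LOCK_KEY = "deployment.webjava.enabled.locked"  # written with no value, per .properties convention

# Constructed sample of a per-user file with browser Java still enabled.
SAMPLE_PROPERTIES = (
    "#deployment.properties\n"
    "deployment.version=1.7.0\n"
    "deployment.webjava.enabled=true\n"
)


def user_deployment_properties() -> Path:
    """Return the per-user deployment.properties path for this platform (assumed defaults)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return home / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties"
    return home / ".java" / "deployment" / "deployment.properties"


def disable_web_java(text: str, lock: bool = True) -> str:
    """Return `text` (a .properties file) with browser Java disabled.

    Existing lines keep their order; the webjava key is rewritten in place if
    present and appended otherwise. Comments and blank lines pass through.
    With lock=True the .locked key is ensured; with lock=False it is removed.
    """
    out = []
    seen_key = seen_lock = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", "!")):
            # .properties separates key and value with '=' or ':'
            key = stripped.split("=", 1)[0].split(":", 1)[0].strip()
            if key == WEBJAVA_KEY:
                out.append(f"{WEBJAVA_KEY}=false")
                seen_key = True
                continue
            if key == LOCK_KEY:
                seen_lock = True
                if not lock:
                    continue
        out.append(line)
    if not seen_key:
        out.append(f"{WEBJAVA_KEY}=false")
    if lock and not seen_lock:
        out.append(LOCK_KEY)
    return "\n".join(out) + "\n"


def web_java_enabled(text: str) -> bool:
    """True unless the file explicitly sets deployment.webjava.enabled to false (Java's default is enabled)."""
    enabled = True
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):
            continue
        for sep in ("=", ":"):
            if stripped.startswith(WEBJAVA_KEY + sep):
                enabled = stripped[len(WEBJAVA_KEY) + 1:].strip().lower() != "false"
    return enabled


def apply_to_file(path: Path, lock: bool = True) -> Path:
    """Rewrite `path` in place (creating it if absent) and return it."""
    # java.util.Properties reads these files as ISO-8859-1.
    existing = path.read_text(encoding="latin-1") if path.exists() else ""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(disable_web_java(existing, lock=lock), encoding="latin-1")
    return path


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else user_deployment_properties()
    apply_to_file(target)
    print(f"Browser Java disabled in {target}; restart your browsers for it to take effect.")
```

Run it with no arguments to edit the current user's file, or pass a path to edit a system-level deployment.properties instead. As the answer notes, the change only applies after the browsers are restarted, and it disables the Java plugin for every browser on the machine rather than just Chrome.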