Disable Java Plugin in Google Chrome?


Solution 1

For Java specifically, Chrome now disables Java by default on all pages and prompts you to allow it to run each time a site needs it.

For more general plugin worries, Chrome allows you to block all plugins on all sites completely, and then allows you to selectively enable them on a page without reloading it. You can also configure exceptions for particular URLs.

To enable this, under the Plug-ins section of the settings url: chrome://settings/content select "Block All".

With this option enabled, when you want to run plugins on a page you have 3 options:

  • Right click on the plugin and choose "Run this plug-in" from the context menu
  • Click the plugin icon in the URL bar and choose "Run all plug-ins this time"
  • Add an exception for sites you trust so that they can run plugins without your explicit permission each time

Chrome also has a "Click to play" setting which is hidden behind a flag in some versions of Chrome. As a commenter mentioned, this option is vulnerable to clickjacking attacks so I would advise against using it. You're better off with the "Block all" feature.

Solution 2

I found a really old bug / feature request on Google Chrome here.
It appears in Chrome 6.0 or later. Visit chrome://plugins/ or about:plugins and disable Java there.


Once I did this, to make sure Java was disabled, I visited a Java plugin demo page. And indeed it was disabled:


But my general recommendation is to uninstall Java -- you really don't want Java on your system unless you absolutely, positively have to have it, because there are so many new exploits for it.

I would also recommend disabling any plugins you don't absolutely need. Every enabled plugin is an attack surface, and yet another thing that needs to be kept up to date.

Solution 3

One small trick I use with Java is to hunt around and install the x64 version only, which I only use when I fire up IE x64 to use the one-off Java only apps like the one you reference.

Solution 4

Although it may be an easy fix, just sufficiently blocking Java, if you are in favour of a more holistic approach you may prefer to use a combination of:

  • Secunia PSI/VIM for notification of updates, vulnerabilities and automatic updates
  • Microsoft EMET for preventing stack overflows and similar
  • BufferZone for protection from drive by installers
  • iCore Virtual Accounts for times when you need to walk the dark side of the net on a production machine (it's a bit inconvenient to login/logout and uses semi-virtualisation so there is some overhead - but when you only have one machine at your disposal...)

This should protect you from more than just Java vulnerabilities.

To measure the effectiveness of these approaches (EMET alone seems to stop 90% of them) you may want to use the Social Engineering Toolkit.

Solution 5

To only disable Java plugins one can use the -disable-java startup switch. Example:

"C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" -disable-java

Navigating to http://java.com/en/download/help/testvm.xml after a restart of the browser gives the nice message

No working Java was detected on your system. Install Java by clicking the button below.

One can read about other switches in The Power User’s Guide to Google Chrome. There is other useful information, too.
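The answers above confirm the result by loading a Java test page; the same check can be scripted against the browser's `navigator` object. This is an added example, not code from the original answers: `auditJavaExposure`, `SAMPLE_BEFORE` and `SAMPLE_AFTER` are hypothetical names, and the sample plugin entries are constructed.

```javascript
// Added example (not from the original answers): report whether a
// Navigator-like object still exposes a Java plugin after it was disabled.
const JAVA_MIME = /^application\/x-java-(applet|vm|bean)\b/i;
const JAVA_NAME = /\bjava\b/i; // word boundary keeps "JavaScript" from matching

function auditJavaExposure(nav) {
  const findings = [];
  // navigator.plugins / navigator.mimeTypes are array-like, so copy them first.
  for (const p of Array.from(nav.plugins || [])) {
    if (JAVA_NAME.test(p.name || "") || JAVA_NAME.test(p.description || "")) {
      findings.push({ kind: "plugin", value: p.name, file: p.filename || null });
    }
  }
  for (const m of Array.from(nav.mimeTypes || [])) {
    // A registered MIME type only matters while a plugin is enabled for it.
    if (JAVA_MIME.test(m.type || "") && m.enabledPlugin) {
      findings.push({ kind: "mime", value: m.type, file: m.enabledPlugin.filename || null });
    }
  }
  let javaEnabled = false;
  try {
    javaEnabled = typeof nav.javaEnabled === "function" && nav.javaEnabled() === true;
  } catch (e) { /* treat a throwing implementation as "not enabled" */ }
  return { exposed: javaEnabled || findings.length > 0, javaEnabled, findings };
}

// Constructed sample data: plugin names and file names are placeholders.
const javaPlugin = { name: "Java(TM) Platform SE (sample)", filename: "java-plugin.sample", description: "Java Plug-in" };
const flashPlugin = { name: "Shockwave Flash (sample)", filename: "flash.sample", description: "Flash" };
const SAMPLE_BEFORE = {
  javaEnabled: () => true,
  plugins: [javaPlugin, flashPlugin],
  mimeTypes: [
    { type: "application/x-java-applet;version=1.6", enabledPlugin: javaPlugin },
    { type: "application/x-shockwave-flash", enabledPlugin: flashPlugin },
  ],
};
const SAMPLE_AFTER = {
  javaEnabled: () => false,
  plugins: [flashPlugin],
  mimeTypes: [{ type: "application/x-shockwave-flash", enabledPlugin: flashPlugin }],
};

console.log(auditJavaExposure(SAMPLE_BEFORE).findings.length, auditJavaExposure(SAMPLE_AFTER).exposed);
// In a browser console, call auditJavaExposure(navigator) instead.
```

A MIME type that is registered but has no enabled plugin is deliberately not reported, since that is the state a disabled plugin leaves behind.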

Author by

Jeff Atwood


Updated on September 17, 2022

Comments

  • Jeff Atwood
    Jeff Atwood over 1 year

    This is the second time I've had a drive-by executable installed on my machine using the following:

    • Google Chrome 6 (latest)
    • Windows 7, UAC on

    This happened while I was browsing for images to add to a gaming.se post; one of the sites I visited (to get an image of a transfer cable) must have had drive-by browser exploit code running.

    UAC alerted me that a weird temporary executable wanted to run, and I declined, but I still got the fake antivirus executable running on my machine. Sigh..

    I do have Java installed because I upload stuff monthly to clearbits.net and their uploader is a Java plugin. So my best guess is, websites are doing drive-by installs using the massive numbers of zero-day vulnerabilities in the Java browser plugins.

    For now, I have uninstalled Java, which works. But I wondered if I could disable the Java plugin in Google Chrome instead.

    So, how do you disable these vulnerable plugins in Google Chrome? I can't find the UI.

    • Admin
      Admin over 13 years
      How did you detect this drive-by executable?
    • Admin
      Admin over 13 years
      @leonel first, UAC triggered (I declined). Then it somehow ran anyway and started begging me to install some kind of fake antivirus in the system tray..
    • Admin
      Admin over 13 years
      You can always see if your plug-ins need to be updated here: mozilla.com/en-US/plugincheck
    • Admin
      Admin over 13 years
      I have a Windows XP Virtual Machine set up with Java just for that reason. @Jeff Curiously, how did you go about getting rid of it?
    • Admin
      Admin over 13 years
      I got a similar thing from a PDF the other day... and to top things off, if I had only remembered that I hadn't meant to open one, I could have avoided it!
    • Admin
      Admin almost 13 years
      How do you know it was a vulnerability in Java and not a vulnerability in webkit?
    • Admin
      Admin almost 13 years
      Sorry, didn't know; but, doesn't Java come with an auto-updater?
    • Admin
      Admin over 11 years
      I can't find it, but I know one was using a glitch in the print spooler to get around UAC, then TDSSv4/Alureon started using it to inject its rootkit. If you got the fake AV, it's probably a variant of the TDSS virus that downloaded it in the background. YOU SHOULD DO A ROOTKIT SCAN RIGHT NOW! securelist.com/en/blog/337/… The TDSS viruses are insanely complex, they actually have code in them that inoculates the PC to other viruses and rootkits, and run completely encrypted in hidden sections on the hard drive. You really should do a post on it.
    • Admin
      Admin about 5 years
      Thanks for the wonderful article stackoverflow.blog/2011/07/01/… .
  • juan
    juan over 13 years
    I ended up disabling like 15 plugins I didn't know I had...
  • Jeff Atwood
    Jeff Atwood over 13 years
    oh man that's an awesome tip; I use IE 64 bit in a similar way when I want to test in "browser I never use but still works"
  • SamB
    SamB over 13 years
    Couldn't you just go in and delete the "netscape" (and IE, I suppose) plugin DLLs, rather than uninstalling everything?
  • Jason
    Jason over 11 years
    Oracle, in their wisdom, have broken those sun.com links. I googled "java applet demo" and tried the first non-sun link. Yes, it looks like modern Chrome disables Java by default.
  • anton_rh
    anton_rh almost 7 years
    Starting from Chrome 57, the plugins page is no longer accessible.