
I would go one step further and recommend that you uninstall Java thus removing one attack vector. I did so a couple of months ago and have yet to find a case where I really needed Java.


To eliminate further attack vectors, uninstall both the browser and the OS ; ).

I just want to point out that there's a big difference between having an interpreter on your machine like python, ruby, or java, and having a browser plugin that executes remote code by default.

There's nothing wrong with the former, there's everything wrong with the latter.


Do you mean Java in the browser? If so, what do you think is happening when your JavaScript code hits your server's REST code returning JSON?


The primary difference is that JSON isn't considered executable-- at least not by any Java JSON libraries that I've seen; it's just data.

(Yes, non-executable data can still deliver a malicious payload, e.g. http://technet.microsoft.com/en-us/security/bulletin/ms04-02.... It's just much less common-- presumably because it's a much smaller attack surface.)


You forget the time when JSON was usually called with exec...

But mostly it is buffer overflow bugs that get you now.


What do you think is happening? Browsers don't use Java to parse/encode JSON... JSON is a JavaScript facility.


I use NetBeans for PHP coding mostly for its code completion and use ElasticSearch for some sites I build. There's two.


For Firefox I use QuickJava which puts a disable button in the bar. I can't remember the last time I actually enabled it. I do use Java quite frequently but rarely in the browser.


And drop Flash too while you're at it!


Flash has legitimate uses for streaming video. I very, very rarely use Java applets.


Not that the parent was suggesting the following, but do note that if you only disable the Java browser plugins, when you next update Java (the SE package/installer, at least), the updated versions of those plugins will be installed and enabled in all or most browsers. You have to go and manually disable them, again.

I keep Java around for some other reasons, so when I update, I have to remember to go and disable the browser plugins once again.


Do you also equate PC with Windows?



