Java has its security flaws, but it isn't going away any time soon—after all, many important applications run on the technology, especially in business settings. Still, numerous users are worried enough about vulnerabilities that they restrict Java's ability to run on their machines. That's what we heard from Ars readers when we asked Friday whether they let Java run on their computers, and why.
Some users have disabled or uninstalled Java entirely. But the most common solution for those worried about security risks is to leave the Java Runtime Environment in place on the desktop while disabling the browser plugins that allow Java applets to run on websites. Those plugins are often vulnerable to attacks involving remote code execution.
"Java as a desktop framework is not a big security risk," writes commenter Stilgar. "It is the browser plugin that presents a problem. Avoiding desktop Java on purpose does not make any sense. On the other hand every browser plugin you install on any browser increases the attack surface."