Alexander’s Blog

February 10, 2013

How to Disable Java in All Your Browsers

by @ 1:17 pm. Filed under Articles, Browsers, Scripting, Security/Firewalls, Tips & Tricks, Windows 8

By now you may have heard of all the warnings and bad things that can happen if you have Java installed on your computer, like having your credit card or other personal data stolen, identity theft, and spyware installed on your computer after you are redirected to certain sites. Even the Department of Homeland Security (DHS) issued a warning in January to disable Java. This is rather unusual because DHS doesn’t usually go around telling people what they should remove from their computers.

Before I tell you how to disable Java, I want to make it clear that Java is not the same thing as JavaScript. They may sound similar but they are two different things.

Difference Between Java & JavaScript

Oracle’s Java is a programming language while JavaScript is a scripting language developed by Netscape and is not part of the Java platform. JavaScript is used inside HTML pages to enhance their functionality and can make your Web pages do things that HTML code won’t let you do by itself.

According to Java.com here are the key differences between Java and JavaScript.

Disabling Java

So now you know that we are concerned about Java, and not JavaScript. You can disable Java on individual browsers, or you can disable Java for all the browsers. I personally prefer to disable it on all the browsers. I use Firefox, Internet Explorer and Chrome on a daily basis on the same computer. If you want to disable Java on an individual browser, for example, Chrome, you can type chrome://plugins, click Disable and then restart the browser. In Firefox go to Add-ons, locate Java platform, disable it and restart the browser. In Internet Explorer it is not easy to disable Java. In fact, even if you go to the Java Web site and check if you have Java installed in Internet Explorer, don’t believe it as gospel truth. You can read this InfoWorld article for more information: Disabling Java in Internet Explorer: No easy task. Frankly, besides Internet Explorer, other browsers can also lie and tell you that Java is not installed, when it is.

The security warning issued by DHS was related to all versions of Java 7 through Update 10. Java 7 Update 11 sets the default Java security settings to “High” so that users will be prompted before running unsigned or self-signed Java applets. The latest version as of today is Java 7 Update 13. With all the issues with Java I believe it is best to disable Java altogether on all the browsers. Period!

NOTE: Even after Oracle claimed that they have fixed the problem that prompted DHS to issue a security warning, DHS still insisted that we should disable Java.

Disabling Java in Internet Explorer

  1. If you don’t already have Java installed, install the latest version of Java. I know, I am asking you to install Java but you can’t kill the beast if it doesn’t exist. So first you need to install it and then disable it. This will be good for you in the long run. As of today, the latest version of Java is Java 7, Update 13.
  2. Windows 8/7/Vista: Go to Control Panel and search for Java. Double-click to open the Java Control Panel.

    NOTE: On 64-bit Windows computers you can also get to the Java Control Panel by using this command at Start, Run: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe. On 32-bit Windows computers, use the following command: c:\Program Files\Java\jre7\bin\javacpl.exe.

    Windows XP: Go to Control Panel and double-click to open the Java Control Panel.

  3. On the Security tab, uncheck the box Enable Java content in the browser. This should disable Java on ALL your browsers, even though it doesn’t say that on the screen. This will provide the highest level of security and none of the Java apps (signed or unsigned) will run in your browser. This is the method I prefer.

  4. Restart your browser, or as a best practice I recommend you restart your computer.
  5. To verify that Java is disabled, go to the Java verification site in each browser and verify that you don’t have Java running.
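
A local check to go with step 5, as an added example (not the author's or Oracle's code): it reads the per-user deployment.properties file for the setting behind the Enable Java content in the browser check box and lists the JREs registered on the machine. It assumes the file location and the deployment.webjava.enabled property described in Oracle's deployment configuration documentation, and that a missing property means Java content is still enabled; the function names are made up for this example.

```powershell
# Added example: inspect the setting behind "Enable Java content in the browser".
function Get-WebJavaEnabled {
    # Assumed per-user location of deployment.properties on Windows Vista/7/8.
    param([string]$Path = (Join-Path $env:USERPROFILE `
        'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'))

    if (-not (Test-Path -LiteralPath $Path)) {
        return 'unknown (no deployment.properties for this user)'
    }
    $value = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*[#!]') { continue }            # properties-file comment
        if ($line -match '^\s*deployment\.webjava\.enabled\s*[=:]\s*(\S+)') {
            $value = $Matches[1]                             # last occurrence wins
        }
    }
    if ($null -eq $value)   { return 'enabled (property not set, default applies)' }
    if ($value -eq 'false') { return 'disabled' }
    return "enabled (value: $value)"
}

function Get-InstalledJre {
    # 64-bit and 32-bit (Wow6432Node) registrations of the Java Runtime Environment.
    $roots = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            New-Object psobject -Property @{
                Version  = $k.PSChildName
                JavaHome = $k.GetValue('JavaHome')
                Registry = $root
            }
        }
    }
}

"Java content in browser: $(Get-WebJavaEnabled)"
Get-InstalledJre | Format-Table Version, JavaHome, Registry -AutoSize
```

A JRE that shows up in the list while the setting reads enabled means the check box in step 3 was not applied for this user, whatever a browser-based test page reports.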

Disabling Java on Macs

For instructions on how to disable Java on Macs, visit JavaTester.org. You will find some very useful information on this site. Among other things, you can also check whether JavaScripting is working in your browser. Remember, you want to disable Java, not JavaScript.

Possible Consequences of Disabling Java

The potential drawback of disabling Java can be that some Web sites won’t display menus properly, or you may not be able to see the stock prices, weather updates or some ads. Frankly, most of us don’t care about this stuff. Even if you do, in my opinion disabling Java far outweighs the benefits of seeing ads or weather updates on different sites.

TIP: If you must use Java because you feel your life is completely miserable without Java and you had some great luck skiing in the avalanche season and skating on thin ice then enable Java in the latest version of Chrome or Firefox, rather than Internet Explorer, because they give you more control on when to run Java on specific pages.

Have I experienced any negative consequences by disabling Java in all three of my browsers (Firefox, Internet Explorer, and Chrome)?

No.


Copyright ©2013 Zubair Alexander. All rights reserved.

October 2, 2011

Vulnerability in SSL/TLS Could Allow Information Disclosure

by @ 10:03 am. Filed under Browsers, Security/Firewalls

Microsoft recently posted this Knowledge Base article 2588513: Vulnerability in SSL/TLS could allow information disclosure. The actual Security Advisory is posted here. According to the advisory:

“Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.”

There are at least two mitigating factors:

  1. The attack must make several hundred HTTPS requests before the attack could be successful.
  2. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Workaround

Microsoft offers the following workaround. In Windows 7, disable the TLS 1.0 protocol and enable TLS 1.1 and TLS 1.2 because they are not affected. Unfortunately, in Windows XP, Internet Explorer doesn’t offer TLS 1.1 or TLS 1.2.

NOTE: Neither Mozilla Firefox nor Chrome supports TLS 1.1 and TLS 1.2. Therefore, your best bet is to use Internet Explorer 9 on Windows 7 or Opera 10, which also supports TLS 1.2.

In Internet Explorer 9, go to Tools, Internet options, and on the Advanced tab clear the TLS 1.0 check box and select the TLS 1.1 and TLS 1.2 check boxes. Your screen should look something like this.

Does Fix It Really Fix Things?

If you use the Fix it solution in the KB article that automatically creates a restore point and then supposedly fixes the problem, you will notice that it DOES NOT clear the TLS 1.0 box. I am not sure why, when the entire hoopla has to do with TLS 1.0 and SSL 3.0 in the first place. All it does is enable TLS 1.1. Perhaps enabling TLS 1.1 takes precedence and therefore TLS 1.0 is not used, but I don’t feel comfortable using any scripts or wizards created by a vendor because there is no way for me to know exactly what the wizard does behind the scenes. Besides, I have been burned in the past by one of Microsoft’s wizards that installs a security template so I am pretty hesitant when it comes to wizards. I’d much rather make the change manually so I can reverse the process manually if necessary.
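
One way to see exactly which protocol check boxes a wizard or a manual change altered, as an added example (not Microsoft's or the author's code): Internet Explorer stores the Advanced-tab protocol selections as a bitmask in the per-user SecureProtocols registry value, and the script below decodes it and compares two snapshots. The three sample values are constructed to match the states the post describes, and the function names are made up for this example.

```powershell
# Added example. Bit values are the WinINet flags behind IE's Advanced-tab check boxes.
$ProtocolBits = [ordered]@{        # [ordered] needs PowerShell 3.0 or later
    'SSL 2.0' = 0x0008
    'SSL 3.0' = 0x0020
    'TLS 1.0' = 0x0080
    'TLS 1.1' = 0x0200
    'TLS 1.2' = 0x0800
}

function Get-IESecureProtocols {
    # Per-user value written by the Internet Options dialog.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $item = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE falls back to its default
    [int]$item.SecureProtocols
}

function Compare-SecureProtocols {
    # Report, per protocol, whether it was enabled before and after a change.
    param([Parameter(Mandatory)][int]$Before, [Parameter(Mandatory)][int]$After)
    foreach ($name in $ProtocolBits.Keys) {
        $bit = $ProtocolBits[$name]
        $was = [bool]($Before -band $bit)
        $is  = [bool]($After  -band $bit)
        [pscustomobject]@{
            Protocol = $name
            Before   = $was
            After    = $is
            Changed  = ($was -ne $is)
        }
    }
}

# Constructed sample values, not captured from a real machine.
$default  = 0x00A0   # SSL 3.0 + TLS 1.0 checked
$afterFix = 0x02A0   # TLS 1.1 added, TLS 1.0 still checked (the state the post describes)
$manual   = 0x0A20   # TLS 1.0 cleared, TLS 1.1 and TLS 1.2 checked (manual workaround)

Compare-SecureProtocols -Before $default -After $afterFix | Format-Table -AutoSize
Compare-SecureProtocols -Before $default -After $manual   | Format-Table -AutoSize

# On a live machine: note the value, apply the change, then compare the two numbers.
$current = Get-IESecureProtocols
if ($null -ne $current) {
    'SecureProtocols = 0x{0:X4}' -f $current
    if ($current -band $ProtocolBits['TLS 1.0']) { 'TLS 1.0 is still enabled for this user' }
}
```

Recording the value before the change also gives you the exact number to write back if you need to reverse it.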

One challenge that you might have to face is whether the Web sites you visit support TLS 1.1 and later or not. Until there is a solution (remember this is only a workaround) I would rather implement the workaround just to be on the safe side and take my chances with Web sites not supporting the newer version of TLS.

As a best practice, always sign out of the Web site and then close your browser to ensure that your SSL/TLS session is properly terminated.

September 18, 2011

Error: An unhandled exception occurred in the Silverlight Application

by @ 10:21 am. Filed under Browsers, SharePoint, Tips & Tricks

Today I noticed the following error when I tried to create a new library in SharePoint 2010. I am running SharePoint Server 2010 and was using IE9 on my Windows 7 Ultimate x64 client.

Error: An unhandled exception occurred in the Silverlight Application

Here’s how I was able to resolve the problem.

  1. Go to Central Administration site.
  2. Go to Manage Web Applications in Application Management section.
  3. Highlight your Web application and select General Settings from the General Settings drop-down box.
  4. Turn on the Web Page Security Validation. The Web Page Security Validation establishes an amount of time after which the user is required to retry the operation. By default it is set to on and the expiration time is 30 minutes. I don’t recall turning it off on my Web application but somehow it was set to off. I looked at all the other Web applications and discovered that it was set to on. It might be some kind of bug in SharePoint but because I haven’t done any research on this issue I can’t say for sure.

  5. Now you should be able to create new libraries.

There is no need to restart any services, browser, or your computer. Your change should take effect immediately.

July 7, 2011

Unable to Open PDF Files on a SharePoint Site in IE9

by @ 4:09 pm. Filed under Browsers, SharePoint, Tips & Tricks

I recently noticed that I was unable to open PDF files in SharePoint 2010 when I used Internet Explorer 9. I didn’t have the same problem in Mozilla Firefox 5. If you have encountered a similar problem, here’s one solution that might help you.

  1. Start Internet Explorer.
  2. Go to Tools, Internet options, Advanced tab.
  3. In the Security section, clear the box Do not save encrypted pages to disk. I tend to check this option on most of my computers running Internet Explorer but noticed that clearing this option lets me open the PDF files. Because my site uses SSL, by disallowing the ability to save encrypted pages to disk, SharePoint is unable to open PDF files.

Once in a while I start to have the same problem again where I am unable to open PDF files in IE9. I simply go back and check the box I mentioned in step 3 and apply the changes. Then I go back and clear the box once again and IE9 finally gets the clue and will allow me to open the PDF files again.

By the way, the IE9 problems are more widespread than most people realize. For those of you who believe that IE9 is the most problematic browser Microsoft has ever released, I think you have a point. Even Microsoft has issues with IE9 compatibility. Here’s one example.

Post updated on February 27, 2012

June 10, 2011

How to Change the Browser Icon for SharePoint 2010 Sites

by @ 9:53 am. Filed under Browsers, SharePoint, Tips & Tricks

If you go to Google or Bank of America’s Web site you will notice that your browser displays a custom logo to the left of the URL. It’s nice to have a custom icon or logo for a SharePoint 2010 site so when visitors add the site to their Favorites in Internet Explorer or Bookmarks in Mozilla Firefox it displays the custom icon/logo. I wrote about this last year but in this blog I have added numerous troubleshooting tips that will come in handy. You can follow the procedure described below to change the browser icon for a SharePoint 2010 site.

There may be other methods of achieving this but this is the method that I use. The procedure is very simple but it requires you to use SharePoint Designer 2010. The good news is that SharePoint Designer 2010 is a free download from Microsoft. The bad news is that if you don’t know what you are doing you can completely destroy your site by “messing” with your site in SharePoint Designer.

WARNING! Always backup your site before you make any modifications to your site in SharePoint Designer 2010.

  1. Create your site icon and save it as favicon.ico. There are lots of free programs that you can use. I have been using an old program called Easy Icon Maker. Keep in mind that you don’t have to use such a program. You can use any application (MSPaint, Word, etc.) to create the icon then copy it to MSPaint program and save it as a JPG or PNG. Then convert it to .ico file using a convert utility. More on that in the Troubleshooting section.
  2. Upload the favicon.ico file to the SharePoint site. I prefer to upload it to the SiteCollectionImages library so it is available to me for all the subsites.
  3. Go to the SiteCollectionImages library and open the favicon.ico file.
  4. Copy the path to the clipboard.
  5. Open SharePoint Designer 2010.
  6. Open your SharePoint site.
  7. In the Site Objects section select the Master Pages folder. You will notice a default.master page and v4.master page.
  8. Select the v4.master page.
  9. Under Customization, click Edit File.
  10. When prompted to check out the file, select Yes.
  11. On the toolbar, in the Page Views section click Code.
  12. Notice the line that starts with SharePoint:SPShortcutIcon. The path in this line determines which icon will be displayed in the browser. By default, it points to the favicon.ico file in the images library.
    <SharePoint:SPShortcutIcon runat="server" IconUrl="/_layouts/images/favicon.ico"/>
  13. Change the path for the IconURL to your custom favicon.ico file. For example for my winnetusergroup.com site I would change it to http://www.winnetusergroup.com/SiteCollectionImages/favicon.ico.
  14. Save the v4.master file.
  15. You will be prompted by a warning that once you save the file your page will no longer be based on the original site definition. Did I mention that you should always backup your site before you make any modifications to your site in SharePoint Designer 2010? If you have backed up your site, select Yes.
  16. In the left hand pane right-click v4.master page and select Check In.
  17. Select an option for the version. If you are not sure what to select, accept the default option of Check In a minor version and click OK. You will notice that the green check mark changes to a blue icon with an “i”. This means the page is no longer based on the site definition. If things get messed up you can right-click the file and select Reset to Site Definition.
  18. Close SharePoint Designer.
  19. You should now see your custom icon when you refresh your browser screen. When visitors add your site as Favorite they will see the custom icon in the listing. In addition, the address bar will display your custom icon instead of the default icon.
  20. Here’s a sample of SeattlePro’s Web site displaying custom space needle icon in the address bar as well as the Bookmarks toolbar.

NOTE: If you are working with a standard HTML-based Web site (not a SharePoint site) then all you have to do is copy the favicon.ico file to the root of the Web site, e.g. wwwroot folder, and your icon will be displayed automatically. The root folder is where your home or index file is located. There is no need to edit any files.

Troubleshooting Tips

If your icon is not displaying properly, here are some troubleshooting tips.

  1. Make sure that you modified the v4.master page and not the default.master page.
  2. If your site is using SSL, depending on how you configured your site, you may see the custom icon when you add it to the Bookmarks toolbar in Mozilla Firefox or Favorites bar in Internet Explorer if you do not add the s after http. However, it will not display the icon in the address bar. To see the icon in the address bar you must use https in the URL when you edit the master page.
  3. In Mozilla Firefox your icon will always be displayed properly. If you want to test your icon use Firefox. In Internet Explorer (all versions) it’s hit and miss. In my experience, Internet Explorer displays it only about 5% of the time. And that 5% is completely random. Do not waste too much time trying to get this to work in Internet Explorer.
  4. If your site gets messed up because you modified the master page, reset it to the site definition. Just right-click the master file and select Reset to Site Definition. It will create a copy of the current master page and reset the site definition.
  5. If your icon is not displayed, you may have forgotten to check in the master page. Unless the page is checked in, visitors cannot see the changes.
  6. If your icon is not displayed, you may have to log in to the SharePoint site. For example, if it’s a public site the icon may not be displayed but if you log in to the site with your account the icon will show up right away.
  7. If you have an existing icon and then you change the icon by uploading a new favicon.ico file you may have to clear the cache and restart the browser. Sometimes the old icon will be cached and you must restart the browser while other times your new icon will be displayed right away. A lot depends on which browser you are using and how you have configured your browser.
  8. The icon has to be a certain size or else it may not display at all. Check out my blog post.
  9. You can’t just rename a jpg, bmp or png file to favicon.ico. You must either use a utility that allows you to save files with .ico extensions or use a tool that allows you to convert it from other formats to .ico format. There are a number of free utilities available to do the conversion. The quickest way is to use an online conversion tool like this one.
  10. Although I have used GIFs (including animated GIFs) and you can also use PNG files, I would suggest you stick with ICO files because all the browsers support ICO files. The name of the file must be favicon.
  11. If your custom icon is not working, make sure the size of the favicon.ico file is 16×16 pixels. Sometimes you can have a larger file, such as 64×64 pixels and you can try and convert it to ICO but in my experience the smaller size icons work the best. I often reduce it to 32×32 pixels, save it, and then convert it to ICO format. Larger file sizes tend to cause problems.

    Copyright ©2011 Zubair Alexander. All rights reserved.
