See also: java7.msi
Eventhough the EXE installer is internally still based on an MSI-file, like version 7, Oracle has removed the description from their web page how to extract the MSI-file, and they warn to not use this method any more.
They write that they cannot guarantee that Java will work correctly if installed like this, and that they may change the install method in future versions to make this method not work any more at all.
The alternative is to run the exe installer with a settings file, to make it run silent and set the required parameters. This can probably be done by wrapping it into an MSI with a install-script, but I have not yet done this, and can thus not provide a description.
Even worse, they have modified the MSI file such that it really does not work any more. It is theoretically possible to fix these errors, then it does work. But I decided to not provide this info here, to prevent receiving a cease and desist letter. Thanks Adobe for making me nervous.
Gone are the golden days in which it was officially allowed to work around copy protections "to make things interoperable". Today working around so called copy protections is illegal, and companies can declare arbitrarily what they declare to be a copy protection. At least that is the current state here in Germany.
Use the offline installer, instead of the normal installer. This has the added benefit that it doesn't include the Ask-toolbar.
The easiest method is to use these direct download links.
If that page does not yet list the latest version, go to java.com, but ignore the big download buttons. Instead click in the header on download, and on the next page on 'all java downloads'. The english version of that page is here, the german one here.
The browser plugin of Java version 1.7.51 (January 2014) and later will only run applets, which are signed with a digital certificate. This can be changed by creating a Deployment Rule Set, a whitelist ("Exception List"), or by changing the security level from high to medium. More details here.
Maintaining a whitelist is more work, but provides much higher security, and should thus be preferred. The security level can be set by individual users in the Java Control Panel, and can be deployed to all users with the install option WEB_JAVA_SECURITY_LEVEL=M. This option can either be specified on the command line, or as entry in the properties table of the msi-file (name "WEB_JAVA_SECURITY_LEVEL", value "M"). For maximum security set it to "H".
For security reasons many people recommend to not use Java any more at all, or only when absolutely necessary. If you need Java only to run local apps, then you should disable the web browser plugin. This prevents that security vulnerabilities can be exploited by planting malware on web pages.
Note: If you want to keep using local jnlp-files (Java Web Start), do not tell Java to disable all browser plugins (first item below), instead disable it specifically in the web browser (second item).
Starting with Java version 1.7.10, the installation of the plugin can be disabled by specifying WEB_JAVA=0 either as command line argument for the installer (found in this technote), or as property in the MSI-file. Oracle does not tell that this also works as property in the MSI-file, thanks Miles for this great find and for telling me.
If you ever want to switch back to a version with plugins, it is not enough to just uninstall the MSI with WEB_JAVA=0, and then install one without this property. Instead you must either install one with WEB_JAVA=1, or remove the registry key HKLM\SOFTWARE\Oracle\JavaDeploy that remains in the registry after the uninstall, especially the values WebDeployJava and deployment.webjava.enabled inside this key.
Remove these registry keys:
(This appears to be outdated, does not have an effect on Internet Explorer version 11).
Firefox searches the Java plugin with two methods. Both must be disabled:
The actual registry keys are version specific. For Java version 1.8.65 they are:
You should check all computers for old versions, because in the past the installers for Java did not automatically remove them. Oracle warns that leaving them on the computer 'presents a serious security risk'. The Washington Post explains that this is because a 'web site set up by a bad guy could be made to pick and choose which version of Java should be used.'
Sun could not decide on a version number format, and Oracle does not dare to fix it, because it would break many things.
Depending on where you look, you will find several different version
numbers for the same release, for example:
8.51 = 8.0.510 = 1.8.51 = jre1.8.0_u51
If you think that this is confusing, wait until you see their version numbering scheme.
Oracle releases regular updates on the Tuesday that is closest to the 17th day of January, April, July and October. This can be on the same day as the patchday from Microsoft, but it can also be a week later. The next dates can be found on www.oracle.com/technetwork/topics/security/alerts-086861.html.