Disable Java – Windows, Mac, Linux

US Department of Homeland Security advises disabling Java following fresh zero-day vulnerability – The Verge

A new Trojan horse has been discovered that exploits a flaw found in Java, leaving computers running Windows, Mac OS, and Linux vulnerable to attack. Mal/JavaJar-B allows attackers to remotely trigger code once it infects a system, potentially leading to the installation of malware, or even ransomware. Oracle hasn’t yet patched the vulnerability, which targets even the latest version of Java.

US-CERT RECOMMENDS THAT USERS DISABLE JAVA IN WEB BROWSERS

Apple has already taken care of this on the Mac by updating to disallow all Java except including the new one that hasn’t even been released yet. Excellent move from Apple.

Firefox and Google Chrome has had you click to even use Java for awhile now. From my experience, I believe that includes the current version of Java as well. As noted above, Firefox now includes the current version of Java in their blacklist. You have to personally choose to actually use Java using their Click to Play feature. Thank you Mozilla!

Google Chrome has instituted on December 21, 2012, noted in their blog posting, a feature that disallows silent extension addon installations. I believe this is something that Mozilla did some time ago when they experienced problems with it. Or maybe not.

So you will definitely want to disable Java in all browsers in Windows, Linux and on the Mac just to be safe for now.

Internet Explorer now allows you to disallow plugins by default and only allow those you specifically allow. But if you have allowed Java in the past, you will want to disable it:

How to Disable Java – PCMag

The PCMag article gives instructions for all the main browsers. Check it out and please for your sake don’t use a browser for general use that allows Java at least for now.

Disable it in at least one browser that you can use for general purpose use.

Whichever method you choose, visit the Java test page at http://java.com/en/download/testjava.jsp to confirm that Java is disabled. Yes, you’ll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

More here at Security Garden, Dottech.org (How to/tutorial with images) and Venture Beat as well.

I have Java totally disallowed in my main browser, and enabled in one of my other browsers so I can still go to Secunia.com to use their OSI (Online Security Inspector) to check plugins and Internet facing programs. I also compare that with Firefox’s plugin checker. This in Windows. On my Mac, I have Java disabled in all but one browser and turn Java on and off as needed overall. In Linux Java is also disabled in my main browser.

This is very important until Oracle gets this updated and is quick to fix these vulnerabilities.

Oracle really needs to get on the stick before they and all the programs that make use of them are made obsolete! And there are millions of them!!!

EDIT: As of 1/11/2013 – Added Mozilla’s and Apple’s change to include blacklisting of the current version of Java due to the Trojan affecting even the current version of Java. See the info earlier in the posting.

Advertisements

Oracle, Java and Security

[tweetmeme source=”franscomputerservices” only_single=false]Oracle, Java and Security … oh my!

Java bug exposes users to serious code-execution risk – Researchers disclose because Oracle won’t!

This zero day bug, which is in the Java Web Start (this is automatically added as an ‘extension’ in Firefox – which I always disable) has become a real problem. Here’s a quote from the article regarding the Researchers’ attempt to make Oracle understand the severity of this issue:

Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and other browsers. Ormandy said he alerted Java handlers in Oracle’s recently-acquired Sun division to the threat but “they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

(bold emphasis in the quote mine)

Merely disabling ActiveX or Firefox plugins isn’t enough because the toolkit is installed separately from Java. That means the only temporary fixes are browser specific for IE and Firefox and involve setting killbits or employing file system access control list features. (More about that here).

Or we could always just uninstall Java entirely until Oracle decides to protect their users.

That is a sad option since Secunia makes use of Java for it’s OSI (Online Software Inspector) which has become a very handy free tool for folks to keep up on the myriad of “Internet-facing” programs, plugins, missing Windows Updates, etc.

And of course, Weather.gov (for animated maps) and NASA/JPL use Java for many online projects. I would think they would want Oracle to rethink their position on this problem!

Plus, this is not just a Microsoft Windows Issue. The article also notes that this could affect Linux.

And from the sound of it, also Apple’s Mac OS; particularly since Apple is slow to upgrade Java on their OS platform, and they haven’t done an update for Java in a while for OS X Tiger at all.

What a mess. This issue with Java vulnerabilities, and how Oracle is handling it, may well provide a backdrop that opens up other concerns about Oracle’s stance on security related to their flagship products … things that maybe Oracle wouldn’t want folks to start thinking about…