Tech Made Simple

Hot Topics: How to Fix Bluetooth Pairing Problems | Complete Guide to Facebook Privacy | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Critical Java Security Risk Requires Immediate Action

by Josh Kirschner on January 13, 2013

Security experts have identified a serious security flaw in Java that allows hackers to execute almost any type of malicious activity on affected computers, whether Windows, OSX or Linux. Worse, this flaw was identified because it has already been integrated into commonly used commercial hacking software.

According to the Computer Emergency Response Team at Carnegie Mellon University:

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

We are recommending that everyone, whether you use a Mac or Windows PC, follow the steps below to protect yourself immediately.

UPDATE 1/14/13: Oracle released a patch, Java Version 7 Update 11, to address the security hole and change the default security setting in Java to "High", requiring users to confirm an applet is safe before running. However, our advice remains the same—all users should disable or uninstall Java as soon as possible unless you require it to run a specific application. Java has been a constant source of security exploits and there is no guarantee that the current fix actually fixes the problem (this issue was supposed to have been fixed with a patch released back in August). And, while the security setting change is welcome, many users are too accustomed to hitting the "confirm" button to run applications without really considering the potential risk, or they may easily be tricked into thinking an application is safe when it really is not.

Who is impacted by the Java security flaw?

Anyone who has Java Version 7 installed is vulnerable to being exploited. According to Oracle, the makers of Java, Java is installed on as many as 850 million personal computers worldwide.

Some reports have suggested that earlier versions of Java may be impacted as well. However, the well-respected security expert Brian Krebs says this is not the case. Until this question is resolved, it is safest to assume that all versions of Java could be vulnerable.

Java is used to run various types of local and web applications, and many of us may have knowingly or unknowingly installed it at some point in the past. Because Java is its own separate application used by programmers for cross-platform compatibility, the flaw affects all major operating systems and all browsers. (Note the risk here is specifically with "Java", not the more commonly used "Javascript", which is a completely different application.)

Some sites have suggested that Mac users may be protected with a security update Apple released on Friday to block Java applets. However, if you do not have automatic updates turned on or the fix turns out not to be complete, you may still be at risk.

Victims can be infected when they visit a compromised website and load a malicious Java applet. Depending on your browser settings, you may or may not see the option to block the applet before loading. Since any website with poor security can be compromised by hackers, don't assume that a site is safe just because it is "legitimate."

How do I know if Java is installed on my Computer?

Follow this link to check if Java is installed on your PC and what version you have.

UPDATE 1/14/13: We have determined that this method from Oracle is not reliable. It may tell you that you do not have Java on your computer even if you have the plug-in installed on your browser. The most certain may to determine if you have Java is to follow the steps below to check for the plug-in in your browser.

I have anti-malware software, am I safe?

The answer to this question is not clear. Even if you have anti-malware software installed on your PC, we recommend following the steps to disable Java below.

How to disable or uninstall Java

The easiest and most certain way to protect yourself is simply to uninstall Java, as you would any other other program. If you don't need Java, and most people do not, this is the safest course. If you encounter a program in the future that requires Java to run, you will be prompted to reinstall it, and you can decide whether or not to do so.

UPDATE 1/14/13: Uninstalling Java may not remove the plug-in from your browser. After the uninstall, we recommend you check your individual browser settings as outlined below, as well.

For Windows users, the latest version of Java, Version 7 Update 10, also allows you to disable Java in all of your browsers through the Java Control Panel. Find the Java icon from within the Windows Control Panel, go to the Security Tab and uncheck "Enable Java content in the browser"

Disable Java from the control panel

Mac users and Windows users with earlier versions of Java who wish to disable Java should follow the instructions below for individual browsers.

Internet Explorer

  • Click on the Tools dropdown menu, then Manage Add-ons.
  • Find the Java Plug-in under Toolbars and Extensions (it's listed under Oracle America), highlight it and click Disable.

Chrome

  • Click on the Chrome menu, and then select Settings
  • At the bottom of Settings window, click Show advanced settings
  • Scroll down to the Privacy section and click on Content Settings
  • In the Content Settings panel, scroll to the Plug-ins section and click Disable individual plug-ins.
  • Find the Java plugin and click Disable

Firefox

  • Click on the Firefox tab and then select Add-ons
  • Select Plugins, find "Java (TM) Platform plugin" and click Disable (a of 1/11/13, Firefox has automatically disabled the Java plugin, but you should check to verify this has been done for your browser).

Safari

  • Choose Safari Preferences
  • Choose the Security option and uncheck Enable Java

What if I need to use Java?

Java custom security settingsUse of Java on websites is becoming more rare and most users will never need to use it. However, there are certain applications that do require Java (such as the online trading app I use for Schwab). If you need to use Java, you can set your Java security settings to require a prompt before running any Java apps. You can do this through the custom security setting from within the Security tab in the Java Control Panel.

Alternatively, you can turn off Java in your standard browser (e.g., Chrome), but keep it turned on in an alternative browser (e.g., Firefox) that you only use to access those sites where Java is required.

 


Topics

Computers and Software, News, Computer Safety & Support, Blog


Discussion loading

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.