Critical Java Security Risk Requires Immediate Action

Security experts have identified a serious security flaw in Java that allows hackers to execute almost any type of malicious activity on affected computers, whether Windows, OSX or Linux. Worse, this flaw was identified because it has already been integrated into commonly used commercial hacking software.

According to the Computer Emergency Response Team at Carnegie Mellon University:

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available. We have confirmed that Windows, OS X, and Linux platforms are affected. Other platforms that use Oracle Java 7 may also be affected.

We are recommending that everyone, whether you use a Mac or Windows PC, follow the steps below to protect yourself immediately.

UPDATE 1/14/13: Oracle released a patch, Java Version 7 Update 11, to address the security hole and change the default security setting in Java to "High", requiring users to confirm an applet is safe before running. However, our advice remains the same—all users should disable or uninstall Java as soon as possible unless you require it to run a specific application. Java has been a constant source of security exploits and there is no guarantee that the current fix actually fixes the problem (this issue was supposed to have been fixed with a patch released back in August). And, while the security setting change is welcome, many users are too accustomed to hitting the "confirm" button to run applications without really considering the potential risk, or they may easily be tricked into thinking an application is safe when it really is not.

Who is impacted by the Java security flaw?

Anyone who has Java Version 7 installed is vulnerable to being exploited. According to Oracle, the makers of Java, Java is installed on as many as 850 million personal computers worldwide.

Some reports have suggested that earlier versions of Java may be impacted as well. However, the well-respected security expert Brian Krebs says this is not the case. Until this question is resolved, it is safest to assume that all versions of Java could be vulnerable.

Java is used to run various types of local and web applications, and many of us may have knowingly or unknowingly installed it at some point in the past. Because Java is its own separate application used by programmers for cross-platform compatibility, the flaw affects all major operating systems and all browsers. (Note the risk here is specifically with "Java", not the more commonly used "Javascript", which is a completely different application.)

Some sites have suggested that Mac users may be protected with a security update Apple released on Friday to block Java applets. However, if you do not have automatic updates turned on or the fix turns out not to be complete, you may still be at risk.

Victims can be infected when they visit a compromised website and load a malicious Java applet. Depending on your browser settings, you may or may not see the option to block the applet before loading. Since any website with poor security can be compromised by hackers, don't assume that a site is safe just because it is "legitimate."

How do I know if Java is installed on my Computer?

Follow this link to check if Java is installed on your PC and what version you have.

UPDATE 1/14/13: We have determined that this method from Oracle is not reliable. It may tell you that you do not have Java on your computer even if you have the plug-in installed on your browser. The most certain may to determine if you have Java is to follow the steps below to check for the plug-in in your browser.

I have anti-malware software, am I safe?

The answer to this question is not clear. Even if you have anti-malware software installed on your PC, we recommend following the steps to disable Java below.

How to disable or uninstall Java

The easiest and most certain way to protect yourself is simply to uninstall Java, as you would any other other program. If you don't need Java, and most people do not, this is the safest course. If you encounter a program in the future that requires Java to run, you will be prompted to reinstall it, and you can decide whether or not to do so.

UPDATE 1/14/13: Uninstalling Java may not remove the plug-in from your browser. After the uninstall, we recommend you check your individual browser settings as outlined below, as well.

For Windows users, the latest version of Java, Version 7 Update 10, also allows you to disable Java in all of your browsers through the Java Control Panel. Find the Java icon from within the Windows Control Panel, go to the Security Tab and uncheck "Enable Java content in the browser"

Mac users and Windows users with earlier versions of Java who wish to disable Java should follow the instructions below for individual browsers.

Internet Explorer

• Click on the Tools dropdown menu, then Manage Add-ons.
• Find the Java Plug-in under Toolbars and Extensions (it's listed under Oracle America), highlight it and click Disable.

Chrome

• Click on the Chrome menu, and then select Settings
• At the bottom of Settings window, click Show advanced settings
• Scroll down to the Privacy section and click on Content Settings
• In the Content Settings panel, scroll to the Plug-ins section and click Disable individual plug-ins.
• Find the Java plugin and click Disable

Firefox

• Click on the Firefox tab and then select Add-ons
• Select Plugins, find "Java (TM) Platform plugin" and click Disable (a of 1/11/13, Firefox has automatically disabled the Java plugin, but you should check to verify this has been done for your browser).

Safari

• Choose Safari Preferences
• Choose the Security option and uncheck Enable Java

What if I need to use Java?

Use of Java on websites is becoming more rare and most users will never need to use it. However, there are certain applications that do require Java (such as the online trading app I use for Schwab). If you need to use Java, you can set your Java security settings to require a prompt before running any Java apps. You can do this through the custom security setting from within the Security tab in the Java Control Panel.

Alternatively, you can turn off Java in your standard browser (e.g., Chrome), but keep it turned on in an alternative browser (e.g., Firefox) that you only use to access those sites where Java is required.