“Java is a plugin for web browsers that is installed on approximately 66% of all computers. However there are very few websites that still rely on the features that it provides, leaving those 66% of computers vulnerable to attack when the dated technology is exploited. This has unfortunately happened several times in the past few months.” — Examples of why you should disable Java
All currently-supported versions of Java, including Java 5, Java 6 and Java 7, contain a bug letting attackers install malware on the system.
Windows PCs and Macs are equally at risk. The JDK7 version of the software is affected, but the bug does not affect Java applications directly installed and running on servers, desktops, laptops and other devices.
Please note that this exploit concerns the Java browser plug-in. Stand-alone programs written in Java (such as those packaged as .jar files) are okay, provided, of course, that you get them from trustworthy sources.
If you have the Java browser plugin and use any of these browsers (Chrome, Firefox, Internet Explorer, Opera or Safari), then your computer is vulnerable. Oracle says a fix will be available shortly, but in the meantime here is the answer to the question: how do I disable Java in my web browser?
Instructions for disabling Java in the major browsers were first found on the US-CERT (United States Computer Emergency Readiness Team) website.

Is this Java the one put out by Sun Microsystems?
Yes.
Thank you, TT. If I disable Java from the browser, say, Chrome, does one need to do anything else? I think I disabled from Chrome but the Java update is still asking to be updated. When I went into my computer Java page, as directed, the disable check box was not there. I hope this is making sense. Thank you again.
That’s all you need to do, i.e. disable Java browser add-ons. I’m being prompted as well but I just click the “x” and ignore the prompt. Until the security holes are patched I won’t click to update.
Got it. Thank you, again, TT. You are a blessing. ♥
Basically, should I uninstall Java?
I did not uninstall. I disabled Java browser add-ons only. I’m not updating until Oracle has patched all the holes. Read here > http://www.gmanetwork.com/news/story/298216/scitech/technology/oracle-issues-emergency-patch-for-new-java-bugs
Had not heard about Java being a security threat. I just disabled the Java plug-in in both my browsers– whew! A big thank you for the tip, TT! : )
Hi Mark,
Oracle released Java 7 Update 11 in January as an emergency security update in order to block a zero-day exploit used by cybercriminals to infect computers with malware. However, researchers say it contains new holes. http://www.pcworld.com/article/2025797/oracles-java-patch-contains-new-holes-researchers-warn.html
On February 1, Oracle pulled the trigger early on the February release, which had originally been scheduled for February 19, due to a serious vulnerability that affected Java at the browser level. Oracle isn’t done releasing patches for Java SE this month, as another batch will arrive February 19, according to a company blog post. https://blogs.oracle.com/security/entry/updates_to_february_2013_critical
http://www.pcworld.com/article/2027766/more-java-patches-due-soon.html
I’ve been reading a lot of stories/articles like these– it’s discouraging. I have to nix my earlier statement, in that it is still yet possible for hackers to force unsigned certificates to run automatically (i.e., to foist their malware on users). Oracle Java 7 is still exploitable for the time being.
It may be best to leave browser plug-ins disabled. But I should note that OpenJDK has been available for Mac (you’re a Mac user, yeah Mark?) for some time and may be a viable solution if it is truly needed.
It should be noted that Oracle has claimed to have patched the problem with update 11 (7u11): see here and here. A more non-tech friendly article is here at TheNextWeb (TNW).
In short, update 11 will NOT allow unsigned certificates to run automatically but will prompt you first.
However, I think the advice of disabling the browser plugin (for the Java applet) is sound, simple, and probably the best practice for most users.
Thanks for those links.
TT, thank you! Even I understood and contacted my computerman before disabling the Java browser plug-in. I wanted to delete Java completely from my system but he told me not to because some functions in OpenOffice need it (if I remember correctly). So I just disabled the browser plug-in. Easy to do. Thanks again!
Hi there,
Yes it’s the browser plugin that’s at issue. It’s good to know you disabled it. Best wishes.
Thanks for the updated warning. I thought from previous info that the security issues were fixed. I am off to make sure Java is still disabled in my web browser.
It’s really important to do this disabling now as there is no patch now and it’s not hard to do.
Whew!!! I had already disabled java when I got the first warnings. Thanks for the reminders. I am sure there are folks for whom this is new news.
Reblogged this on Cheryl Andrews and commented:
Disabled mine for Firefox browser until a ‘fix’ is in!
I’ve seen your cogent comments on the WordPress forums, but this is the first time I’ve ‘found’ your site. I will be back. I admit I am severely lacking in the tech-knowledge-y department, and frankly almost break out in hives at the mere mention of the word. Your writing is clear, concise, and understandable. All of these are mandatory for someone like me when it comes to this realm. Thank you for this information. Am headed over to handle this right now.
Thanks for pointing this out. I always detested Java web browser plugins, as they always need constant updates for whatever reason. Glad that I can finally get rid of it.
Some browser plugins are very useful.
Thanks! Another very helpful post. Do you know if there is a way to tell if you’ve been compromised and if so, is there a solution?
No I’m sorry I don’t know the answers to those questions.
NP–but would you say that disabling the Java add ins is a bare minimum step?
Disabling Java plugins on your browser is recommended as Oracle still has not created a security patch.
I contacted my computer techy and here is what he said:
“If you have Java installed and you visit a site that is employing this exploit, you will be prompted to run a Java applet; if you run the applet, you will be infected. Once infected, your computer is open for lowlife to remotely install malware, such as keyloggers.”
Oops! he also said: “Don’t mess with it. Immediately contact a security expert (ie. him) to remove it.”
Did you see that the US govt is telling people to disable Java? http://www.reuters.com/article/2013/01/11/us-java-security-idUSBRE90A0S320130111 Also that they estimate over half the cyber attacks are through Java and security holes they haven’t filled.
Yes. Didn’t you read that in the post? I provided the link to US-CERT (United States Computer Emergency Readiness Team) website in it and it’s dated : 27 Aug 2012. That’s when I disabled the Java plugins on my browsers.
What is the effect on WordPress of turning over java?
Javascript and Java are NOT the same!
Thank you, they sound the same. The devil is in the detail!
You’re welcome.
Thanks for the complete and easy-to-understand summary, Timethief. I got my first hint of this through a Canadian security guru I follow on Twitter and who seems always to be on top of these things. Now, I’ll pass your post on to some folks who just want to know what to do. ;)
You’re welcome. I have been aware of this since last August as I follow all the main security sites. I blogged this previously here http://onecoolsitebloggingtips.com/2012/10/02/malware-targets-macs-and-windows-pcs/ but I didn’t get much traffic to that post.
My point is the distinction between Java and Java script needs to be made clear!
Please note that this exploit is focused on the Java browser plug-in. Stand alone programs written in Java (such as those packaged as .jar files) are okay, of course, considering you get them from trustworthy sources.
P.S. I beefed up the bold lettering above and added a paragraph in red lettering.