Java – The Hacker’s Best Friend

Some of you may have heard that a significant security vulnerability was disclosed recently that affects pretty much all versions of Java. Oracle (who now owns Java) seemed to be dragging their feet on providing a fix until they felt some heat from the U.S. Government. A fix was made available today but only for users of Java version 7. Java runs on all operating systems so Mac users are impacted along with PC users.  Note: there won’t be a fix available for Mac users with Snow Leopard or earlier so your best option is to totally disable Java.

How do you know if you have Java installed?
Click on this link to find out: http://www.java.com/en/download/installed.jsp

If you don’t need Java (not to be confused with JavaScript), you should uninstall it or, for Windows, disable browser use in the Java Control Panel (see http://www.java.com/en/download/help/disable_browser.xml). In addition to the Department of Homeland Security, many security industry experts are recommending that Java be disabled immediately (fix or no fix).

Unfortunately, a number of us require Java for applications that we use at work (including for web apps like GoToMeeting and WebEx).  So, if you absolutely must keep Java installed, you should strongly consider disabling Java in all your browsers except the one that you access Java-based applications with.  Use that one browser just for your Java-based applications.  Use your other browsers, the ones with Java disabled, to access the Internet.

Below are steps to disable Java in all browsers except Internet Explorer (so IE is a good choice for the browser where Java is left enabled).

Firefox
1.    Click on the Firefox tab (or Tools) then and then select Add-ons
2.    In the Add-ons Manager window, select Plugins
3.    Click Java (TM) Platform plugin to select it
4.    Click Disable (if the button displays Enable then Java is already disabled)

Safari
1.    Choose Safari Preferences
2.    Choose the Security option
3.    Deselect Enable Java
4.    Close Safari Preferences window

Chrome
1.    Type about:plugins in the browser address bar.
2.    In the Plugins panel, scroll to the Java section. Click Disable to disable the Java Plug-in.
3.    Close and restart the browser to enable the changes

While you’re diligently dealing with this Java mess, you should go ahead and update your installed Adobe products (Reader, Flash and AIR) and install the most recent Microsoft patches (for Windows machines).  Significant security vulnerabilities in these software packages were also patched recently and should be installed as soon as possible.

With all these patches needing installation for various applications, it’s difficult to keep track.  I still recommend using BrowserCheck from Qualys (browsercheck.qualys.com) for what amounts to a quick, one-click assessment of missing security patches on your Mac or PC.  It’s free and there’s no registration required.  I’ve written about BrowserCheck previously here:

https://blogs.swarthmore.edu/its/2010/10/18/give-your-computer-a-fighting-chance/
https://blogs.swarthmore.edu/its/2011/06/15/update-your-browser-save-your-computer/
https://blogs.swarthmore.edu/its/2012/03/12/update-everything/

In summary, if you don’t need Java, get rid of it.
Nick