Breaking News Bar
posted: 9/1/2012 7:42 AM

Why you should probably disable Java now

hello
Success - Article sent! close
 
By Will Oremus, Slate

Hackers have found a flaw in Oracle's Java software that allows them to break into users' computers and install nasty malware, security experts report. The attack, first spotted on Sunday by researchers at the security firm FireEye, is what security types call a "zero-day" threat, exploiting a previously unknown vulnerability for which there is currently no fix available.

The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks, but just about anyone who uses Java on the Internet is at risk, especially since the attack has been added to the Internet's most popular hacking kit, BlackHole.

Order Reprint Print Article
 
Interested in reusing this article?
Custom reprints are a powerful and strategic way to share your article with customers, employees and prospects.
The YGS Group provides digital and printed reprint services for Daily Herald. Complete the form to the right and a reprint consultant will contact you to discuss how you can reuse this article.
Need more information about reprints? Visit our Reprints Section for more details.

Contact information ( * required )

Success - request sent close

Given the potential seriousness and pervasiveness of the attacks -- and Oracle's reputation for being slow on the draw in response to Java vulnerabilities -- experts say that everyday Internet users should probably just disable Java entirely. Like, right now.

"Java has been the most exploited program for well over a year now and it simply isn't worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."

That's not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says.

To disable Java, you usually don't have to uninstall it from your operating system -- you can just disable it in the main browsers that you use. The procedure is slightly different for each browser, but it's actually pretty simple for all of them except Internet Explorer. (One important note: Java should not be confused with JavaScript. Disabling JavaScript will result in a bunch of websites not working properly, and it won't do anything to address this threat.) Here are the basics for disabling Java:

In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.

In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."

In Google Chrome, type "Chrome://Plugins" in your browser's address bar, then click the "Disable" button below any Java plug-ins.

If you're an Internet Explorer user, the process is a bit more complex. The blog Krebs on Security summarizes a procedure that "may or may not work." Alternatively, you could uninstall Java from your system, provided you don't need it for some particular application or website that's important to you.

For those who can't live without Java, Wisniewski's blog post at Naked Security offers a few other suggestions.

One final point: This flaw does not appear to affect the previous version of Java (Version 6, aka 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.

Share this page
Comments ()
Guidelines: Keep it civil and on topic; no profanity, vulgarity, slurs or personal attacks. People who harass others or joke about tragedies will be blocked. If a comment violates these standards or our terms of service, click the X in the upper right corner of the comment box. To find our more, read our FAQ.