Thread: U.S. tells computer users to disable Java software

January 11, 2013, 8:24 PM

U.S. tells computer users to disable Java software

Updated 9:00 p.m. ET

WASHINGTON The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.

The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.

• Read the US-CERT release concerning Java

Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.

CNET's Topher Kessler writes:

"The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform.

Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime.

Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.

The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed."

Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.

Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software's creator, Sun Microsystems, in 2010.

Oracle, which is based in Redwood Shores, Calif., had no immediate comment late Friday.

http://www.cbsnews.com/8301-205_162-57563619/u.s-tells-computer-users-to-disable-java-software/

How to Disable Java

Java is a handy, cross-platform language that's been mightily abused by hackers. With the discovery of a new Java vulnerability that affects even the most up-to-date version, many experts advise everyone to simply disable Java. Here's how.

• By Neil J. Rubenking
• January 11, 2013

Java was once touted as the "write once, run anywhere" language. In theory, a single Java program could run on any Java-supporting platform. That dream never quite came to perfection, though, and these days Java is a favorite attack vector for hackers. The Flashback Trojan breached Macintosh computers via a Java vulnerability last year, for example. In August, researchers at FireEye reported another zero-day vulnerability in Java. The most recent Java vulnerability affects all versions of Java 7, including the most current version. Unless you absolutely need it, you should disable Java now.

Fortunately, Oracle offers a Web page with straightforward instructions on how to turn off Java.

Disable Java in All Browsers
Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel.

Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.

Disable Java in One Browser
For security's sake you really should be using the very latest Java version. If you're not, or if you need to enable Java in some browsers but disable it in others, you can do that too.

Using Chrome? Enter chrome://plugins in the browser's address bar. Scroll down to Java and click the link to disable it. That was easy, and a bit simpler than Oracle's recommended steps. The process is similar in Opera, which Oracle's page doesn't mention. First, enter about:config in the address bar.

Click the Java heading to expand that section, un-check the checkbox, and click the Save button.

In Safari, choose Preferences, choose Security, and deselect Enable Java.

The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks.

Firefox users can click the Firefox button at the top and choose Add-ons from the resulting menu. On the Plugins tab, click the Disable button next to "Java(TM) Platform." You can also disable Java for all Mozilla family browsers by un-checking the Mozilla family box in the Java control panel.

Stay Updated
When writing this article, I had a hard time viewing the new feature that Oracle added in Update 10. Why? Because I had disabled Java and figured I didn't need to update it. That was lazy thinking; I've reformed. At any time you might find you need Java, perhaps for a Web meeting, or a remote-control tech support session. If you don't want to let Java update automatically, you can check for updates from the Java Control Panel at any time.

Whichever method you choose, visit the Java test page at How do I test whether Java is working on my computer? to confirm that Java is disabled.

Yes, you'll occasionally run across a website that relies on Java. If necessary, you can temporarily enable Java for those sites. But you may be surprised at how little you miss it.

http://www.pcmag.com/article2/0,2817,2414191,00.asp

US tells computer users to disable Java software
CBS News‎- 1 hour ago
DHS warning people to temporarily disable the Java software on their computers to avoid potential hacking attacks, malware.

Feds warn PC users to disable Java due to security flaw
USA TODAY‎ - 2 hours ago


US warns on Java software as security concerns escalate
NBCNews.com (blog)‎ - 4 hours ago

1. Java Under Attack Again, Disable Now
2. In-Depth
3. -InformationWeek-15 hours ago
4. Ban Java NOW? Yet another zero-day rears its ugly head.
5. Blog
6. -Computerworld (blog)-18 hours ago

7. Moriches Daily

   Sci-Tech Today

   IT PRO

8. all 363 news sources »

9. Malware targets Java servers You +1'd this publicly. Undo PCWorld-by Lucian Constantin-Dec 30, 2012 Malware targets Java servers ... and Java servlet container or can be downloaded when browsing to malicious websites from such a system.

10. Komando: In 2013, catch the pin money wave on web The News Journal-50 minutes ago First, you have to download the most recent version (Version 7 Update 10) from the Java site. Since the big problem with Java stems from ...

11. Java zero-day vulnerability actively exploited by attackers InfoWorld-by Lucian Constantin-Jan 10, 2013 ... visit compromised websites, in what are known as drive-by download ... "We reproduced the exploitation mechanism on Java 1.7 Update 9 ...

12. VentureBeat

    Remains of the Day: New Plugin Exploit Found, Disable Java if You ... Lifehacker-Jan 10, 2013 A nasty Java exploit is discovered, Facebook Pages Manager finally comes to ... The free update will automatically download for all users via ...

Techworld.com

Java server malware targets Windows systems SC Magazine-Jan 2, 2013 Java server malware targets Windows systems ... called “JavaWar,” infects victims via drive-by download or as a file dropped by other malware, ...

Oracle releases software update to fix Java vulnerability

Emergency software update repairs vulnerability that could allow remote attackers to execute arbitrary code.

by Steven Musil
January 13, 2013 3:43 PM PST


Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

Oracle said the update modifies the way Java interacts with Web applications.

"The default security level for Java applets and web start applications has been increased from 'medium' to 'high," Oracle said in an advisory today. "This affects the conditions under which unsigned (sandboxed) Java web applications can run.

Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the 'high' setting the user is always warned before any unsigned application is run to prevent silent exploitation."

The vulnerability was being exploited by a zero-day Trojan horse called Mal/JavaJar-B, which was already identified as attacking Windows, Linux and Unix systems and being distributed in exploit kits "Blackhole" and "NuclearPack," making it far more convenient to attackers.

http://news.cnet.com/8301-1009_3-57563730-83/oracle-releases-software-update-to-fix-java-vulnerability/

vs 7 update 11 that just came out today. It contains a major security fix for a vulnerability that was just discovered this past Thursday.
Java SE Downloads