Java security: Still an issue for web browsers
According to US-CERT Alert TA13-010A, a major vulnerability in how Java 7 restricts the permissions of Java applets could allow attackers to run arbitrary commands on a vulnerable computer system. All web browsers still using Java 7 plug-ins are affected; we recommend that you disable Java in your web browser(s) now if you have not done so already. The Java Deployment Toolkit plug-in and Java Web Start could also potentially be used to attack unsecured PCs.
Online attackers have wasted no time seizing on a critical vulnerability in Oracle’s Java software framework that makes it possible to install malware on computers running Windows, Mac OS X, or Linux.
So far, all of the exploits reported to be in the wild attack Windows PCs, but according to Errata Security CTO David Maynor, it’s not hard to exploit Mac and Linux machines that have the latest version of Java from Oracle installed. Neither platform has it installed by default, however. The vulnerability has nothing to do with JavaScript.
(Source: Attack targeting critical Java bug added to hack-by-numbers exploit kit – Ars Technica Risk Assessment, Security, and Hacktivism)
Given the potential seriousness and pervasiveness of the attacks—and Oracle’s reputation for being slow on the draw in response to Java vulnerabilities—experts say that everyday Internet users should probably just disable Java entirely. Like, right now.
"Java has been the most exploited program for well over a year now and it simply isn’t worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."
That’s not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says. Sadly, it does mean that my old favorite Java game, Voodoo Bowl, is out of the question.
(Source: Why You Should Probably Disable Java on Your Browser Right Now – Slate [Dec 2012])
How to disable Java in your web browser
Here are basic instructions on how to disable Java in popular web browsers.
How to disable Java in Firefox web browser
In Firefox, select Tools from the main menu, then select Add-ons, then click the Disable button next to any listed Java plug-ins.
How to disable Java in Google Chrome web browser
In Google Chrome, type chrome://plugins into your browser’s address bar, then click the Disable button which should appear beneath any offending Java plug-ins.
How to disable Java in Safari web browser
In Safari, tap Safari (main menu bar), then hit Preferences, then the Security tab, and uncheck the box next to Enable Java.
NOTE: If your browser was not listed above and you are not sure how to disable Java in your web browser(s), you’ll find plenty of instructions by Googling, “How to disable Java in [your web browser].”
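To confirm that the steps above took effect, the following added example (not code from US-CERT, Oracle or the sources quoted here) inspects a browser's `navigator` object for the three components the alert names: the Java plug-in, the Java Deployment Toolkit and Java Web Start. The MIME-type prefixes, the function name `findJavaExposure` and the sample profile are assumptions made for this illustration.

```javascript
// Added example. MIME-type prefixes assumed to be registered by the Java
// components named above; compared in lower case.
const JAVA_MIME_PREFIXES = [
  ["application/x-java-applet", "Java plug-in"],
  ["application/x-java-vm", "Java plug-in"],
  ["application/java-deployment-toolkit", "Java Deployment Toolkit"],
  ["application/npruntime-scriptable-plugin;deploymenttoolkit", "Java Deployment Toolkit"],
  ["application/x-java-jnlp-file", "Java Web Start"],
];

// nav is a navigator-like object; returns [{ component, evidence: [...] }].
function findJavaExposure(nav) {
  const found = new Map();
  const note = (component, evidence) => {
    if (!found.has(component)) found.set(component, new Set());
    found.get(component).add(evidence);
  };
  // mimeTypes and plugins are array-likes in browsers, so copy them first.
  for (const mt of Array.from(nav.mimeTypes || [])) {
    const type = String(mt.type || "").toLowerCase();
    for (const [prefix, component] of JAVA_MIME_PREFIXES) {
      if (type.startsWith(prefix)) note(component, "mime type " + type);
    }
  }
  for (const plugin of Array.from(nav.plugins || [])) {
    const name = String(plugin.name || "");
    // \bjava\b matches "Java(TM) Platform SE 7" but not "JavaScript ...".
    if (!/\bjava\b/i.test(name)) continue;
    const component = /deployment toolkit/i.test(name)
      ? "Java Deployment Toolkit" : "Java plug-in";
    note(component, "plugin " + name);
  }
  if (typeof nav.javaEnabled === "function" && nav.javaEnabled()) {
    note("Java plug-in", "navigator.javaEnabled() is true");
  }
  return [...found.keys()].sort().map((component) => ({
    component, evidence: [...found.get(component)],
  }));
}

// Constructed sample: a browser profile with Java 7 still enabled.
const sampleNavigator = {
  mimeTypes: [{ type: "application/x-java-applet;version=1.7" },
              { type: "application/x-java-jnlp-file" }, { type: "application/pdf" }],
  plugins: [{ name: "Java Deployment Toolkit 7.0.100.18" }, { name: "Shockwave Flash" }],
  javaEnabled: () => true,
};
// In a browser console, pass the real `navigator` instead of the sample.
console.log(JSON.stringify(findJavaExposure(sampleNavigator), null, 2));
```

An empty array means that browser profile no longer advertises Java to web pages; it says nothing about other browsers on the machine or about Java still being installed on the operating system.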
If you are still using IE (Microsoft Internet Explorer) then we must ask, Why on earth are you still using it?
Switch to Google Chrome or Mozilla Firefox, already!
Hey, it’s just a suggestion. Happy computing… and thanks for visiting!
Resources: Still haven’t disabled Java in your web browser?