What you need to know about the Java exploit

On Thursday the news broke about this Java exploit – the exploit is referred to as CVE-2013-0422. On Friday, this exploit hit mainstream news sites, not just the techie journals – and even got the attention of the Department of Homeland Security – enough for them to recommend uninstalling Java. Oracle – the company that produces Java, proudly proclaims that Java is installed on 3 Billion devices, and more than 850 million personal computers – that is why this exploit is such a big deal.

Java is installed on 3 Billion devices – 850 million+ PCs

Here are some Q&As regarding Java:

Q: What is Java, anyway?
A: Java is a very popular programming language and computing platform that powers programs including games, utilities, and business applications. According to Java’s maker (Oracle Corp.), Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices, DVD and Blu-ray players and even refrigerators. It is required by some Web sites that use it to run interactive games and applications.

Q: What is all the fuss about?
A: Researchers have discovered that cybercriminals are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site with carefully crafted code.

Q: How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a web browser plug-in. According to researchers at Carnegie Mellon University’s CERT, unplugging the Java plugin from the browser effectively prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 – Update 10 – Oracle included a very quick and simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A. Follow the instructions here – we covered this last week – but it is quick and easy to tell if you have Java installed and what version it is. Basically, you visit the Java website (http://www.java.com/) and hit the link “Do I have Java?”.

Q: I’m using Java 6. Do I have to worry about this?
A: There have been conflicting reports on this front. The description of the bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including versions 4 and 5. Analysts at vulnerability research firm Immunity say that the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced in Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely with the update they released in October of 2012.

Either way, it is important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. Brian Krebs of KrebsOnSecurity.com is now advising users to uninstall Java completely unless they need it – or unplug it from the browsers on your computer – no matter what version you are using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A. You can downgrade to Java 6, but that isn’t a great solution – because support for Java 6 ends at the end of February 2013. The best way to handle this would be to enable Java in a separate internet browser – use that browser only for the site that needs it – and use another browser (with Java disabled) for the rest or majority of your internet surfing.

Q: I am using a Macintosh, so I am not affected, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s Java disable instructions include advice on how to unplug Java from Safari. It should be noted that Apple has not provided a version of Java for OS X beyond version 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random web sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A. Incorrect. This vulnerability is being made available to cybercriminals who have bought “exploit packs” – “off the shelf” malware, or crimeware tools made to infect websites at random. These exploit packs go after websites that are not up to date and can infect almost any website – they mostly go after legitimate websites which are not updated by their owners. All it takes is for a hacker to insert one line of code onto a compromised website, and this will be invisible to you.

Q. I read that this is the first time the US Govt. has suggested or urged users to uninstall a piece of software – is this true?
A. No – this is not the first time. CERT has advised users to avoid using Internet Explorer in the past – although this made extra headlines because of it being flagged as “Department of Homeland Security

Q. I think my PC has Java installed – but I can’t find the Java control panel
A. This appears to be a bug in Java – the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Alternatively, you can use a tool like CCleaner to remove the Java software.

Q. I don’t think I use Java – because I can’t remember when I last used it – can I just remove it?
A. Java certainly isn’t used on websites as much as it once was. If you don’t think you use it, you can try removing it. The worst-case scenario is that you have to reinstall it when you find a use for it.

Q. If I manage Java on a lot of business machines how do I proceed?
A. CERT advises that system administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
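As an added example (not from the original post or from Oracle), a PowerShell script an administrator could use to install Java 7 Update 10 or later silently with WEB_JAVA=0 and then report whether the browser plug-in is disabled on that machine. The installer path is a placeholder, and the deployment.properties locations and the deployment.webjava.enabled key are assumed from Oracle’s deployment documentation; the javacpl.exe paths are the ones named above.

```powershell
# Added example: deploy Java 7u10+ with the browser plug-in off, then verify.
# Assumptions: $Installer is a placeholder path; the deployment.properties
# locations and the key name are taken from Oracle's deployment documentation.
param(
    [string]$Installer = '\\fileserver\software\jre-7u10-windows-i586.exe',  # placeholder
    [switch]$VerifyOnly
)

# Locations the post names as likely homes of the Java Control Panel launcher.
$ControlPanelPaths = @(
    "$env:ProgramFiles\Java\jre7\bin\javacpl.exe",
    "${env:ProgramFiles(x86)}\Java\jre7\bin\javacpl.exe"
)

function Install-JavaWithoutPlugin {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Installer not found: $Path" }
    # /s = silent install; WEB_JAVA=0 leaves "Enable Java content in the browser" off.
    $p = Start-Process -FilePath $Path -ArgumentList '/s', 'WEB_JAVA=0' -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode)" }
}

function Get-JavaPluginState {
    # Machine-wide file first, then the per-user file the Control Panel writes (assumed paths).
    $candidates = @(
        (Join-Path $env:WINDIR 'Sun\Java\Deployment\deployment.properties'),
        (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties')
    )
    foreach ($props in $candidates) {
        if (-not (Test-Path $props)) { continue }
        $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' |
                Select-Object -First 1
        if ($line) {
            if ($line.Line -match '=false\s*$') { return "disabled ($props)" }
            return "enabled ($props)"
        }
    }
    return 'no setting found (plug-in defaults to enabled)'
}

if (-not $VerifyOnly) { Install-JavaWithoutPlugin -Path $Installer }

$cpl = $ControlPanelPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
New-Object PSObject -Property @{
    ControlPanel  = if ($cpl) { $cpl } else { 'javacpl.exe not found' }
    BrowserPlugin = Get-JavaPluginState
}
```

Run it with -VerifyOnly on an already-installed machine to check the plug-in state without reinstalling.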

Q: What about Javascript?
A. Java and JavaScript are completely different – an exploit in Java does not mean there is a problem with JavaScript. Disabling JavaScript is another way to keep yourself safer – but for completely different reasons. Do not confuse this problem with anything to do with JavaScript.
