Hackers discovered a new security flaw in Java and immediately set up poisoned web sites that can compromise your computer if you click on a link. Since no patch is currently available to fix the vulnerability, it qualifies as a “zero day exploit,” the most dangerous kind of security problem.
You don’t have to panic. Oracle will have a patch available soon.
[Update Sunday 01/13/2013: Oracle released Java 7 Release 11 today, which fixes the vulnerability and increases the security level of Java in web browsers. If Java is installed on your computer, you will be prompted to install the update. Subscribers to Bruceb Remote Management will be updated within the next couple of days.]
I have some suggestions below but your first obligation is the same as always: don’t click on links to web sites unless you know exactly where you’re going. Remember the Rules For Computer Safety:
- Follow links with carefree abandon to and from legitimate sites, but don’t click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site.
- Don’t click on links in email messages unless you deeply trust the judgment of the person who sent the message.
- Don’t click on links in forwarded messages.
- Shortened links are becoming popular in Twitter, Facebook, blogs, and social networking sites. You can’t tell where they lead by looking at them. Don’t follow them unless you trust the person who created the link.
- Just because something is listed in a Google search doesn’t mean it’s safe. Make a judgment about where you’re going before you click.
The Java vulnerability is familiar. If you visit a poisoned web site, hackers have figured out a way to exploit the copy of Java on your computer to install malicious software. Once they’re on your computer, they can use that software to commit identity theft, make your computer part of a botnet that attacks websites, or melt your ice cream. Anything they want, really. As of Saturday 01/12/2013, there is no defense – if you have Java on your computer and you go to a website exploiting the new flaw, your computer is owned by the bad guys. The bad guys live for moments like this, so they’re hustling to get malware kits out that can take advantage of the flaw. Scary stuff!
Java is being attacked more often than any other piece of software. According to Kaspersky Labs, Java security holes were responsible for 50% of computer attacks in 2012. Adobe Reader was second, attacked in 28% of incidents, and Adobe Flash was third. Windows and Internet Explorer were only directly attacked in 3% of security incidents in 2012. (Interesting prediction from the same report: watch for a sharply escalating number of attacks on Android phones and tablets in 2013.)
When this week’s zero day exploit began appearing on poisoned web sites with no patch in sight, the US Department Of Homeland Security issued an unusual warning, asking all computer users to disable or uninstall Java. "We are currently unaware of a practical solution to this problem," the DHS Computer Emergency Readiness Team said.
Apple took the aggressive step of updating an internal blacklist in OS X to prevent the Java browser plugin from running until a patched version is available.
Uninstall Java. Go to Control Panel / Programs and remove all items that refer to Java. (Ironically, you’ll be asked to install Java if you visit the web page with Oracle’s instructions about how to uninstall Java.)
A few weeks ago I uninstalled Java from my computers to see if I would miss it. Much to my surprise, I haven’t missed it at all. Web pages occasionally ask permission to install Java but I’m not aware of missing anything important when I’ve declined. It was less convenient to download the New Year’s Phish concerts without the Java downloader but that’s about it for my experience.
Your mileage might vary. Java is widely used and you might need it for something important. If so, install the latest version and watch for an update this week.
Disable Java. There are detailed instructions in this article for disabling Java in Internet Explorer, Firefox, Chrome and other browsers. Windows users running Java 7 can use the checkbox on the Security tab of the Java Control Panel introduced last summer: uncheck the box “Enable Java content in the browser.”
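Added example, not from the original post: a read-only PowerShell check that reports whether either of the two steps above (uninstalling Java, or disabling it in the browser) has been done on a Windows PC. It assumes the "Enable Java content in the browser" checkbox is stored as deployment.webjava.enabled in deployment.properties, that Java 7 Update 11 appears in the registry as version 7.0.110, and that the system-wide properties file lives under %WINDIR%\Sun\Java\Deployment.

```powershell
# Added example (not from the original post). Read-only: it removes and changes nothing.
# Assumptions: the browser checkbox is stored as deployment.webjava.enabled, Java 7u11
# shows as DisplayVersion 7.0.110, and the system-wide properties path below.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Is Java still installed? This is the same list Control Panel / Programs shows.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java' } |
    Select-Object DisplayName, DisplayVersion, UninstallString

if (-not $java) {
    Write-Output 'Java is not installed; a poisoned page has nothing to exploit here.'
    return
}
$java | Format-Table -AutoSize

# 2. Is browser Java content switched off? Per-user file first, then the
#    system-wide file an administrator can enforce (path is an assumption).
$propFiles = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'),
    (Join-Path $env:WINDIR 'Sun\Java\Deployment\deployment.properties')
)
$webJavaDisabled = $false
foreach ($f in $propFiles) {
    if (-not (Test-Path $f)) { continue }
    $line = Select-String -Path $f -Pattern '^deployment\.webjava\.enabled=' |
        Select-Object -Last 1
    if ($line) {
        Write-Output "$f : $($line.Line)"
        if ($line.Line -match '=\s*false\s*$') { $webJavaDisabled = $true }
    }
}
if ($webJavaDisabled) {
    Write-Output 'Browser Java content is disabled; web pages cannot reach the plug-in.'
} else {
    Write-Output 'WARNING: Java is installed and browser Java content is still enabled.'
    Write-Output 'Uncheck "Enable Java content in the browser" or uninstall Java until patched.'
}

# 3. Flag Java 7 builds older than Update 11, the release the update note says fixes it.
foreach ($j in $java) {
    if ($j.DisplayVersion -match '^7\.0\.(\d+)$' -and [int]$Matches[1] -lt 110) {
        Write-Output "$($j.DisplayName) ($($j.DisplayVersion)) predates Java 7 Update 11."
    }
}
```

Run it from an elevated PowerShell prompt so the system-wide properties file and both registry hives are readable.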
Wait for a patch. A flap like this does tremendous damage to a company’s reputation. Oracle announced on Friday that it was going to get a fix out lickety split, and you’d better believe they’re moving as fast as they can to make it so. Install it when it appears.
Use Bruceb Remote Management to stay up to date and get timely patches in the future. When Oracle releases a patch for Java, subscribers to Bruceb Remote Management will have it installed on their computers as quickly as possible. The monitoring system watches for updates to all the critical system utilities – Adobe Flash, Java, Reader, Acrobat, and many more, as well as Windows and Office – and installs the latest updates silently and reliably. Staying up to date is as important for your security as running antivirus software.
You’ll recognize Bruceb Remote Management subscribers – they are taller and better-looking than everyone else, and they look noticeably well-rested compared to harried computer users who try to do everything alone. If you’re not using Bruceb Remote Management on all your computers – home, office, notebook – call me or drop me a note! It takes only a moment to get safe.