View 757 Friday, January 11, 2013
There is a zero-day alert. I was alerted to this by people I trust. Zero Day means that the threat is already released into the wild. The only remedy currently known is to turn off Java.
Turning off Java can break some things you need.
First, the threat:
Java Under Attack Again, Disable Now
http://www.informationweek.com/security/attacks/java-under-attack-again-disable-now/240146082
More on that in a minute. For the moment, just don’t go browsing around the Internet looking at strange new sites until you have read the rest of this.
Advice and discussion from a security expert. Read this carefully:
Note that "Java" is different than "JavaScript". JavaScript (JS) is used by a lot of web sites; disabling JS may cause problems.
Java is mainly used for web-based applications. Many business sites use Java web-based applications. Uninstalling Java will break those apps … not a good alternative in a business/corporation environment. Disabling Javascript will cause problems with many web sites.
There are reports that some on-line banking sites require Java (although this may possibly be just JavaScript). There is a procedure for disabling Java in your browser (here http://www.kb.cert.org/vuls/id/625617 ) . Sun says to do this (link http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html#disable )
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.
The vulnerability appears to be in malicious web sites/pages that will contain the code that exploits the vulnerability. There don’t appear to be easy answers for all situations. Users may have to experiment with their settings to ensure that needed applications will still work.
Safe browsing seems to be one of the important keys here. Full anti-virus install/updates, installing Microsoft updates, installing application updates. The best way to do all of that update effort is to use the free (for personal use) Secunia Personal Property Inspector (available here http://secunia.com/vulnerability_scanning/personal/ ). Business should look at their business-level version to ensure updates are installed properly.
Rick Hellewell, security guy
Disabling Java apps in Firefox requires that you open Firefox, go to the upper left corner where you see the word Firefox (not its icon) and click on that. Go to plug ins, find the Java app, and disable. Then restart Firefox or nothing will happen.
If you use Explorer (I use Explorer when downloading Microsoft stuff) you probably ought to turn off Java there.
Note that there are likely to be fixes for these problems, but we don’t know when they will come out. And of course turning off Java may break something you need. Read Rick’s advice again.
And Good Luck.
Eric adds this advice:
As a rule, it’s simpler to regard Java as perpetually under and assess whether you need on a machine. My preferred torrent client is a Java app but I’m not aware of any site I regularly visit using Java (not to be confused with the widely required but unrelated JavaScript. Thanks for the dumb opportunistic name, Netscape.) and it shouldn’t break anything if I don’t allow my web browser to invoke the VM.
It has been a busy morning and it’s lunch time. More on what we’ve been doing after lunch.