Java, The Never-Ending Saga ~ Security Garden


The saga of Java being actively exploited is a long one.

History

I have been following problems with Java since 2005 when a campaign was started by Steve Wechsler (aka, MowGreen) to convince Sun Microsystems (the owner of Java before Oracle's purchase) to change the Java auto-updater to uninstall previous (vulnerable) versions of the program. At that time, the current version was Java JRE 5.0 Update 5 and Virtumundo (Vundo) infections were rampant.

Three years later, with JRE SE 6u11, the update mechanism for Java was finally changed to remove the previous install. However, it did not remove installations prior to update 10.

Do You Need Java?

There are very few reasons why Java is needed on a personal computer. Some of those reasons include the following:
  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
Although Internet Explorer is now blocking outdated ActiveX components (see Out-of-date ActiveX control blocking), if you don't need Java, uninstall it. That is one less update to worry about and, more importantly, one less potential vulnerability. In the event a program you use requires Java, you will be prompted to install it.

The Problem With Old Java Versions

A web page can request any vulnerable JRE that is installed on your computer and use it to run attack code. Finally, in June 2011, Oracle added an advisory stating that old and unsupported versions of Java are not tested for the presence of vulnerabilities and that those versions are likely affected by the vulnerabilities found in current releases.

Significantly, there are frequent reports of critical and zero-day Java vulnerabilities being actively exploited in the wild. With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Although most vulnerabilities target Windows operating systems, many can also run the same or modified code on Mac OS X or Linux.

Do not confuse Java with Javascript

JavaScript, which many sites use, allows dynamic HTML webpages. Unlike Java, JavaScript is not to be found outside the browser.

Java is a stand-alone programming language. It is used to write applications outside of the browser (although they can be linked).

Recommendations

1. Uninstall Java

To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:
  • Java 8 Update XX
  • Java 7 Update XX
  • Java Auto Updater
  • JavaFX 2.2.4 (or earlier)
  • Java 6 Update XX (any version)

Confirm that the folders shown below have also been removed. If not, delete the folders manually.
  • C:\Program Files\Java
  • C:\Users\%UserName%\AppData\LocalLow\Sun

Note: Many people have reported missing Java uninstallers or are receiving Error 1316. To solve this problem, run the Microsoft Fix it solution, Fix problems with programs that can't be installed or uninstalled.

2. Disable Java via Java Control Panel

With the update to Java JDK 7u10, Oracle included the option to disable Java in the browser. Thus, if you have a business need to use Java, play online games, or use open source programs such as OpenOffice (see here) or LibreOffice (which only requires Java for a few features), it is recommended that Java be disabled until needed.

Java can be disabled via the Java Control Panel or, except for Internet Explorer, via browser settings. The instructions for both are included below.

A. Launch the Java Control Panel

Simple:
Click the Windows Start button and in the Start Search box type or paste the path according to whether your computer is 32-bit or 64-bit (How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system).
  Windows 32-bit: c:\Program Files\Java\jre8\bin\javacpl.exe
  Windows 64-bit: c:\Program Files (x86)\Java\jre8\bin\javacpl.exe

Operating System Specific:
  • Windows XP -- Click Start > Control Panel. Double-click the Java icon to open the Java Control Panel.
  • Windows Vista and Windows 7 -- Click Start > Control Panel. In the Control Panel Search box type Java Control Panel. Click the Java icon to open the Java Control Panel.
  • Windows 8.x -- Press Windows logo key + W to open the Search charm to search settings (or drag the mouse pointer to the bottom-right corner of the screen, then click the Search icon). In the search box type Java Control Panel. Click the Java icon to open the Java Control Panel.


B. In the Java Control Panel, click on the Security tab.
  • Uncheck Enable Java content in the browser.
  • Click Apply. (Approve any User Account Control/UAC prompt to provide permission for the change.)
  • Click OK in the Java Plug-in confirmation window.
  • Move the slider for the Security Level to Very High*.
  • Restart the browser for changes to take effect.


*Very High
With the Very High setting, all unsigned and self-signed applets and applications are blocked and will not run. Only apps that have an associated certificate from a trusted authority will run, and only after presenting a prompt.
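To verify that steps 1 and 2 actually took effect on a machine, the following PowerShell audit script (added here as an example; it is not part of the original post) lists the Java products still registered in Programs and Features, checks for the leftover folders named in step 1, and reads the Java Control Panel's per-user deployment.properties file for the two settings changed in step 2. It assumes that file lives under the LocalLow\Sun folder from step 1 and that the Control Panel stores those settings under the keys deployment.webjava.enabled and deployment.security.level.

```powershell
# Added audit script (not from the Security Garden post): lists the Java
# products registered in Programs and Features, checks whether the folders from
# step 1 still exist, and reads the Java Control Panel's per-user settings file
# to confirm step 2 took effect. Read-only: nothing is uninstalled or changed.
# Assumptions: deployment.properties sits under the LocalLow\Sun folder named in
# step 1, and the keys deployment.webjava.enabled / deployment.security.level
# are the ones the Java Control Panel (7u10 and later) writes.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed Java products (Java 6/7/8 updates, Java Auto Updater, JavaFX)
$java = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(FX)?\b' } |
    Select-Object DisplayName, DisplayVersion, UninstallString
if ($java) {
    Write-Host "Java products still registered in Programs and Features:"
    $java | Format-Table -AutoSize
} else {
    Write-Host "No Java products registered in Programs and Features."
}

# 2. Folders the uninstaller sometimes leaves behind
$folders = @(
    'C:\Program Files\Java',
    'C:\Program Files (x86)\Java',
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun')
)
foreach ($f in $folders) {
    if (Test-Path $f) { Write-Warning "Leftover folder present: $f" }
}

# 3. Java Control Panel settings (only present while Java is installed)
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $props) {
    $settings = @{}
    Get-Content $props | ForEach-Object {
        if ($_ -match '^([^#=]+)=(.*)$') { $settings[$matches[1].Trim()] = $matches[2].Trim() }
    }
    # A missing key means the Control Panel default, i.e. Java in the browser is ON
    $webJava  = if ($settings['deployment.webjava.enabled']) { $settings['deployment.webjava.enabled'] } else { 'true (default)' }
    $secLevel = if ($settings['deployment.security.level']) { $settings['deployment.security.level'] } else { 'not set' }
    if ($webJava -eq 'false') { Write-Host "Java content in the browser: disabled" }
    else { Write-Warning "Java content in the browser is still enabled (deployment.webjava.enabled=$webJava)" }
    if ($secLevel -eq 'VERY_HIGH') { Write-Host "Security Level: Very High" }
    else { Write-Warning "Security Level is not Very High (deployment.security.level=$secLevel)" }
}
```

Run it from an ordinary (non-elevated) PowerShell prompt as the user whose browser settings you want to check, since the deployment.properties file is per-user.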

3. Disable via Browser-Specific Settings

For Java-dependent software programs, disabling Java in the browser will still allow Java to work for the desktop applications.

Internet Explorer -- The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above. Update: See Microsoft Fix it to Disable Java in Internet Explorer for instructions on disabling Java in IE.

Firefox and Pale Moon
  • Click the Firefox tab --> Add-ons --> Plugins
  • Select the Java (TM) Platform plugin and click Disable (if the button displays Enable then Java is already disabled)
  • Close the tab.

Chrome
  • Click the Chrome menu --> Settings --> Show advanced settings.
  • In Privacy click Content Settings --> Plug-ins
  • Click Disable individual plug-ins, scroll to the Java section and click Disable.
  • Close and restart the browser to enable the changes.

(Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.)

Opera
  • Go to opera:plugins (alternatively, copy/paste it in a new tab)
  • At the right of the "Java Applet Plug-in", click the blue Disable text button
  • Close the tab/window

Safari
  • Select Safari Preferences --> Security and deselect Enable Java.
  • Close the Safari Preferences window

4. JavaRa (Retired)

For over six years, JavaRa has helped users of Sun Java (since acquired by Oracle) remove the old bits of Java and outdated versions after a security update. Oracle has (finally) gotten their act together. As a result, SingularLabs is ceasing development of JavaRa and will no longer be providing definition updates after December 18th 2014.

Thanks to Fred de Vries for originally developing the program and to SingularLabs for continuing it when Fred passed over the reins.



Updated: 17NOV2014
