Java, The Never-Ending Saga

Remove Java

The saga of Java being actively exploited is a long one.

History

I have been following problems with Java since 2005 when a campaign was started by Steve Wechsler (aka, MowGreen) to convince Sun Microsystems (the owner of Java before Oracle's purchase) to change the Java auto-updater to uninstall previous (vulnerable) versions of the program.  At that time, the current version was Java JRE 5.0 Update 5 and Virtumundo (Vundo) infections were rampant.

Three years later, with JRE SE 6u11, the update mechanism for Java was finally changed to remove the previous install. However, it did not remove installations prior to update 10.

Do You Need Java?

There are very few reasons why Java is needed on a personal computer. Some of those reasons include the following:
  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
Although Internet Explorer is now blocking outdated ActiveX components (see Out-of-date ActiveX control blocking), if you don't need Java, uninstall it. One less update to worry about and, more importantly, one less potential vulnerability. In the event a program you use requires Java, you will be prompted to install it.

The Problem With Old Java Versions

Any web application can specify which installed JRE it runs under, so any vulnerable JRE left on your computer can be used to run attack code.  Finally, in June 2011, Oracle included the advisory that old and unsupported versions of Java are not tested for the presence of vulnerabilities and that it is likely those versions are affected by the vulnerabilities.

Significantly, there are frequent reports of critical and zero-day Java vulnerabilities being actively exploited in the wild.  With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection.  Although most vulnerabilities target Windows operating systems, many can also run the same or modified code on Mac OS X or Linux.

Do not confuse Java with Javascript

Javascript, which many sites use, allows dynamic HTML webpages.  Unlike Java, Javascript is not to be found outside the browser.

Java is a stand-alone programming language. It is used to write applications outside of the browser (although they can be linked).

Recommendations

1.  Uninstall Java 

To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:
  • Java 8 Update XX
  • Java 7 Update XX
  • Java Auto Updater
  • JavaFX 2.2.4 (or earlier)
  • Java 6 Update XX (any version)

Confirm that the folders shown below have also been removed.  If not, delete the folders manually.
  • C:\Program Files\Java
  • C:\Users\%UserName%\AppData\LocalLow\Sun

Note:  Many people have reported missing Java uninstallers or are receiving Error 1316.  To solve this problem, run the Microsoft Fix it solution, Fix problems with programs that can't be installed or uninstalled.
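
A read-only way to check the result of the removal step above, as an added PowerShell example that is not part of the original post: it lists the Java entries behind Programs and Features and reports whether the folders named above still exist. The display-name pattern and the inclusion of the Program Files (x86) folder are assumptions drawn from the names and paths this page lists.

```powershell
# Added example: read-only inventory of Java installs and leftover folders.
# It reports what it finds and removes nothing.

# Registry locations behind Programs and Features (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display names from the list above (assumed pattern):
# "Java N Update XX", "Java Auto Updater", "JavaFX ...".
$namePattern = '^Java( \d+ Update \d+| Auto Updater|FX\b)'

function Get-InstalledJava {
    # Entries without a DisplayName simply fail the match and are skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $namePattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation |
        Sort-Object DisplayName
}

function Get-JavaLeftoverFolder {
    # The two folders named above, plus the (x86) folder on 64-bit Windows.
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Java'),
        (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun')
    )
    if (${env:ProgramFiles(x86)}) {
        $candidates += Join-Path ${env:ProgramFiles(x86)} 'Java'
    }
    $candidates | Where-Object { Test-Path -LiteralPath $_ }
}

$installed = @(Get-InstalledJava)
$leftovers = @(Get-JavaLeftoverFolder)

if ($installed.Count) {
    $installed | Format-Table -AutoSize | Out-String
} else {
    'No Java entries found in Programs and Features.'
}

if ($leftovers.Count) {
    'Folders still present:'
    $leftovers
} else {
    'No leftover Java folders found.'
}
```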

2.  Unwanted "Extras"

Oracle has long included pre-checked options with the updates.  If you are among those who need Java due to programs and games that require it, How-to Geek discovered a little-known and unpublicized option in the Java Control Panel to suppress the offers for the pre-checked unwanted extras.
  1. Launch the Windows Start menu
  2. Click on Programs
  3. Find the Java program listing
  4. Click Configure Java to launch the Java Control Panel
  5. Click the Advanced tab and go to the "Miscellaneous" section at the bottom.
  6. Check the box by the “Suppress sponsor offers when installing or updating Java” option and click OK.

3.  Disable Java via Java Control Panel

With the update to Java JDK 7u10, Oracle included the option to disable Java in the browser.  Thus, if you have a business need to use Java, play online games, use open source programs such as OpenOffice (see here) or LibreOffice (which only requires Java for a few features), it is recommended that Java be disabled until needed.

Java can be disabled via the Java Control Panel or, except for Internet Explorer, via browser settings.  The instructions for both are included below. 

A.  Launch the Java Control Panel

Simple:
Click the Windows Start button and in the Start Search box type or paste the path according to whether your computer is 32-bit or 64-bit (How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system).
  • Windows 32-bit: c:\Program Files (x86)\Java\jre8\bin\javacpl.exe
  • Windows 64-bit: c:\Program Files\Java\jre8\bin\javacpl.exe

Operating System Specific:
  • Windows XP -- Click > Start > Control Panel. Double-click the Java icon to open the Java Control Panel.
  • Windows Vista and Windows 7 -- Click > Start > Control Panel. In the Control Panel Search type Java Control Panel.  Click the Java icon to open the Java Control Panel.
  • Windows 8.x -- Press Windows logo key + W to open the Search charm to search settings (or drag the Mouse pointer to the bottom-right corner of the screen, then click on the Search icon).  In the search box type Java Control Panel.  Click the Java icon to open the Java Control Panel.
  • Windows 10 -- Right-click on the Start button and select the Control Panel option. In the Windows Control Panel, click on Programs.  Click on the Java icon to open the Java Control Panel.


B.  In the Java Control Panel, click on the Security tab.
  • Uncheck Enable Java content in the browser.
  • Click Apply.  (Approve any User Account Control/UAC prompt to provide permission to the change.)
  • Click OK in the Java Plug-in confirmation window.
  • Move the slider for the Security Level to Very High*.
  • Restart the browser for changes to take effect.

*Very High
With the Very High setting, all unsigned and self-signed applets and applications are blocked and will not run. Only apps that have an associated certificate from a trusted authority will run after presenting a prompt.
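
To confirm the two Security tab settings took effect, this added PowerShell example (not from the original post) reads the per-user deployment.properties file. The file location, the property names deployment.webjava.enabled and deployment.security.level, and the defaults used when a key is absent are assumptions taken from Oracle's deployment configuration documentation rather than from this page.

```powershell
# Added example: audits the settings made in step B. Read-only.
function Test-JavaBrowserHardening {
    param([string[]]$Lines)

    # Values assumed to apply when a key is absent from the file.
    $settings = @{
        'deployment.webjava.enabled' = 'true'
        'deployment.security.level'  = 'HIGH'
    }
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Skip blank lines and properties-file comments (# or !).
        if ($text -eq '' -or $text -match '^[#!]') { continue }
        # key=value or key:value; split on the first separator only.
        $key, $value = $text -split '\s*[=:]\s*', 2
        if ($settings.ContainsKey($key)) { $settings[$key] = $value }
    }
    [pscustomobject]@{
        BrowserContentDisabled = $settings['deployment.webjava.enabled'] -eq 'false'
        SecurityLevelVeryHigh  = $settings['deployment.security.level'] -eq 'VERY_HIGH'
    }
}

# Constructed sample: the file as it should look after step B.
$sample = @(
    '#deployment.properties',
    'deployment.webjava.enabled=false',
    'deployment.security.level=VERY_HIGH'
)
'Constructed sample:'
Test-JavaBrowserHardening -Lines $sample | Format-List | Out-String

# The current user's real file, if Java has written one (assumed location).
$path = Join-Path $env:USERPROFILE `
    'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path -LiteralPath $path) {
    "Current user ($path):"
    Test-JavaBrowserHardening -Lines (Get-Content -LiteralPath $path) |
        Format-List | Out-String
} else {
    "No deployment.properties found at $path"
}
```

A result of False for either field on the real file means the corresponding step in B should be repeated for that user account.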

4.  Disable via Browser-Specific Settings

For Java-dependent software programs, disabling Java in the browser will still allow Java to work for the desktop applications.

Microsoft Edge -- Microsoft Edge does not support Java.

Internet Explorer
  • Select Tools -> Internet Options from the menu toolbar.
  • Click on the Security tab.
  • Click on the Custom level.. button.
  • In the Security Settings window scroll down the list until you see Scripting of Java applets.
  • Java applets are Enabled or Disabled depending on which radio button is checked. Click on the option you want and then click OK to save the change.

Firefox and Pale Moon
  • Click the Firefox tab -- Tools, Add-ons, Plugins
  • Select the Java (TM) Platform plugin and click Disable (if the button displays Enable then Java is already disabled)
  • Close the tab.

Chrome
  • Click the Chrome menu --> Settings --> Show advanced settings.
  • In Privacy click Content Settings --> Plug-ins
  • Click Disable individual plug-ins, and scroll to the Java section and click Disable.
  • Close and restart the browser to enable the changes.
(Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.)

Opera
  • Go to opera:plugins (alternatively, copy/paste in a new tab)
  • At the right of the "Java Applet Plug-in", click the blue Disable text button
  • Close the tab/window

Safari
  • Select Safari Preferences and click the Security icon.  Deselect Enable Java.
  • Close the Safari Preferences window

5.  JavaRa (Retired)

For over six years, JavaRa has helped users of SunJava (since acquired by Oracle) remove the old bits of Java and outdated versions after a security update.  Oracle has (finally) gotten their act together.  As a result, SingularLabs is ceasing development of JavaRa and will no longer be providing definition updates after December 18th 2014.

Thanks to Freð ðe Vries for originally developing the program and to SingularLabs for continuing it when Fred passed over the reins.



Updated:  02APR2019

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
