Java, The Never-Ending Saga ~ Security Garden


The saga of Java being actively exploited is a long one.

History

I have been following problems with Java since 2005 when a campaign was started by Steve Wechsler (aka, MowGreen) to convince Sun Microsystems (the owner of Java before Oracle's purchase) to change the Java auto-updater to uninstall previous (vulnerable) versions of the program.  At that time, the current version was Java JRE 5.0 Update 5 and Virtumundo (Vundo) infections were rampant.

Three years later, with JRE SE 6u11, the update mechanism for Java was finally changed to remove the previous install. However, it did not remove installations prior to update 10.

The Problem With Old Java Versions

A web page can request any specific JRE version, so a vulnerable JRE left installed beside the current one can still be used to run attack code on your computer. Finally, in June 2011, Oracle added an advisory stating that old and unsupported versions of Java are not tested for the presence of vulnerabilities and that those versions are likely to be affected by them.

Significantly, there are frequent reports of critical Java vulnerabilities, including zero-days, being actively exploited in the wild. With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Although most exploits target Windows, many can run the same or modified code on Mac OS X or Linux.

Do not confuse Java with JavaScript

JavaScript, which many sites use, makes HTML pages dynamic. Unlike Java, JavaScript is not found outside the browser.

Java is a stand-alone programming language. It is used to write applications that run outside the browser (although web pages can also invoke it).

Recommendations

1.  Uninstall Java

First and foremost, most home computer users do not need Java installed on their computer. In the past, Java was needed for some websites to display properly. That is generally no longer the case, and where Java is still needed it can be enabled for trusted sites only.

To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:
• Java 7 Update XX
• Java Auto Updater
• JavaFX 2.2.4 (or earlier)
• Java 6 Update XX (any version)

Confirm that the folders shown below have also been removed. If not, delete the folders manually.
• C:\Program Files\Java
• C:\Users\%UserName%\AppData\LocalLow\Sun

Note: Many people have reported missing Java uninstallers or are receiving Error 1316. To solve this problem, run the Microsoft Fix it solution, "Fix problems with programs that can't be installed or uninstalled".

2.  Disable Java via Java Control Panel

With the update to Java JDK 7u10, Oracle included the option to disable Java in the browser. Thus, if you have a business need for Java, play online games, or use open source programs such as OpenOffice or LibreOffice (which needs Java only for a few features), it is recommended that Java in the browser be disabled until it is needed.

Java can be disabled via the Java Control Panel or, except for Internet Explorer, via browser settings.  The instructions for both are included below. 

A.  Launch the Java Control Panel

Simple:
Click the Windows Start button and, in the Start Search box, type or paste the path that matches your computer (How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system):
• Windows 32-bit: c:\Program Files\Java\jre7\bin\javacpl.exe
• Windows 64-bit: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe

Operating System Specific:
• Windows XP -- Click Start > Control Panel. Double-click the Java icon to open the Java Control Panel.
• Windows Vista and Windows 7 -- Click Start > Control Panel. In the Control Panel Search box type Java Control Panel. Click the Java icon to open the Java Control Panel.
• Windows 8 -- Press Windows logo key + W to open the Search charm to search settings (or move the mouse pointer to the bottom-right corner of the screen, then click the Search icon). In the search box type Java Control Panel. Click the Java icon to open the Java Control Panel.


B.  In the Java Control Panel, click on the Security tab.
• Uncheck Enable Java content in the browser.
• Click Apply. (Approve any User Account Control/UAC prompt to permit the change.)
• Click OK in the Java Plug-in confirmation window.
• Move the slider for the Security Level to Very High*.
• Restart the browser for the changes to take effect.


*Very High
With the Very High setting, all unsigned and self-signed applets and applications are blocked and will not run. Only applications with a certificate from a trusted authority will run, and only after a prompt.
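The checks in recommendations 1 and 2 (Java still listed in Programs and Features, leftover folders, browser Java disabled in the Java Control Panel) can be verified from a PowerShell prompt. This is an added audit script, not part of the original post; it is read-only and reports rather than uninstalls. The deployment.properties location under LocalLow\Sun and the property names deployment.webjava.enabled and deployment.security.level are assumptions about how the Java Control Panel stores the settings the post walks through, and the Program Files (x86)\Java folder is added for the 32-bit JRE on 64-bit Windows, which the post does not list.

```powershell
# Added audit script (not from the post). Property names and the settings file
# path are assumptions about the Java Control Panel's storage; the post only
# shows the GUI steps. Read-only: nothing is uninstalled or deleted.

# 1. Installed Java, as Programs and Features lists it. Both registry views are
#    read so 32-bit Java on 64-bit Windows is not missed.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Matches "Java 7 Update XX", "Java Auto Updater" and "JavaFX 2.2.4" as the post lists them.
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java' } |
    Select-Object DisplayName, DisplayVersion
if ($javaEntries) {
    Write-Host 'Java entries still registered in Programs and Features:'
    $javaEntries | Format-Table -AutoSize
} else {
    Write-Host 'No Java entries found in Programs and Features.'
}

# 2. Folders the post says should be gone after a full uninstall. On 64-bit
#    Windows the 32-bit JRE lives under Program Files (x86), so that is checked too.
$leftoverFolders = @("$env:ProgramFiles\Java", "$env:USERPROFILE\AppData\LocalLow\Sun")
if (${env:ProgramFiles(x86)}) { $leftoverFolders += "${env:ProgramFiles(x86)}\Java" }
foreach ($folder in $leftoverFolders) {
    if (Test-Path -LiteralPath $folder) { Write-Host "Leftover folder present, remove manually: $folder" }
}

# 3. Per-user Java Control Panel settings (only meaningful while Java is installed).
#    Assumption: unchecking "Enable Java content in the browser" is stored as
#    deployment.webjava.enabled=false and the Very High slider as VERY_HIGH.
$propsFile = "$env:USERPROFILE\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"
if (Test-Path -LiteralPath $propsFile) {
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $propsFile) {
        if ($line -match '^\s*([^#=][^=]*)=(.*)$') { $settings[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    $webJava  = $settings['deployment.webjava.enabled']
    $secLevel = $settings['deployment.security.level']
    if ($webJava -eq 'false') { Write-Host 'Java content in the browser: disabled' }
    else { Write-Host "Java content in the browser: ENABLED (deployment.webjava.enabled=$webJava)" }
    Write-Host "Security level: $(if ($secLevel) { $secLevel } else { 'default (slider not changed)' })"
} elseif ($javaEntries) {
    Write-Host 'Java is installed but no per-user deployment.properties was found; open the Java Control Panel once.'
}
```

Run it before and after working through steps 1 and 2; a clean result is no Java entries, no leftover folders, and (if Java must stay) browser content disabled with the security level at VERY_HIGH.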

3.  Disable via Browser-Specific Settings

Disabling Java in the browser does not affect Java-dependent desktop software; those applications continue to work.

Internet Explorer -- The only way to completely disable Java in Internet Explorer (IE) is to disable Java through the Java Control Panel as noted above. Update: See Microsoft Fix it to Disable Java in Internet Explorer for instructions on disabling Java in IE.

Firefox
• Click the Firefox tab --> Add-ons --> Plugins
• Select the Java (TM) Platform plugin and click Disable (if the button displays Enable, then Java is already disabled)
• Close the tab.

Chrome
• Click the Chrome menu --> Settings --> Show advanced settings.
• In Privacy click Content Settings --> Plug-ins
• Click Disable individual plug-ins, scroll to the Java section and click Disable.
• Close and restart the browser to apply the changes.

(Alternatively, you can access the Plug-ins settings by typing about:plugins in the browser address bar.)

Opera
• Go to opera:plugins (alternatively, copy/paste it into a new tab)
• At the right of "Java Applet Plug-in", click the blue Disable text button
• Close the tab/window

Safari
• Select Safari Preferences --> Security and deselect Enable Java.
• Close the Safari Preferences window

4.  Additional Option:  JavaRa

You may wish to run JavaRa when uninstalling Java, or even after updating Java to the latest version.

JavaRa removes left-over files from previous versions of Java. It also includes a Java temporary file cleaning tool.

Additional information and the download are available from SingularLabs.
