The saga of Java being active exploited is a long one.
HistoryI have been following problems with Java since 2005 when a campaign was started by Steve Wechsler (aka, MowGreen) to convince Sun Microsystems (the owner of Java before Oracle's purchase) to change the Java auto-updater to uninstall previous (vulnerable) versions of the program. At that time, the current version was Java JRE 5.0 Update 5 and Virtumundo (Vundo) infections were rampant.
Three years later, with JRE SE 6u11, the update mechanism for Java was finally changed to remove the previous install. However, it did not remove installations prior to update 10.
The Problem With Old Java VersionsAny web application can specify any vulnerable JRE installed to run attack code on your computer. Finally, in June 2011, Oracle included the advisory that old and unsupported versions of Java are not tested for the presence of vulnerabilities and that it is likely those versions are affected by the vulnerabilities.
Significantly, there are frequent reports of critical and Java zero-day vulnerabilities being actively exploited in the wild. With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Although most vulnerabilities target Windows operating systems, many can also run the same or a modified code on Mac OS X or Linux.
- The curious case of the Exploit:Java/CVE… infection by Jasmine Sesso, MMPC Blog
- Adobe & Java Make Windows Insecure by AV-Test
Java is a stand-alone programming language. It is used to write applications outside of the browser (although they can be linked).
1. Uninstall JavaFirst and foremost, most home computer users do not need Java installed on their computer. In the past, Java was needed for websites to be properly displayed. However, that is generally not the case now and Java can be enabled for trusted sites.
To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:
Java 7 Update XXConfirm that the folders shown below have also been removed. If not, delete the folders manually.
Java Auto Updater
JavaFX 2.2.4 (or earlier)
Java 6 Update XX (any version)
C:\Program Files\JavaNote: Many people have reported missing Java uninstallers or are receiving Error 1316. To solve this problem, run the Microsoft Fix it solution, Fix problems with programs that can't be installed or uninstalled
2. Disable Java via Java Control PanelWith the update to Java JDK 7u10, Oracle included the option to disable Java in the browser. Thus, if you have a business need to use Java, play online games, use open source programs such as OpenOffice (see here) or LibreOffice (which only requires Java for a few features), it is recommended that Java be disabled until needed
Java can be disabled via the Java Control Panel or, except for Internet Explorer, via browser settings. The instructions for both are included below.
A. Launch the Java Control Panel
Click the Windows Start button and in the Start Search box type or paste the path according to whether your computer is 32-bit or 64-bit (How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system).
Windows 32-bit: c:\Program Files\Java\jre7\bin\javacpl.exe
Windows 64-bit: c:\Program Files (x86)\Java\jre7\bin\javacpl.exe
Operating System Specific:
- Windows XP -- Click > Start > Control Panel. Double-click the Java icon to open the Java Control Panel.
- Windows Vista and Windows 7 -- Click > Start > Control Panel. In the Control Panel Search type Java Control Panel. Click the Java icon to open the Java Control Panel.
- Windows 8 -- Press Windows logo key + W to open the Search charm to search settings (or drag the Mouse pointer to the bottom-right corner of the screen, then click on the Search icon. In the search box type Java Control Panel. Click the Java icon to open the Java Control Panel.
B. In the Java Control Panel, click on the Security tab.
- Uncheck Enable Java content in the browser.
- Click Apply. (Approve any User Account Control/UAC prompt to provide permission to the change.)
- Click OK in the Java Plug-in confirmation window.
- Move the slider for the Security Level to Very High*.
- Restart the browser for changes to take effect.
*Very HighWith the Very High setting, all unsigned and self-signed applets and applications are blocked and will not run. Only apps that have an associated certificate from a trusted authority will run after presenting a prompt.
3. Disable via Browser-Specific SettingsFor Java-dependent software programs, disabling Java in the browser will still allow Java to work for the desktop applications.
Internet Explorer --
- Click the Firefox tab --> Add-ons --> Plugins
- Select the Java (TM) Platform plugin and click Disable (if the button displays Enable then Java is already disabled)
- Close the tab.
- Click the Chrome menu --> Settings --> Show advanced settings.
- In Privacy click Content Settings --> Plug-ins
- Click Disable individual plug-ins, and scroll to the Java section and click Disable.
- Close and restart the browser to enable the changes.
(Alternatively, you can access the Plug-ins settings by typing about:plugins
in the browser address bar.
- Go to opera:plugins (alternatively, copy/paste in a new tab)
- At the right of the "Java Applet Plug-in", click the blue Disable text button
- Close the tab/window
- Select Safari Preferences --> Security and deselect Enable Java.
- Close the Safari Preferences window
4. Additional Option: JavaRaYou may wish to run JavaRa when uninstalling or even after updating Java to the latest version.
JavaRa will remove left-over files from previous versions of Java. It also includes a Java temporary file cleaning tool.
Additional information and download available from SingularLabs.