Tuesday, October 19, 2010

Do You Need Java?

Shortly after Oracle released their quarterly update which addressed twenty-nine security flaws in Java SE, a frustrated forum poster asked, "How can I determine if I need Java?"  Along with removal instructions, my reply included the following reasons why someone may need Oracle Sun Java installed on their computer:
  • Playing on-line games generally requires Java.
  • With OpenOffice, Java is needed for the items listed here.
  • It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.
  • There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.
There is no question that the forum poster's question was very timely. As reported by Holly Stewart in an MMPC Blog post, there has been "an unprecedented wave of Java exploitation." The report continues:
"In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.  See chart below for details:
[Chart: Java and PDF attacks through 2010 Q3]
The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.  The first two, in particular, have gone from hundreds of thousands per quarter to millions:
| CVE | Attacks | Computers | Description |
| --- | --- | --- | --- |
| CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X. |
| CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments. |
| CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353. |

Whether you keep Java or decide to uninstall it from your computer, it is necessary to look not only for the Java(TM) 6 Update (number) but also for any installation with J2SE, Java(TM) 5, or Java(TM) SE Runtime Environment 6.  It is also advisable to remove the leftover files in your downloads folder.

In the event you keep Java installed, there should only be the current version in add/remove programs (as of this posting, Java(TM) 6 Update 22, available at Java SE Runtime Environment 6u22).


Since Java updates tend to leave leftovers, JavaRa is recommended.  Freð ðe Vries provided notice that JavaRa has been silently updated to reflect the publication of Oracle's Java JRE 1.6.0.22. Leftovers up to Oracle Sun Java 1.6.0.21 are now cleaned by JavaRa.  Simply download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista and Windows 7 users right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.

Confirm that the following folders have also been removed:
C:\Program Files\Java
C:\Users\%UserName%\AppData\LocalLow\Sun
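
The checks described above can be run from a PowerShell prompt. This is an added example, not part of the original post or of JavaRa: it only reads and reports, and it assumes the standard Windows Uninstall registry keys behind Add/Remove Programs and uses `$env:USERPROFILE` in place of C:\Users\%UserName%.

```powershell
# Added example: read-only audit for the Java entries and leftover folders named in the post.
# Assumption: the current release is the one the post names, Java(TM) 6 Update 22.
$current = 'Java(TM) 6 Update 22'

# Display-name patterns taken from the post's list of installations to look for.
$patterns = 'Java(TM) 6 Update*', 'J2SE*', 'Java(TM) 5*',
            'Java(TM) SE Runtime Environment 6*'

# Add/Remove Programs entries are stored under these keys.
# The Wow6432Node key holds 32-bit programs on 64-bit Windows and may not exist.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every installed program whose display name matches one of the patterns.
$installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($patterns | Where-Object { $name -like $_ })
    } |
    Select-Object DisplayName, DisplayVersion)

# Anything that is not the current release is an older version still installed.
$stale = @($installed | Where-Object { $_.DisplayName -notlike "$current*" })

Write-Output "Java entries found: $($installed.Count)"
$installed | Format-Table -AutoSize

if ($stale.Count -gt 0) {
    Write-Output "Older versions still installed (remove these):"
    $stale | ForEach-Object { Write-Output "  $($_.DisplayName)" }
} else {
    Write-Output "No older Java versions are registered."
}

# Leftover folders from the post; only relevant after Java has been uninstalled.
$leftovers = @(
    'C:\Program Files\Java',
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun')
)
foreach ($dir in $leftovers) {
    if (Test-Path -LiteralPath $dir) {
        Write-Output "Still present: $dir"
    } else {
        Write-Output "Removed:       $dir"
    }
}
```

If Java is being kept, the only entry reported should be the current version, and the two folders will legitimately still exist.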



References: Have you checked the Java?



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

3 comments:

alarm monitoring said...

very awesome information. Thanks

Anonymous said...

I am one of two users who use mainly FF (2 profiles). The other user mainly plays the Pogo games, so Java is necessary. I myself could probably get along without Java.

I don't suppose there's much to do in a situation like that. (Getting a second computer is financially out of the question. And both of us like FF too much for one or the other to pick a different browser and confine the use of Java to that browser.)

Corrine said...

As illustrated in the below-linked Mozilla topic, it is easy enough to disable Java on Firefox.

You should see the Java Deployment Kit and Java Platform plugins. Just re-enable as needed.

How to turn off Java applets | Firefox Help