Once again there are reports of a Java zero-day vulnerability being actively exploited in the wild. All versions of Java are impacted, including the most recent release, JRE 7, Update 10.
With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Significantly, the exploit is not operating system specific and, although currently targeting Windows systems, can also run the same code on Mac OS X or Linux.
Edit Note: The recent Java update 11 did little other than adjust the settings to the Java Control Panel. Additional vulnerabilities have been found in that latest Java update. See Java, The Never-Ending Saga for additional information on removing or disabling Java.
Recommendations
1. Uninstall Java
First and foremost, most home computer users do not need Java installed on their computer. In the past, Java was needed for websites to be properly displayed. However, that is generally not the case now. I uninstalled Java several years ago and have not had a need for it.
To remove Java, navigate to Control Panel\All Control Panel Items\Programs and Features (Add/Remove Programs on Windows XP). Select for removal all instances of Java, including:
- Java 7 Update 10 (or earlier)
- Java Auto Updater
- JavaFX 2.2.4 (or earlier)
Confirm that the folders shown below have also been removed. If not, delete the folders manually.
- C:\Program Files\Java
- C:\Users\%UserName%\AppData\LocalLow\Sun
2. Disable Java
The update to Java JDK 7u10 includes the option to disable Java in the browser. Thus, if you have a business need to use Java, play online games or use OpenOffice, disable Java. All you need to do is uncheck the box "Enable Java content in the browser" in the Java Control Panel.
(Image via Sophos Naked Security Blog)
In the event Java is needed for software installed on your computer, there should be a prompt for it. In that situation, launch the Java Control Panel and re-check the option to enable Java. Then, remove the check again when finished.
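
A read-only PowerShell check for recommendation 1, added here as an example and not part of the original post: it looks for the listed Java entries in the Windows uninstall registry keys and for the folders named above. The display-name pattern and the `Program Files (x86)` path are assumptions, and only the current user's profile is checked.

```powershell
# Added example: confirm that Java is really gone after the uninstall.
# Read-only: it reports what remains and deletes nothing.

# Programs and Features reads its list from these keys
# (the second holds 32-bit programs on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Names from the post: "Java 7 Update 10", "Java Auto Updater", "JavaFX 2.2.4".
# Assumption: earlier releases use the same prefixes (e.g. "Java(TM) 6 Update ...").
$namePattern = '^(Java(\(TM\))? \d|Java Auto Updater|JavaFX)'

function Get-JavaUninstallEntry {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $namePattern } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

function Get-JavaLeftoverFolder {
    # The two folders the post says to confirm, for the current user.
    $folders = @(
        (Join-Path $env:ProgramFiles 'Java'),
        (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun')
    )
    # Assumption (not in the post): 32-bit Java on 64-bit Windows installs here.
    if (${env:ProgramFiles(x86)}) {
        $folders += Join-Path ${env:ProgramFiles(x86)} 'Java'
    }
    $folders | Where-Object { Test-Path -LiteralPath $_ }
}

$entries   = @(Get-JavaUninstallEntry)
$leftovers = @(Get-JavaLeftoverFolder)

if ($entries.Count -eq 0 -and $leftovers.Count -eq 0) {
    Write-Output 'No Java uninstall entries or leftover folders found.'
} else {
    $entries | Format-Table -AutoSize
    $leftovers | ForEach-Object { Write-Output "Folder still present: $_" }
}
```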
References
- Protect against latest Java zero-day vulnerability right now: Mal/JavaJar-B | Naked Security
- Nasty New Java Zero Day Found; Exploit Kits Already Have It | threatpost
- Kill that Java plugin now! New 0-day exploit running wild online • The Register
2 comments:
Thanks so much Corrine, although words cannot express my gratitude!
That exploit happened on my fully patched system last week – however due to your timely post, I managed to find more information about this vulnerability, cleaned the infection and finally disabled Java.
May you have a flourishing life!
You are very welcome. I am glad I was able to help.