Java Vulnerability & You

pete

If you don't know what Java is and/or why it's on your computer, please check out this link. A brief summary could be, "It's a bit of magic that can make some websites look really good."

I don't quote them often, but it seems prudent, here. Read the brief from the United States Computer Emergency Readiness Team. The bottom line is,

If you really need Java,

* Make sure you have the latest version and check for updates often. Like, daily. Remember, this can affect Macs and Linux boxes, so make sure you're up-to-date on your system software.
* Use "Click-to-Play" for Java -- i.e. enable Java to work ONLY on the websites you want. Here are instructions for Chrome and here are instructions for Firefox. Here are instructions on about everything else. If you've got a newish Mac, Apple disabled Java via System Update.
* Some folks are saying that Java 6, Update 38 might be better than Java 7, Update 11.

If you DON'T need Java, you should remove it from Add/Remove Programs (Programs and Features). If you're an advanced enough user, find all the Java folders in your profile after you've uninstalled Java and trash them.

Again, I don't take any responsibility if you screw up your computer ....
 
All this being said, I've been noticing an alarming rise in malware that's taking advantage of the Java problems. That's the #1 reason to get rid of Java: if you don't have it, the malware won't do much of anything.

Anyhow, as always, I recommend that you:

* Keep current on all system software updates.
* Keep all your other software updated.
* Use antivirus and antimalware programs. On PC, I recommend BOTH Malwarebytes AntiMalware and Microsoft Security Essentials. Both are free. Run them. Often. If you've got a Mac, get Sophos' free stuff and use that. Often. Linux? I'm partial to AVG. (Last I checked, you could get it through Synaptic.) Run it. At least weekly.
* Back up important files and make sure the backups work.
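An added example to go with the advice above (this is not the poster's own tooling): a small script that reads the `java -version` banner, compares it with the update levels the post names (Java 7 Update 11, Java 6 Update 38), and lists Java folders that are still present so you can see what an uninstall left behind. The folder list and the assumption that the banner has Oracle's `1.<major>.0_<update>` shape are the example's own assumptions, not something the post states.

```python
"""Check an installed Java against the update levels named in the post,
and list leftover Java folders after an uninstall.

Added example for this thread, not the poster's own code.  Assumptions
(not from the post): the folder list below, and that the `java -version`
banner looks like  java version "1.7.0_11"  (Java 7 Update 11).
"""
import os
import re
import subprocess

# Minimum acceptable update per major line, as stated in the post
# (Java 7 Update 11, Java 6 Update 38).
MINIMUM_UPDATE = {6: 38, 7: 11}

# First banner line of `java -version`, e.g.  java version "1.7.0_11"
# The second dotted field is the major line, the suffix after "_" the update.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None
    when no version string is present (e.g. 'command not found')."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def needs_update(version):
    """Decide whether a parsed (major, update) is below the post's floor.

    No Java at all (None) is the state the post recommends, so it never
    needs an update.  A major line the post does not name is treated as
    stale, since the advice is to move to a current release.
    """
    if version is None:
        return False
    major, update = version
    floor = MINIMUM_UPDATE.get(major)
    if floor is None:
        return True
    return update < floor


def installed_java_version():
    """Run `java -version`; the banner goes to stderr, so read both."""
    try:
        proc = subprocess.run(["java", "-version"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Assumed common locations of Java installs, browser plug-ins and the
# per-user deployment cache.  Illustrative assumptions, not from the post.
CANDIDATE_JAVA_DIRS = [
    r"%ProgramFiles%\Java",
    r"%ProgramFiles(x86)%\Java",
    r"%USERPROFILE%\AppData\LocalLow\Sun\Java",   # deployment cache
    r"%APPDATA%\Sun\Java",
    "/Library/Java/JavaVirtualMachines",
    "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin",
    "/usr/lib/jvm",
    "~/.java",
]


def leftover_java_dirs(candidates=CANDIDATE_JAVA_DIRS):
    """Return the candidate paths that actually exist on this machine."""
    found = []
    for raw in candidates:
        path = os.path.expanduser(os.path.expandvars(raw))
        if os.path.isdir(path):
            found.append(path)
    return found


if __name__ == "__main__":
    version = installed_java_version()
    if version is None:
        print("No Java runtime found on PATH.")
    else:
        state = ("needs updating" if needs_update(version)
                 else "is at or above the post's minimum")
        print("Java %d Update %d %s." % (version[0], version[1], state))
    for path in leftover_java_dirs():
        print("Java folder present:", path)
```

Run it as-is after an uninstall: an empty folder list and "No Java runtime found" is the state the post is steering you towards. Environment variables in `%...%` form only expand on Windows, so the Windows entries simply never match on a Mac or Linux box.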
 
I actually haven't heard of MacKeeper in years.

The reason I listed Sophos is mainly that it's free. MacKeeper isn't. Additionally, I've seen Microsoft recommend it, and I've worked for a company that had it -- well, the Enterprise version, at least. (The rationale behind Microsoft Security Essentials and Malwarebytes isn't only that they're free, but that the combination of those two really is probably the best Windows protection you can get.)
 
How to win friends and influence people - delete Java.

OK what about all the phones with Java?

Lots of commercial apps require it (I have a few different versions of Java on my machine as a result, because the updates can screw up code written for older releases).

And my kids' PC has piles of games using it. Maybe I need to lock that down from the rest of the network, but removing Java will result in premature termination of all my rights at home.... It'd be cheaper and easier to walk out.
 
Darn. I wrote a good reply and then hit the wrong button. I'll summarize:

I know all that, Kev. You have to ask yourself if having Java for things like games is worth it. For the apps that require some old version of Java, Oracle would tell you flat out that those versions are highly vulnerable and you should update or replace those apps. Hey, I'm going to be quizzed about this at work tomorrow -- and I do understand how difficult a choice that will be. Also, you need to note that some of the exploits are password stealers (thanks for that bank account info) and downloaders (you now have a worm that's destroying your data). In the case of the former, that means I can take all the $ out of your account. In the case of the latter, and if you don't have uninfected backups, note that Data Doctors (or equivalent) charges a minimum of $1000. I, personally, charge $9500 an hour, 1 hour minimum.
 
Sorry Pete, I understand. My wording wasn't the best. Wasn't having a go at you, I appreciate the warning.

Bit of a bummer when commercial software comes with its own Java installer, which relies on their custom Java installation, and which hasn't/can't be upgraded. The kids' PC is crash and burn as far as I'm concerned, so no worries there, except the inevitable complaints when it does get smashed and we have to go back to a backup. Maybe I should get them to do the backups; then there's no excuse if they're a bit old. But... my wife uses it occasionally to order online, when it's something the kids found and want; easier and quicker than firing up her own laptop. Won't happen any more. And I think that machine is going to be locked into its own private LAN area (subnet, I guess; need to think about it) with no access outside of that, except to the internet. But we've now got two Android phones in the house, and they're wide open... Yes, I have firewall/AV software licensed and up to date on all the machines (but not the phones), but it's not enough; it can at best be just behind the malware authors, and I often wonder how big the gap is. Funny how running a scan pulls out something it didn't recognise a few days earlier. Worries me a lot.

I started in IT in '78 and have seen a lot of the things we take for granted come in. Bit like you, I guess. I saw the early destructive viruses and worms. I saw PCs come back from being fixed, infected with viruses by the repairer. I was never happy with Windows as an OS (nice features, but too flaky). But I never thought we'd get to such a serious situation, with such pressure on security for home users. My guess is that we're moving into a control era, where all new software releases will have to be registered, verifiable and certified as to exactly what they do. It'll expose the level of tracking that Google and others do. But it'll make things a lot safer. Frankly, I'm horrified at the laxity surrounding Android apps and the risks involved there.

Ah well, rant over. I just need to remember what it was like having to go to the library every time I wanted to look something up... Or make a half day trip into town to buy something that wasn't available locally. Or trying to drive somewhere on my own, and keep pulling over to read the map and realising I missed the turn miles back.
 
kevgermany said:
Yes, I have firewall/AV software licensed and up to date on all the machines (but not the phones), but it's not enough; it can at best be just behind the malware authors, and I often wonder how big the gap is. Funny how running a scan pulls out something it didn't recognise a few days earlier. Worries me a lot.

Something that's even more worrying is that some malware -- and, in particular, some of these Java exploits -- is written specifically to circumvent antimalware programs. This highlights the comment I made about using two antimalware products on your computer.

Zbot, one of the big malware families out there that takes advantage of the Java exploits, comes in several major "flavors," too:

* Trojan Downloader: you launch the infected Java applet and you get more junk downloaded to your computer. One of the really nice variants downloads worms: that's a malware variant that eats data and can replicate to other machines on your network.
* Password Stealer (PWS): your keystrokes are being recorded.
* Scareware: "You've got viruses on your machine!!!!!111one Pay us $25 and we'll take care of it for you!"

It definitely makes me wanna throw my hands up in the air and go back to pencil and paper.

Anyhow, some tips:
* If you use Internet Explorer as your main browser, stop. Use Firefox, Chrome or something else (while I really love Opera, it has compatibility problems with websites that are written for Internet Explorer).
* Use the FlashBlock and AdBlock extensions for Firefox, Chrome, etc.
* Uninstall Java.
* Keep Flash up-to-date.
* Keep your operating system up-to-date.

As far as FlashBlock and AdBlock are concerned, I've seen more than one person get his computer infected through an ad placed on a website. These two browser plugins eliminate most ads and have the added benefit of letting you pick what Flash you want to run.

You can go sooper-dooper security by using an Internet browser inside a sandbox or a virtual machine, but that can be difficult to set up.

FWIW, there's a beta of Java 1.7.11 that came out yesterday (I think). This will plug more holes when it's available for public consumption as 1.7.12, but there are still going to be problems ....

FWIW 2, in my real-world testing Microsoft Security Essentials has been pretty darn good at detecting Zbot. Perfect? No.
 
I'm not really missing having Java on my computer. Is there any compelling reason to install it now-a-daze?

I think this is what Pete was saying. IMHO no, unless you need it for specific app(s).

In the kids' case it's a Minecraft subscription.
 
Yah. I removed Java from both my work computer and home computer and I'm not feeling any ill effects. My work laptop does require it, though.
 