Another zero-day exploit has been discovered in Oracle's Java VM; something that has many security experts suggesting that you disable or uninstall Java. I'll explain why and how.
Another vulnerability has been discovered in Java; if Java is installed on your machine, malware authors can exploit it to infect your computer with something as simple as your visiting a malicious or hacked website.
As I write this, there is no update to Java, which means that there is no fix. Technically that makes this a “zero-day exploit”.
The fix that most experts, including myself, are recommending is to remove Java from your machine. Chances are you don’t actually need it anyway.
From the Ask Leo! Glossary: Java
- Is a separate download. Typically, the first time that you run into a need for Java, it is downloaded and installed at that time.
- Is a programming language used to write larger, full-featured applications.
- Uses a “common runtime” which is installed on your computer to provide features and functionality to the programs written in Java.
- May be installed either by installing a program that happens to use Java or by visiting a web page that itself contains a program written in Java.
- Is used by a more limited selection of applications and websites.
You probably don’t need Java
Java is used only by certain applications and websites, and the majority of websites don’t use it.
However, you may have Java installed if you visited such a website, or installed such an application, even once. The installation was required to make that site or application work, but it’s not practical to somehow automatically uninstall it after your visit or after uninstalling the application because there’s simply no way to know if it’s also needed by some other application that remains or site that you visit.
It gets complex very quickly. As a result, once installed, Java remains installed until you explicitly uninstall it.
And that’s exactly what I recommend you do.
In Control Panel, go to Add/Remove Programs (Windows XP) or Programs and Features (Windows 7).
Look for lines titled “Java”, “Java VM”, “Java Update” and the like, all with the Java logo as an icon.
Right-click on each, and select Uninstall.
Once you’re done, you’ve uninstalled Java.
Didn’t find any Java items in the Programs list? Then you’re done before you even started; you didn’t have Java on your machine to begin with.
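The same check as the Control Panel steps above, scripted. This is an added example, not from the article; it assumes Windows 7 with PowerShell run from an elevated prompt, and it reads the same registry "Uninstall" keys that Programs and Features displays. Without `-Remove` it only lists what it finds.

```powershell
# Added example (not from the Ask Leo! article): list, and optionally remove, every
# Java entry that Programs and Features would show. Run from an elevated prompt.
param([switch]$Remove)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit Java on 64-bit Windows
)

# Match the names the article mentions ("Java", "Java VM", "Java Update", "J2RE") and
# Oracle's "Java(TM) 7 Update 10"-style names. The \b keeps "JavaScript ..." tools out.
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java\b|J2RE|J2SE)' }

if (-not $javaEntries) {
    Write-Output 'No Java entries found in Programs and Features; nothing to remove.'
    return
}

$javaEntries |
    Select-Object DisplayName, DisplayVersion, Publisher, PSChildName |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $javaEntries) {
        # Assumption: Oracle's JRE installers register as MSI products, so the key name
        # (PSChildName) is the {GUID} product code and msiexec /x removes it silently.
        # Anything else is reported so you can uninstall it by hand.
        if ($entry.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            Write-Output "Uninstalling $($entry.DisplayName) $($entry.DisplayVersion)"
            $proc = Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($entry.PSChildName) /qn /norestart" -Wait -PassThru
            Write-Output "  msiexec exit code: $($proc.ExitCode)"   # 0 = removed, 3010 = reboot needed
        } else {
            Write-Output "Not an MSI entry; uninstall manually: $($entry.UninstallString)"
        }
    }
}
```

Run it again afterwards: an empty result is the scripted equivalent of "no Java items in the Programs list".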
Disabling Java in your browser without removing it can be a complex task. I strongly recommend that you follow the process above to uninstall it from your computer completely.
However, as we’ll see in a moment, that might not be practical.
Rather than reinvent the wheel, here are instructions from Sophos’ Naked Security site on disabling Java in Internet Explorer. At the end of their instructions are links to similar instructions for Firefox, Chrome, Safari, and Opera.
What if it turns out I need Java?
After successfully uninstalling Java using the instructions above, you may encounter an error message when you visit a website that requires or uses Java:
Depending on the browser, you may instead or also see a notification telling you that “Java(TM) is required to display some elements on this page.”
If you run a program on your PC that uses Java, you’ll see a similar error message (exact wording will depend on the program) indicating that Java is required, but not present.
You have a decision to make.
In my order of preference:
- Live without that website or program. Perhaps find an alternative that does not use Java.
- Reinstall Java on a separate “sacrificial machine” or virtual machine and use that to access these sites or run these programs, leaving it off the rest of the time.
- Reinstall Java, but disable it in all browsers except for one, which you use only to access the sites that require it. Use a different browser with Java disabled for your day-to-day web surfing.
- Reinstall Java and be super-extra-careful.
In any of the circumstances that involve re-installing Java, make certain to always keep Java up to date. Letting it update itself is the preferred approach, if offered.
Why is this such a mess?
The current situation isn’t an indictment of Java as a programming language - it actually is a pretty cool language, and ironically was itself designed with security in mind. One of its original selling points (‘write once, run anywhere’), while technically not 100% accurate, is a very popular reason for many to have adopted Java as a technology.
No, the devil here is certainly in the details.
All software has bugs, make no mistake. Even your favorite never-had-an-issue program that you use every day, whatever it is and whatever computer it’s running on, has bugs.
And so does the implementation of Java. It’s not the programs written in Java that are at issue (although they certainly have bugs of their own). The issue here is in that common runtime – often referred to as the “Java VM” or “Java Virtual Machine” – I mentioned earlier. It’s just software too, and like all software, it has bugs.
It might even have more than average, although I’m not going to say that for certain.
And it’s installed on a lot of machines.
As Java has become more popular over time, it’s become worth the time of hackers to see if there are bugs that haven’t been fixed that they can exploit. Its popularity with hackers may not be based on millions of people actively using it, but rather on millions of computers that happen to have Java installed because a website requiring it was visited once upon a time.
In response to some of the comments:
- Yes, a fix was released for the most recent problem. I still encourage people to uninstall Java, simply because most don’t need it, and this is not the first time we’ve been in this position, and it simply seems likely to happen again. If you do need to keep Java, then as I said above keep it (and all your software) up to date.
- J2RE is a part of Java and can be removed.
(Update added January 12, 2013.)
Update to the Update
Several people have noted that:
- A fix was released.
- Java version 6 didn’t have the problem.
I have to stress that this is about much more than just a single vulnerability.
As it turns out, within days of the bug fix release hackers announced that they had found at least two more vulnerabilities in Java 7.
In my opinion the track record for Java vulnerabilities is poor enough that I continue to strongly recommend that you uninstall all versions unless you’re certain that you need it. (And uninstalling it to find out if you need it is also, in my opinion, a valid approach.)
(Update added January 22, 2013.)
- How to be as safe as possible with Java, Michael Horowitz, Computerworld
- Javatester.org, includes a partial list of applications and sites that use or require Java.
- How do I disable Java in my web browser?, instructions from Oracle.