Sunday, January 13, 2013

Java Security Woes

Rapid 7 published an exploit for Java versions prior to 7.7 which gives an attacker full control of the affected computer.  All that needs to happen is to lure a user to a web site that has a particular set of code running on it.  Now that this exploit is in the wild (available in public to hackers and wannabe's alike) you need to take action.

Lately Oracle has had a bad run of security issues with Java.  For years vulnerability testers have focused their efforts on Windows or other high visibility targets, but now that Java runs on more machines world wide than any other technology, hackers are taking notice.

Recently the US government, apparently a new source of computer security wisdom, (yes I am fully aware of the irony) is recommending turning Java off.  Curiously though, given all the machinations Java had to go through to get around Microsoft's proprietary protections, uninstalling it is rather more difficult than it would seem.  Java runs outside of the normal task-managed applications.  You can't just pop up task manager and kill java apps.  You can't just turn it off with one browser setting either.  There are many ways to invoke java by HTML and half a dozen ways you need to stop it using registry tweaks and IE settings.

So now what can be done?  If it's so hard to turn off that you can't be certain you've shut them all down you may want to simply uninstall the entire JRE (Java Runtime Environment).  That gets kind of inconvenient if you're a Java developer.  If you're not it's probably the best alternative to ensure that you're actually safe for the time being.  YouTube is a good resource for understanding the removal process and does a better job than 100 static screen shots.  How to uninstall Java from Windows  Uninstall Java from Mac

If that solution doesn't sound good you or your child runs Minecraft and is complaining the next day you have the option of upgrading to JRE to 7.11 and praying really hard. If you like that option here is the link to install JRE 7.11. (yes 11 major security patches in a year - YIKES!) So upgrade and take your chances is always an option.

For now I've uninstalled JRE on my PC and will probably break down and install the update on my sons' computer for Minecraft.   

I hope this helps!  I wish there was an easier way.  Personally I think that disabling Java is the least recommended course of action because it leaves you open to feeling secure even though there is likely some way to still invoke Java by the browser that remains in place.  Additionally, leaving the vulnerable version on your computer even if it's turned off is a risk because at some point in time it will likely get turned back on and it will be in an ideal state for cyber criminals to take advantage of.

If you choose "the road less traveled by" and it makes "all the difference" please let me know.


BTW you'll want to patch up to 7.12 now. Good luck!