Taking the Java Bull by the Horns
It's been several weeks since DHS raised the alarm about zero-day exploits in Java and cautioned users to disable it in their browsers. One would think that the situation would be under control by now, but even though Oracle has made some efforts to patch the flaws, DHS hasn't lifted its warning. For users who don't want to live on the edge of a Java vulnerability, here are some options.
Jan 31, 2013 5:00 AM PT
Oracle's Java is a programming language and runtime; a browser plug-in lets websites run Java applets inside the browser. Vendors use it to make applications work across operating systems: a vendor can develop one piece of code and distribute it knowing that it will run on most platforms.
What's the Problem?
Attackers have been able to exploit vulnerabilities in versions of Java. Those exploits have allowed them to carry out criminal activity from the exploited machine.
If a user with a vulnerable Java install visits a malicious website, the site can run an applet that delivers malware to that computer. The malware can include ransomware that locks the computer so it cannot be used.
What Are the Solutions?
You can apply the patches Oracle supplies, or you can disable Java entirely. Patching fixes the known vulnerabilities but does nothing for vulnerabilities that have not yet been discovered. Disabling Java removes both current and future browser-based threats, but it can severely curtail Web activities that require Java.
Updating Java is accomplished best through Windows' default Internet Explorer. Once you've updated that, you can move on to other browsers.
Secure Internet Explorer
As of Jan. 22, 2013, the current version of Java is Version 7, Update 11. It includes fixes for the issues raised by DHS as well as other issues, and it sets the Java security level to "High" by default.
Step 1: Visit http://www.java.com/en/download/installed.jsp to determine if Java is installed, and if so, which version. The resulting Web page will display the version.
Step 2: Remove all old versions of Java by accessing the Windows Control Panel and using the Uninstall button within Programs and Features. Allow the uninstall to complete by following the prompts, including prompts to close browser windows as requested.
Step 3: Download the latest Java software at http://www.java.com/en/download/ by clicking on the "Free Java Software" button. Follow the prompts and restart the computer.
Step 4: Open and then restart Internet Explorer. Paste the verification link from Step 1 into the address bar and click the "Verify Java Version" button. Click "Allow" when prompted to allow the Oracle America, Inc. add-on.
Step 5: The page should report Version 7, Update 11 or higher. At that point you have the latest version, with its security enhancements.
Update Firefox Settings
The latest version of Mozilla's Firefox browser has purposefully stopped the Java plug-in from running automatically. Java will run when you acknowledge that you trust the website. Here's how to use this method of protection.
Step 1: Update Firefox's update settings. Click the Tools menu within Firefox and select Options. Click the Update tab and verify that one of the two uppermost radio buttons is checked: "Automatically install updates" or "Check for updates, but let me choose whether to install them."
Step 2: Update Firefox. Click on the Help menu item from within Firefox and select About Firefox. Then click on the Check for Updates button. If updates are available, the browser will be updated along with the new Java blocking features.
Step 3: Browse the Java-coded Web page with Firefox as you would normally do, and when you see a "Click here to activate" message, click on it to load the Java applet if you trust the page you are visiting.
Tip: Click the red plug-in icon that looks like a Lego block in the address bar if you want to authorize Java automatically for the trusted website you are visiting.
Switching Off Java Altogether
You may decide that it's prudent to switch off Java altogether. New Java vulnerabilities are likely to be discovered, according to DHS's Computer Emergency Readiness Team.
Step 1: Type "Java" in the Windows Control Panel, and click on the Java icon that will appear.
Step 2: Uncheck "Enable Java Content in the browser" from the Security tab, and then choose Apply and OK. Agree to any Windows-originating run prompts.
Java content will then be disabled in every browser on the machine.
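A script to confirm the two outcomes the article asks for, the patched version from the Internet Explorer section and the browser toggle from this section, across a machine without clicking through the dialogs. This is an added example, not code from the article; it assumes `java` is on the PATH and that the per-user setting behind "Enable Java content in the browser" is saved as `deployment.webjava.enabled` in `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties`.

```powershell
# Baseline from the article: Java 7 Update 11 (version string "1.7.0_11").
$BaselineMajor  = 7
$BaselineUpdate = 11

function Get-JavaVersion {
    # 'java -version' prints to stderr, so merge it into the pipeline.
    if (-not (Get-Command java -ErrorAction SilentlyContinue)) { return $null }
    $out = (& java -version 2>&1) | Out-String
    # Java 7 strings look like: java version "1.7.0_11"
    if ($out -match 'version "(\d+)\.(\d+)\.(\d+)_(\d+)"') {
        return [pscustomobject]@{
            Major  = [int]$matches[2]
            Update = [int]$matches[4]
            Raw    = $matches[0]
        }
    }
    return $null
}

function Test-JavaBrowserContentDisabled {
    # Assumed location of the per-user deployment settings (see lead-in).
    $path = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    # If the file or key is absent the setting was never changed, so Java content is still enabled.
    if (-not (Test-Path $path)) { return $false }
    $hit = Select-String -Path $path -Pattern '^\s*deployment\.webjava\.enabled\s*=\s*(\S+)' |
           Select-Object -First 1
    if ($null -eq $hit) { return $false }
    return ($hit.Matches[0].Groups[1].Value -eq 'false')
}

$ver = Get-JavaVersion
if ($null -eq $ver) {
    Write-Output 'Java runtime not found on PATH (nothing to patch or disable).'
} else {
    $current = ($ver.Major -gt $BaselineMajor) -or
               ($ver.Major -eq $BaselineMajor -and $ver.Update -ge $BaselineUpdate)
    $state = if ($current) { 'at or above 7u11' } else { 'OLDER than 7u11 - update or uninstall' }
    Write-Output "Installed: $($ver.Raw) ($state)"
}

if (Test-JavaBrowserContentDisabled) {
    Write-Output 'Browser Java content: disabled (Control Panel toggle is off).'
} else {
    Write-Output 'Browser Java content: ENABLED - applets can still run in browsers.'
}
```

Run it as the user whose browsers you care about, since the deployment settings are stored per user.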