Dept. of Homeland Security Tells Computer Users to Disable Widely Used Java
Update: Oracle has released a patch to address the security problems with Java. But the Department of Homeland Security Cybercommunication and Security Office (CERT) is still recommending that users disable the program altogether.
The program has serious flaws that hackers are using to invade computers around the world, says Adam Wosotowsky, an expert at McAfee antivirus.
“It could end up with a lot of people with permanent infections,” he said.
Wosotowsky said a hacker can use the flaw to install a “bot” to remotely control your computer, reading all your files, downloading your data and sending out emails in your name. “The bot master basically has full control over your machine.”
Hackers are sharing information with each other on how to make use of the flaw with “exploit kits.”
The Department of Homeland Security’s Cybercommunication and Security Office says the problem affects Java 7 Update 10 and earlier versions of the program, and it isn’t aware of any solution other than disabling the program.
From the department’s Computer Emergency Readiness Team (CERT):
This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable Java in web browsers
So what happens if you disable Java? The program helps browsers communicate with websites, so you may find that features on some sites don’t work without it. Most people can live without it, but some businesses might find themselves hamstrung. Wosotowsky recommends that businesses experiment with one browser before disabling the function on all its computers.
For an individual, he says, his recommendation varies depending on your technical expertise.
People who don’t use their computers very much might be OK if they have antivirus software with the most recent updates installed, especially if they don’t have sensitive data stored on their computers. For these people, having to uninstall Java, deal with new difficulties browsing, and then reinstall Java when it is fixed may prove challenging.
Oracle, based in Redwood City, has not yet offered a patch for this bug, or commented on the problem. But its Java website does give instructions for disabling the program.
So how big a problem is this for Oracle?
Wosotowsky says that all programs have bugs. “It all comes down to how well Oracle responds to the issue.” If the company puts out a good patch to fix the problem, and deals with customers openly and honestly they will probably forgive and forget.”
Update: From the Mozilla Security Blog:
Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.Status
There is no patch currently available for this issue from Oracle. To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
And from The Next Web:
Apple on Thursday quietly disabled Java 7 on Macs that already have the plug-in installed. The news comes soon after we learned Mozilla added all recent versions of Java on Friday to its Firefox add-on blocklist, meaning the former beat the latter to the punch.
MacRumors is also reporting that Apple has blocked Java.