NPR Just Announced: Java Software Presents High Security Risk

Listening to National Public Radio this evening I learned that a computer program which is very common on the internet, and which has served consumers excellently for a long time, has security problems that will not be easily remedied. I’m speaking of Java. Continuing to use Java may result in your being hacked and having someone gain access to personal information which could lead to identity theft. See: http://www.firstpost.com/tech/disable-java-plugin-security-flaw-puts-your-computer-at-risk-584523.html

I’m writing to recommend that you uninstall Open Office from your computer, because that marvelous free office suite runs on Java.

I have not only uninstalled Open Office from my computer, but have removed Java also. I may need to reinstall it if I get to a website that requires it. (Some government sites do, for instance.) But I think I’ll just wait to see whether I need it, and if I do, I can reinstall it. In the meantime, I’ll be safer not having it on my computer.

To uninstall Java on a Windows computer, go to the Start menu and select Control Panel. Then select Programs–uninstall a program. Look for Java in the list of programs and highlight it. Then click on the uninstall link at the top of that page. Then restart your computer.
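
To confirm what the Control Panel list shows, or to check that the uninstall actually removed everything, the same information can be read from the registry. This PowerShell script is an added example, not part of the original post; the function name `Get-InstalledJava` is hypothetical, and the `^Java` name match is an assumption that may also catch unrelated products whose names start with "Java".

```powershell
# Added example: list Java entries recorded under the registry uninstall keys.
# Both the native view and the 32-bit view (WOW6432Node) are checked, because
# a 32-bit Java on 64-bit Windows is only listed under the second key.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Assumption: Java products register a DisplayName that starts with "Java".
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                View      = if ($_.PSPath -match 'WOW6432Node') { '32-bit' } else { 'native' }
                Uninstall = $_.UninstallString
            }
        }
}

$found = @(Get-InstalledJava)
if ($found.Count -eq 0) {
    'No Java entries found in the uninstall registry keys.'
} else {
    $found | Format-Table -AutoSize -Wrap
}

# A java.exe on PATH means a runtime is still reachable from the command line,
# even if no uninstall entry is listed (for example, a copied-in runtime).
$onPath = Get-Command java.exe -ErrorAction SilentlyContinue
if ($onPath) { "java.exe still on PATH: $($onPath.Path)" }
```

Run it once before uninstalling and again after the restart; the second run should report no entries.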

In addition to this important security step, don’t forget to make sure your computer has the necessary system software updates. Security updates come out fairly frequently. To see whether you need updates, go to your Start menu, then click on Windows Update. That will start a script that will tell you which updates you should install, if any. It’s best to install the recommended ones.

Mac owners can Google how to update your Mac system software and how to uninstall Java. I don’t own a Mac, so you’re on your own in these matters.


4 Comments

  • Barry Zalph says:

    Thanks for this reminder. It led me to wonder whether JavaScript (JS) also harbors or is affected by these security problems. It seems from a cursory glance at the Wikipedia article on JavaScript (JS) that it is completely separate and distinct from Java and need not be disabled for security reasons. Do you share this understanding, or should we be concerned about JS too?

  • Jim Bierbaum says:

    Thanks for the alert, Tom. I’d like to second Tom’s warning that this is indeed a serious threat, and it is better to be safe than sorry. You should act, and act now. Since the cat is out of the bag about this vulnerability in Java, all the bad guys in the world know about the vulnerability and will quickly try to exploit it now before people protect themselves or Oracle issues a patch, so you shouldn’t delay. After hearing the same story Tom did, and reading his warning, I dove into some research to educate myself, and after looking on about two dozen web sites, I found the following, which I believe all to be accurate.

    But since Java is used in many commercial software packages (such as Adobe Creative Suite) it’s possible some of your software won’t work properly or some features won’t be available if Java is disabled or uninstalled. You may want to think hard and do some research on your own before deciding you can do without Java completely. There is conflicting information as to exactly which programs will put you at risk, and it is Web browsers that are by far the biggest vulnerability, so you can disable Java in each of your browsers (instructions below) and most likely be pretty safe from the currently known hacks, but if you want to be 100% certain you are safe, you can uninstall it. A few things I would like to add:

    Java is completely unrelated to Javascript. Only their names are similar. Javascript is a completely different language written by completely different people for completely different uses, so there is no need whatsoever to disable or uninstall Javascript. It is Java that is a worry.

    Apple Macintosh users are not immune; Java is cross-platform and runs independently of OS X. As a matter of fact, within the past year the Flashback trojan was directed at a vulnerability in Java on Macs, and as a result it was revealed that 600,000 Macintosh computers had become infected and were now part of a hacker botnet. That vulnerability was patched, but it makes an important point: just because you have a Mac, you are not safe from viruses, malware, trojans and hackers.

    More information on the threat and specific instructions on how to disable Java in each of the most common Web browsers can be found at: http://www.f-secure.com/en/web/labs_global/disabling-java-plugins (F-Secure makes virus protection software) or http://nakedsecurity.sophos.com/2013/01/10/protect-yourself-against-latest-java-zero-day-vulnerability-now-maljavajar-b/ (Sophos makes free virus protection software).

    If you decide to disable rather than uninstall Java, you must do it in each browser installed on your computer. For instance, Windows Explorer probably came with your Windows system, but you may also have Firefox. Even if you don’t use one very often or at all, still best to disable it in each browser until it becomes clear how to be safe.

    The site http://javatester.org/version.html is designed to test which version of Java is installed in the Web browser you are currently running, but it also will confirm that you have successfully disabled Java in your browser. Since there is some conflicting information as to which older versions might or might not be vulnerable, until that is clear it is probably best to disable or uninstall Java, and javatester is a double check that you did successfully disable or uninstall Java.

    FOR MAC USERS

    Although the Macintosh operating system is generally not vulnerable to most known threats, this is NOT true of the Java vulnerability, since Java is a cross-platform environment that runs independently of the computer’s operating system. Therefore, Mac users need to educate themselves and take action as well.

    Here’s some more information for Mac users: http://www.intego.com/mac-security-blog/java-vulnerability-affects-some-mac-users/

    You can disable Java on your Mac OS X machine by going to Applications/Utilities/Java Preferences, and on the general preferences tab uncheck any versions of Java listed there. Here is more information and instructions: http://reviews.cnet.com/8301-13727_7-57408841-263/how-to-check-for-and-disable-java-in-os-x/

    For Mac users, there is some conflicting information flying around about whether Java version 6 is vulnerable or it is only version 7, so until that becomes clear it is best to disable it in all of your browsers, in addition to disabling it in Java Preferences, just in case for one reason or another Java is turned back on before you know you are secure.

    Good luck,
    JB

  • Jim Bierbaum says:

    Monday, January 14, 2012 update: Tom, I asked Mike, the former Pacem Webmaster and a longtime IT pro, to comment on the info you and I had sent via e-mail, and he had this to say:

    This one was somewhat serious because it was a zero-day vulnerability and attacks were already included in some popular hacker kits. But by the weekend Apple had remotely disabled Java 7 in OS X and the major browser vendors (except maybe Microsoft) had issued a security update that disables the Java 7 plugin. And yesterday Oracle issued a patch for Java 7 that lowers the default security level for unsigned applets as a temporary fix. So at this point the best advice for users is to keep their software up to date.

    Oracle reportedly will be issuing a more permanent patch soon. It appears keeping your software up to date should keep you out of trouble, but until Java is properly patched, disabling it in your browser(s) and using it only on sites you can trust and only when necessary is prudent.

  • Tom Davis says:

    A friend suggested I post the following information as a comment to my post about the security problems with Java:

    This security problem with Java was somewhat serious because it was a zero-day vulnerability and attacks were already included in some popular hacker kits. But by the weekend Apple had remotely disabled Java 7 in OS X and the major browser vendors (except maybe Microsoft) had issued a security update that disables the Java 7 plugin. And yesterday Oracle issued a patch for Java 7 that lowers the default security level for unsigned applets as a temporary fix. So at this point the best advice for users is to keep their software up to date.
