On Jan 10th, The US Computer Emergency Readiness Team, has announced that there is a vulnerability in certain Java systems, specifically affecting JSE 7, JDK 7, and JRE 7. And they have recommended that you disable Java on your web browsers. Based on this, there have been quite a lot of information exchange on the Web, none (unfortunately) pointing to the actual US-CERT website (linked above), but everyone giving tips on how to disable Java.
In order to disable Java on browser, follow these official guidelines from Java website.
This issue was taken up by a number of news agencies and blogs and they immediately jumped into the opportunity to publish a post on how to disable Java, helping the readers. While it is a good thing, it is quite bad not linking to the original release about the issue, which gives much more information about the issue than these news reports.
How It Will Impact You?
The attacker targeting this vulnerability in Java will need to push a malicious Java application (known as an applet) into your system and will try to gain control over it without authorization. However, this cannot be instigated without authorization from your part. In essence, the attacker can gain control only if you specifically allow the Java applet to run.
Within your browser (if you are browsing the malicious code), the message will appear asking whether you want to run the Java applet or not. If you simply click ‘no’, it will not affect your system.
The update on this issue is not yet positive. Oracle is still working on a fix, and until one is found you can either disable Java from your browsers or be cautious about the applets you run.
Oracle released an update for Java to fix the security vulnerability, although the experts do not believe the vulnerability has been fixed yet.
However, it is at your best interest to update Java at this point. Here is how.
Within Control Panel, go to Java Control Panel.
Even if the automatic update option is checked, Java will not update if it is disabled. Hence, update it manually. Check this figure out.
Within Apple Mac, you need to check for software updates, and if the Java update becomes available, it will be displayed in the updates section. Check this out:
Facebook has been hacked into, utilizing the same Zero-day Java exploit. It is much better to disable Java altogether when you are using all kinds of social networks [follow the steps outlined in the Oracle link above]. On various browsers, you have the option of running a plugin automatically if the website is trusted. Look below:
I would recommend you turn on ‘ask’ option by default. Also, in Chrome, in settings, it is better to enable the ‘click to play’ option under Settings->Content Settings->Plug-ins.
This will not only disable automatically playing any Java applet, but also make the website loading much faster as all of the plugins will be disabled until you click on it to play. Which means, you won’t be annoyed by those websites containing auto-play movies that begin to play as soon as you visit the page.
If you haven’t yet updated Java, this seems to be the perfect time to do so. Oracle has released a critical update, Java 7 update 25 that will replace your Java 6 installation. The update will be automatically provided to your Java installation.
This critical update is capable of fixing almost 37 of the security loopholes that Java currently has. For instructions on enabling the Java Console for the update, visit Oracle here. 7u25 update also has a certificate revocation check feature that ensures that the digital certificates associated with a signed applet has the valid unrevoked certificate.