Mon January 14, 2013
Java Security Flaw Is Repaired; Experts Still Recommend Disabling It
Originally published on Tue January 15, 2013 5:46 am
Days after the Department of Homeland Security said computer users should remove the latest versions of its Java software, Oracle Corp. says it has fixed the flaw, in a new update released Monday. As we reported Friday, hacking groups included the Java 7 vulnerability in new "exploit kits" this year.
Oracle provides instructions for updating to Java 7, update 11 on its website, saying the update raises the default security level for Java applets from Medium to High — which means that "the user is always warned before any unsigned application is run to prevent silent exploitation," the company says in its release notes.
But the experts who highlighted the Java 7 flaw say that even though it's fixed, users should beware, as other security problems could arise in the software.
"Unless it is absolutely necessary to run Java in web browsers, disable it... even after updating," recommends Carnegie Mellon University's CERT computer security site.
News of the Java 7 flaw, which can allow hackers to take over a computer, worried many of the millions of people whose computers use the software. It also set off confusion, and calls for Oracle to "rewrite Java from scratch," as PC World reports.
Even as the U.S. Computer Emergency Readiness Team recommended updating Java 7 to combat the flaw, the agency also said Monday that "new Java vulnerabilities are likely to be discovered" — and people should still consider disabling Java in their browsers. Some experts say you should simply remove it entirely — or perhaps keep Java on only one browser, for use on specific sites.
Here's a quick reference of options, from disabling to uninstalling, and other factors:
Disable Java In Browsers
- Oracle has full instructions for those with Java 7 on PCs, Macs, or Linux.
- Disable Java in Firefox - instructions from Mozilla recommend clicking on the Firefox button (or "Tools" in Windows XP) and selecting "Add-ons." Click on "Plugins" and then Java (TM). Select "disable" (or un-click "enable").
- Disable Java in Chrome - Type or paste chrome://plugins/ into your browser's window. Scroll to Java (TM), and click "Disable." Be sure to disable all versions.
- Disable Java in Safari - instructions at Apple. Select Preferences, and then the Security tab. Un-click the checkbox labeled "Enable Java."
- Disable Java in Internet Explorer - instructions at Microsoft's site. Java 7.10 and 7.11 (the newest versions) allow users the easiest path to turning Java off. But fully disabling Java on Explorer can be complicated, leading many experts to recommend removing the program entirely.
Uninstall Java Completely
Many people say they can disable or delete Java completely, and not miss it. One of them is security expert Brian Krebs, who Monday praised Oracle for acting quickly — but still recommended uninstalling Java.
Oracle has instructions for doing that on computers that run Windows XP, Vista, or Windows 7. On a separate page, it addresses uninstalling Java on a Mac — specifically, taking Java 7 off of a machine running OS X.
if you're unsure of whether your computer is running Java, Oracle has a page specifically meant to "test whether Java is working." Another website, Javatester.org, can help you figure out which versions of Java you have.
What About Older Versions Of Java?
Oracle says you should uninstall older versions of Java, as keeping old versions "presents a serious security risk." Because of the way updates were once handled, you might have several out-of-date versions of Java on your machine.
Oracle has a webpage with instructions on uninstalling old versions.
That might present a problem to some folks, especially if they sometimes use business software that requires an older version. This situation most often leads people to keep one browser specifically for Java.