Java 7 Update 13 and Java 6 Update 39 released to patch critical flaws
February 3, 2013
Last night, on Feb 2, 2013, Oracle Corporation released two new versions of its Java virtual machine: Java 7 Update 13 and Java 6 Update 39. These new versions contain fixes for an unbelievable 50 exploitable vulnerabilities in the previous versions (Java 6 and 7). These updates were not supposed to be released until February 19, but new Java exploits are already in the wild. So, Oracle did the right thing and released them ahead of schedule.
Some of the patched vulnerabilities have already been reported publicly and were rolled into online exploit attack kits (e.g. Blackhole Exploit Kit 2.0 and Cool Exploit Kit). Others were reported to Oracle, or discovered by them and kept quiet. Most of the exploitable vulnerabilities exist in Java 6, not Java 7. Oracle is already applying tactics aimed at getting users of Java to stop using version 6 and migrate to the new version 7 platform. Apparently, patching version 6 is no longer feasible and this update (build 39) is the last one planned for Java 6.
Secure your Java software!
If you are an end user, not an employee using a company workstation, and you have and want Java installed on your computers, go to www.java.com and download and install the latest build of Java 7. Then reboot. When the computer boots up and you are logged in, for Windows users, go to Control Panel (Start > Settings > Control Panel) > Programs and Features (or Add/Remove Programs in XP). Open the list of installed programs and find Java alphabetically. If you see any previous versions still installed (prior to Java 6 b39 or Java 7 b13), uninstall them, then reboot.
The reason for uninstalling older versions of Java is that cybercriminals and hackers have been targeting specific versions of Java, installed into default folder locations, for many years. So even if your computer is attacked by an exploit kit while the latest version of Java is the active one, the kit's JavaScript code may still search for a previous version lurking in your Program Files. If that secondary (older) Java target is still installed, your PC could be exploited through it.
Locating and getting rid of unwanted Java software
Two paragraphs ago I started off by talking about people who both know they have and want Java on their computers. These folks should update yesterday. But, many of you may not know if Java is installed, or if it is, what version or versions you have. As I wrote in the last paragraph, having an older version still installed leaves you at risk if you come across an exploit that has an older version fallback attack. Since you may not even need Java at all, you should consider uninstalling all versions you find and be done with the problem.
Windows users can go to Control Panel > Programs and Features (or Add/Remove Programs) and uninstall every version of Java you see in the list of installed programs. Then reboot the computer to finish flushing out any Java components that may have been running while you were using Windows. This protects your PC against old exploits and those that are sure to come along any day.
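For Windows users who would rather check the installed-programs list from a console than click through Control Panel, here is an added PowerShell script (not part of the original article) that reads the uninstall entries from the registry and flags any Java runtime older than the patched builds named above (Java 6 Update 39, Java 7 Update 13). It assumes Oracle's uninstall entries carry display names of the form "Java 7 Update 13" or "Java(TM) 6 Update 39"; the two registry paths are the standard 32-bit and 64-bit uninstall keys.

```powershell
# Added example, not from the original article: list installed Java runtimes from the
# Windows uninstall registry keys and flag any build older than the patched releases.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Minimum patched update level per major version, as named in the article.
$PatchedUpdate = @{ 6 = 39; 7 = 13 }

function Get-InstalledJava {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Assumption: Oracle titles its entries "Java 7 Update 13" or "Java(TM) 6 Update 39"
            # (optionally followed by "(64-bit)").
            if ($p.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    Major           = [int]$Matches[2]
                    Update          = [int]$Matches[3]
                    InstallLocation = $p.InstallLocation
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

function Test-JavaOutdated {
    param([int]$Major, [int]$Update)
    # Known major version: compare the update number against the patched level.
    if ($PatchedUpdate.ContainsKey($Major)) { return ($Update -lt $PatchedUpdate[$Major]) }
    # Anything older than Java 6 is out of support entirely; newer majors are not judged here.
    return ($Major -lt 6)
}

$installs = @(Get-InstalledJava)
if ($installs.Count -eq 0) {
    Write-Host 'No Java runtime found in the uninstall registry keys.'
    exit
}

foreach ($j in $installs) {
    $status = if (Test-JavaOutdated $j.Major $j.Update) { 'OUTDATED - uninstall' } else { 'current' }
    '{0,-30} {1,-22} {2}' -f $j.DisplayName, $status, $j.InstallLocation
}
```

Run it from an elevated PowerShell prompt so both registry hives are readable. Every line marked OUTDATED is a leftover runtime that the article's "search out a previous version" scenario could reach; its UninstallString (printed if you pipe Get-InstalledJava to Format-List) is the same command Programs and Features runs when you click Uninstall.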
Mac users should read these instructions for uninstalling Java. You basically locate the "JavaAppletPlugin.plugin" and move it to Trash.
Oops; a desktop app needs Java!
However, some computer users have desktop applications (which we used to refer to as "software") that run on Java, in whole or in part. You folks can have Java with your cake and eat it too. You do this by disabling Java from running in web browsers, but allowing it to run in desktop applications. Here's how: Install the current build of Java 7 and uninstall any remaining versions of Java 6. Go to the Control Panel Java icon and open it. In the "Security" tab there will be a checkbox to enable Java content in your web browsers. Uncheck that option, apply the change and click OK to close the Java Control Panel.
Instructions for enabling or disabling Java from individual browsers are found here.
After you disable Java content in your browsers (via the Control Panel applet), close any browsers (e.g. Internet Explorer, Firefox, Opera, Safari, Chrome, AOL, etc.) that were open, then restart them. Your browsers should now be safe from direct exploit kit attacks targeting Java plug-ins in web browsers. Java will still run in desktop applets or offline programs that require it.
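To verify that the checkbox change described above actually took, or to apply it without opening the Java Control Panel, here is an added PowerShell script (not part of the original article) that reads the per-user Java deployment.properties file and optionally writes the setting the checkbox controls. It assumes the default per-user file location on Windows Vista and later, and that the "Enable Java content in the browser" checkbox is stored as the key deployment.webjava.enabled (false = disabled); both are assumptions to check against your own installation.

```powershell
# Added example, not from the original article: report and optionally set the
# "Enable Java content in the browser" option by editing deployment.properties directly.
# Assumption: default per-user path on Windows Vista and later.
param([switch]$Disable)

$PropsPath = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
$KeyPattern = '^\s*deployment\.webjava\.enabled\s*=\s*(\S+)'

function Get-WebJavaSetting {
    param([string]$Path)
    # File absent: Java has never been configured for this user; the control panel's default applies.
    if (-not (Test-Path $Path)) { return $null }
    $value = 'true'   # key absent means Java's default: browser Java enabled
    foreach ($line in Get-Content $Path) {
        if ($line -match $KeyPattern) { $value = $Matches[1] }   # last occurrence wins
    }
    return $value
}

function Set-WebJavaDisabled {
    param([string]$Path)
    $dir = Split-Path $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    # Keep every other line, drop any existing webjava line, then append the disabled setting.
    $lines = @()
    if (Test-Path $Path) {
        $lines = @(Get-Content $Path | Where-Object { $_ -notmatch '^\s*deployment\.webjava\.enabled\s*=' })
    }
    $lines += 'deployment.webjava.enabled=false'
    Set-Content -Path $Path -Value $lines -Encoding ASCII
}

$current = Get-WebJavaSetting $PropsPath
if ($null -eq $current) {
    "No deployment.properties at $PropsPath (Java not yet configured for this user)."
} else {
    $state = if ($current -eq 'false') { 'DISABLED' } else { 'ENABLED' }
    "Java content in browsers is currently: $state"
}

if ($Disable) {
    Set-WebJavaDisabled $PropsPath
    'Wrote deployment.webjava.enabled=false; close and restart any open browsers.'
}
```

Close the Java Control Panel before running with -Disable, since it rewrites this file with its own in-memory copy on OK. Running the script again without the switch should then report DISABLED, which is the same check you would make by reopening the Security tab.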
What if I need Java to interact with a particular website?
Some of you may need Java plug-ins in a web browser to interact with a particular website that is important to you. In that case, disable the Java plug-in in every browser except one, and use that browser only for the website or websites that need Java and nothing else. If that is not feasible, consider using Firefox with the NoScript Add-on installed and active. It blocks JavaScript and Java by default, for every website you encounter, unless you specifically allow them to run. This adds one more layer of protection to a Java-enabled browser, because all of the exploit attack kits I have seen use JavaScript to probe for vulnerable software before launching the actual attack code against your browser. A browser that has JavaScript disabled for unapproved websites will not let that code run from the exploit website (unless you foolishly approve that site).
NOTE: When Firefox 19 is released, Java plug-ins will be disallowed from running in it. I will publish more information about the plug-in restriction when Firefox 19 has been released. When that happens, assuming that Java won't run in Firefox at all, if you must have Java in a web browser, I suggest using the regularly updated Google Chrome browser with the Java plug-in enabled. There is a "Script No" extension for Chrome browsers that acts in a more or less similar way to the NoScript Add-on for Firefox. It is just not as granular in its control of active content on web pages.
Each browser company has an options page available from one of their menus, which will allow you to control what does or doesn't run in that browser. Internet Explorer hides the Java disabling option inside the Custom Level portion of the Security tab. You actually have to set the security slider all the way to High to disable Java Applets in that browser. This also breaks "Active Scripting," which is what Microsoft calls JavaScript and presumably, Flash and Silverlight.
I use Firefox with NoScript, or Chrome with Script No. Am I safe now?
Unfortunately, cyber-criminals employ hackers to find vulnerabilities in some software running on legitimate websites, then upload hostile JavaScript into their landing pages. If you regularly visit a newly compromised website, and have already allowed JavaScript to run on it (for various web functions to work right), you could be exploited by the hostile script that was embedded into that web page, unbeknownst to the Webmaster or site owner.
Why is Java targeted by exploit kits?
Cyber-criminals make a huge amount of money selling exploit kits to botnet operators, who make huge amounts of money reselling the use of their botnets to spammers and scammers who want to install remote control software and bank account stealing Trojans onto personal and corporate computers. Java is their primary target because so many computers have it installed (by old programs, or to play games) and the majority of computer owners don't know it is there, or even if they know, don't keep it updated. I hope that my drilling these facts into your heads will make you aware that (1) Java exists, (2) you know whether it is installed on your computers, (3) if it is, only the most current version is installed, and (4) you have unplugged it from your browsers if you can.
Epilogue
If you don't know if you really need to have Java installed, uninstall it and see what breaks. For most of us, nothing current will break with Java gone. If you break something really necessary, install only the most recent version and follow my previous tips for securing your browsers against Java and JavaScript exploits.
Note: Java and JavaScript are not the same. They are totally different technologies that have the misfortune of having similar names. However, most if not all Java exploit kits use JavaScript to probe your web browser for weaknesses for which it contains an exploit package. You see, JavaScript is something that is interpreted by a web browser to perform typically useful functions. Java is something that has been assembled/compiled into a tiny program, which when run inside a browser is called a Java Applet. It is poor coding in the Java executable components that allows hostile Applets to jump out of the otherwise insulated browser and into the operating system.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.