Java 7 Update 13 and Java 6 Update 39 released to patch critical flaws
February 3, 2013
Last night, on Feb 2, 2013, Oracle Corporation released 2 new versions of its Java virtual machine: Java 7 Update 13 and Java 6 Update 39. These new versions contain fixes for an unbelievable 50 exploitable vulnerabilities in the previous versions (Java 6 and 7). These updates were not supposed to be released until February 19, but new Java exploits are already in the wild. So, Oracle did the right thing and released them ahead of schedule.
Some of the patched vulnerabilities have already been reported publicly and were rolled into online exploit attack kits (e.g. Blackhole Exploit Kit 2.0 and Cool Exploit Kit). Others were reported to Oracle, or discovered by them and kept quiet. Most of the exploitable vulnerabilities exist in Java 6, not Java 7. Oracle is already applying tactics aimed at getting users of Java to stop using version 6 and migrate to the new version 7 platform. Apparently, patching version 6 is no longer feasible and this update (build 39) is the last one planned for Java 6.
Secure your Java software!
If you are an end user (not an employee on a company-managed workstation) and you have Java installed and want to keep it, go to www.java.com, download and install the latest build of Java 7, then reboot. Once the computer is back up and you are logged in, Windows users should go to Control Panel (Start > Settings > Control Panel) > Programs and Features (or Add/Remove Programs in XP), find Java in the alphabetical list of installed programs, and uninstall any previous versions still listed (anything prior to Java 6 b39 or Java 7 b13). Then reboot again.
Locating and getting rid of unwanted Java software
In the previous section I addressed people who both know they have Java on their computers and want to keep it. Those folks should update yesterday. But many of you may not know whether Java is installed at all, or if it is, which version or versions you have. As I noted above, leaving an older version installed puts you at risk from exploits that fall back to attacking older Java versions. Since you may not even need Java, you should consider uninstalling every version you find and be done with the problem.
Windows users can go to Control Panel > Programs and Features (or Add/Remove Programs) and uninstall every version of Java you see in the list of installed programs. Then reboot the computer to finish flushing out any Java components that may have been running while you were using Windows. This protects your PC against old exploits and those that are sure to come along any day.
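Here is an added example, not from the original post, that does the "find Java alphabetically in Programs and Features" step from the command line: it reads the Windows Uninstall registry keys (both the native and Wow6432Node hives), parses each Java entry's display name, and flags anything older than the patched builds named above (Java 7 Update 13 and Java 6 Update 39). The display-name pattern and the cut-off table are my assumptions, not Oracle's; entries the pattern cannot parse (for example J2SE 5.0) are marked for manual review rather than guessed at.

```powershell
# Added example (not part of the original post): list installed Java entries and flag
# builds older than Java 7 Update 13 / Java 6 Update 39. Run in an elevated PowerShell.

# Minimum patched update number per major version, taken from the post above.
$MinUpdate = @{ 6 = 39; 7 = 13 }

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit Java on 64-bit Windows
)

function Get-JavaStatus {
    # Returns one object per Java-looking entry with a Verdict of Current, Outdated or Review.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        ForEach-Object {
            $name    = $_.DisplayName
            $verdict = 'Review'   # default: legacy or unparseable name, check it by hand
            # Assumed display-name forms: "Java 7 Update 13", "Java(TM) 6 Update 39",
            # "Java 7 Update 13 (64-bit)". Only majors 6 and 7 have a cut-off in the table.
            if ($name -match 'Java(\(TM\))?\s+(?<major>[67])\s+Update\s+(?<update>\d+)') {
                $major   = [int]$Matches.major
                $update  = [int]$Matches.update
                $verdict = if ($update -ge $MinUpdate[$major]) { 'Current' } else { 'Outdated' }
            }
            [PSCustomObject]@{
                DisplayName     = $name
                DisplayVersion  = $_.DisplayVersion
                Verdict         = $verdict
                UninstallString = $_.UninstallString   # the command Programs and Features would run
            }
        }
}

$results = @(Get-JavaStatus)
if ($results.Count -eq 0) {
    Write-Host 'No Java entries found in the Uninstall registry keys.'
} else {
    $results | Sort-Object Verdict | Format-Table -AutoSize
    $old = @($results | Where-Object { $_.Verdict -ne 'Current' })
    if ($old.Count -gt 0) { Write-Warning "$($old.Count) Java entry/entries need removal or manual review." }
}
```

The script only reports; removal is still done through Programs and Features (or by running the listed UninstallString), followed by the reboot the post calls for.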
Mac users should read these instructions for uninstalling Java. You basically locate the "JavaAppletPlugin.plugin" and move it to Trash.
Oops; a desktop app needs Java!
However, some computer users have desktop applications (which we used to refer to simply as "software") that run on Java, in whole or in part. You folks can have your Java cake and eat it too: disable Java from running in web browsers, but allow it to run in desktop applications. Here's how: install the current build of Java 7 and uninstall any remaining versions of Java 6. Open the Java icon in the Control Panel. In the "Security" tab there is a checkbox to enable Java content in your web browsers. Uncheck that option, apply the change and click OK to close the Java Control Panel.
Instructions for enabling or disabling Java from individual browsers are found here.
After you disable Java content in your browsers (via the Java Control Panel applet), close any browsers that were open (e.g. Internet Explorer, Firefox, Opera, Safari, Chrome, AOL, etc.), then restart them. Your browsers should now be safe from direct exploit kit attacks targeting Java plug-ins in web browsers, while Java will still run in desktop applications or offline programs that require it.
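As an added example (my own script, not from the original post), this checks that the "enable Java content in the browser" box really is unchecked for the current user, without opening the Java Control Panel. It assumes what I recall of Java 7 Update 10 and later on Windows: the checkbox is persisted as the property deployment.webjava.enabled in the per-user file %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties, and an absent property means the default (enabled) applies; verify both against your own installation.

```powershell
# Added example (not part of the original post): report whether Java content in browsers
# is disabled for this user by reading deployment.properties.
# Assumption: Java 7u10+ stores the Security-tab checkbox as deployment.webjava.enabled.

$propsPath = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'

function Test-BrowserJavaDisabled {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        Write-Warning "deployment.properties not found at $Path (Java not installed, or never configured for this user)."
        return $false
    }
    # The file is Java properties format; the line of interest looks like:
    #   deployment.webjava.enabled=false
    $line = Get-Content $Path |
        Where-Object { $_ -match '^\s*deployment\.webjava\.enabled\s*=' } |
        Select-Object -Last 1
    if (-not $line) {
        # Property absent: the Java default applies, which is browser Java enabled.
        Write-Warning 'deployment.webjava.enabled is not set; browser Java is still enabled by default.'
        return $false
    }
    $null = $line -match '=\s*(?<val>\w+)'
    return ($Matches.val -eq 'false')
}

if (Test-BrowserJavaDisabled -Path $propsPath) {
    Write-Host 'Java content in web browsers is disabled for this user.'
} else {
    Write-Host 'Java content in web browsers is NOT disabled; uncheck it in the Java Control Panel Security tab.'
}
```

Because the file is per-user, run the check as each account that uses the computer, and re-run it after any Java update in case the installer rewrites the file.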
What if I need Java to interact with a particular website?
NOTE: When Firefox 19 is released, Java plug-ins will be disallowed from running in it. I will publish more information about the plug-in restriction when Firefox 19 has been released. When that happens, assuming that Java won't run in Firefox at all, if you must have Java in a web browser, I suggest using the regularly updated Google Chrome browser with the Java plug-in enabled. There is a "Script No" extension for Chrome browsers that acts in a more or less similar way to the NoScript Add-on for Firefox. It is just not as granular in its control of active content on web pages.
I use Firefox with NoScript, or Chrome with Script No. Am I safe now?
Why is Java targeted by exploit kits?
Cyber-criminals make a huge amount of money selling exploit kits to botnet operators, who in turn make huge amounts of money reselling the use of their botnets to spammers and scammers who want to install remote control software and bank account stealing Trojans onto personal and corporate computers. Java is their primary target because so many computers have it installed (by old programs, or to play games) and the majority of computer owners don't know it is there, or even if they know, don't keep it updated. I hope that my drilling these facts into your heads makes you aware (1) that Java exists, (2) whether or not it is installed on your computers, (3) that if it is, only the most current version is installed, and (4) that you have unplugged it from your browsers wherever you can.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.