Oracle patches Java vulnerabilities for 3rd time in 30 days
March 6, 2013
Oracle, the current owner and maintainer of Java technology, has just released another critical patch for its "write once, run anywhere" Java Virtual Machine. This makes 3 critical patches in about 30 days. The new versions are Java 7 Update 17 and Java 6 Update 43. This patch closes a critical vulnerability (CVE-2013-1493) in Java that is being used in targeted attacks, such as espionage, against important targets in sensitive positions.
In a previous blog entry, I mentioned that Oracle had intended to quit shipping updates for Java 6 at the end of February, in an effort to get users to migrate to the new Java version 7 platform. Apparently, due to the huge number of companies and government agencies that still use version 6 and are being targeted by this exploit, Oracle reversed that decision.
What does this mean for you?
How to update Java
If you have Windows-based computers, up to Windows 7, navigate from the Start button to the (Settings) Control Panel link, on the right side of the Start Menu. If you have Windows 8, use Search to find Control Panel. Once you are in the Windows Control Panel, switch to Classic View (Win XP), or to either large or small icons, for Windows Vista, 7, or 8. This will reveal an (alphabetically sorted) icon for Java, if you have it installed. Click or double-click to open the Java control panel applet and click on its Update tab. There is a button to check for updates now, so use it. Accept any new updates that are offered and make sure that anything you download is signed by Oracle.
Before you close the Java applet, change the schedule for checking for updates to Daily, at a time when the computer is usually powered on. The default period is set to Monthly, which is ludicrous considering how often Java is exploited and how unpredictably the updates are released. Note: after you update to a new build or version, go back to that Control Panel Java applet and make sure that it has not reverted to Monthly checks. Many people have reported this happening. It appears to be by design, by misguided programmers. Reset to Daily checking and save the change every time Java modifies your preferences. Sigh.
For other operating systems like Mac, you can visit www.java.com and download the correct version for your computer. If you run Ubuntu Linux, use your Software Update feature to get new versions of Java.
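If you look after more than one computer, you can compare the output of `java -version` from each machine against the patched builds named above. The Python script below is an added example, not part of the original post; it assumes the legacy `1.<family>.0_<update>` version string that Java 6 and 7 print, and the host names and sample outputs are constructed.

```python
import re

# Patched builds named in the article: Java 7 Update 17 and Java 6 Update 43.
PATCHED_UPDATE = {7: 17, 6: 43}

# Legacy version string, e.g. 1.7.0_15 or 1.6.0_41-b02; the "_NN" part is optional.
_VERSION_RE = re.compile(r'\b1\.(\d+)\.0(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from `java -version` output, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A bare "1.7.0" is the initial release, i.e. update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify one machine's version output against the patched builds above."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparsed"        # Java missing, or an unexpected format
    family, update = parsed
    baseline = PATCHED_UPDATE.get(family)
    if baseline is None:
        return "not-covered"     # a family the article lists no patched build for
    return "patched" if update >= baseline else "needs-update"


def audit(inventory):
    """Map host name -> status for a dict of host name -> version output."""
    return {host: classify(out) for host, out in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (host names and outputs are made up).
    sample = {
        "office-pc-1": 'java version "1.7.0_17"',
        "office-pc-2": 'java version "1.7.0_15"',
        "legacy-app": 'java version "1.6.0_41-b02"',
        "kiosk": "'java' is not recognized as an internal or external command",
    }
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {status}")
```

Machines reported as `needs-update` should be updated as described above; `unparsed` and `not-covered` results need a manual look.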
How to disable Java in your browsers
Starting with Java Version 7 Update 10, a new security feature was added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel. With the Java control panel applet open, click on the Security tab. Uncheck the top option: "Enable Java content in the browser" and click Apply, on the bottom right. Close any browsers that were open, to flush out Java applets that may have been running, as well as the Java Plug-in. When you re-open your browsers, Java will be non-functional in them. But, you will still be able to use desktop applications that require Java support.
If it is truly necessary for you to access particular websites that run Java applets, I recommend doing so with just one browser that is only used to visit those websites. You will have to manually disable the Java Plug-in from any other browsers you have installed. At this time, either Chrome, or Firefox - with the NoScript Add-on - are the safest browsers to use with Java enabled. But, this could change at any time.
Windows users need to go to their Windows Control Panel, then click on either Add/Remove Programs, or Programs (and Features) > Uninstall a program. Locate all entries related to "Java" and uninstall them, one at a time. Reboot your computer to flush out any Java processes that were active in memory.
Trend Micro Internet Security products, for home and office users, use in-the-cloud malware definitions that are updated every day, all day, as soon as new or altered strains of viruses and other malware are detected in the wild and analyzed. By offloading the bulk of these ever changing virus definitions to cloud servers, the load on your computers is greatly reduced. All users of Trend security programs are instantly protected from hostile web pages laden with malware exploits and hostile email, by the Trend Micro Smart Protection Network.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.