Oracle patches Java vulnerabilities for 3rd time in 30 days
March 6, 2013
Oracle, the current owner and maintainer of Java technology, has just released another critical patch for its "write once, run anywhere" Java Virtual Machine. This makes 3 critical patches in about 30 days. The new versions are Java 7 Update 17 and Java 6 Update 43. This patch closes a critical vulnerability (CVE-2013-1493) in Java that is being used in targeted attacks (e.g. espionage) against important targets in sensitive positions.
In a previous blog entry, I mentioned that Oracle had intended to quit shipping updates for Java 6 at the end of February, in an effort to get users to migrate to the new Java version 7 platform. Apparently, due to the huge number of companies and Government agencies that still use version 6 and are being targeted by this exploit, they reversed their decision.
What does this mean for you?
If you have Java installed on any computer that accesses the Internet, either update to the latest version (6-43, or 7-17), or disable Java in your web browsers, or uninstall it altogether (unless your business requires it). Instructions for upgrading or uninstalling Java follow. But, if you use Java applications for business or development purposes, verify that it is okay to upgrade to the new version (6 or 7), and/or reduce your risk by securing your Java-enabled computers and operating with reduced user privileges. If you use Firefox as your browser, consider installing the NoScript Add-on and learn to use it for your protection against JavaScript-driven Java Plug-in exploit kits.
How to update Java
If you have Windows-based computers, up to Windows 7, navigate from the Start button to the (Settings) Control Panel link, on the right side of the Start Menu. If you have Windows 8, use Search to find Control Panel. Once you are in the Windows Control Panel, switch to Classic View (Win XP), or to either large or small icons, for Windows Vista, 7, or 8. This will reveal an (alphabetically sorted) icon for Java, if you have it installed. Click or double-click to open the Java control panel applet and click on its Update tab. There is a button to check for updates now, so use it. Accept any new updates that are offered and make sure that anything you download is signed by Oracle.
Before you close the Java applet, change the schedule for checking for updates to Daily, at a time when the computer is usually powered on. The default period is set to Monthly, which is ludicrous considering how often Java is exploited and how unpredictably the updates are released. Note, after you update to a new build or version, go back to that Control Panel Java Applet and make sure that it has not reverted back to Monthly checks. This has been reported as happening by many people. It appears to be by design, by misguided programmers. Reset to Daily checking and save the change every time Java modifies your preferences. Sigh
For other operating systems like Mac, you can visit www.java.com and download the correct version for your computer. If you run Ubuntu Linux, use your Software Update feature to get new versions of Java.
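To confirm that an update actually took effect, the version banner printed by `java -version` can be compared against the patched levels named above (Java 6 Update 43, Java 7 Update 17). The following is an added example, not part of the original article; the function names and result labels are illustrative, and the sample banners are constructed.

```python
import re
import subprocess

# Minimum update level per release family, taken from the article:
# Java 6 Update 43 and Java 7 Update 17.
BASELINE = {6: 43, 7: 17}

# Constructed sample banners (not captured from a real host).
SAMPLES = ['java version "1.7.0_15"', 'java version "1.6.0_43-b01"']

# Matches the quoted version string, e.g. "1.7.0_15" or "1.6.0_43-b01".
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # A banner with no "_NN" suffix is the initial release (update 0).
    return int(m.group(1)), int(m.group(2) or 0)


def assess(banner):
    """Classify a banner against the article's patched baseline."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in BASELINE:
        # Release families the article does not cover.
        return "older-than-advisory" if family < 6 else "newer-than-advisory"
    return "patched" if update >= BASELINE[family] else "needs-update"


def installed_banner():
    """Run the java found on PATH; `java -version` writes to stderr."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stderr or out.stdout


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess(sample))
    banner = installed_banner()
    print("java not found on PATH" if banner is None else assess(banner))
```

This inspects only the `java` found on PATH; older copies installed side by side have to be checked separately.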
How to disable Java in your browsers
Starting with Java Version 7 Update 10, a new security feature was added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel. With the Java control panel applet open, click on the Security tab. Uncheck the top option: "Enable Java content in the browser" and click Apply, on the bottom right. Close any browsers that were open, to flush out Java applets that may have been running, as well as the Java Plug-in. When you re-open your browsers, Java will be non-functional in them. But, you will still be able to use desktop applications that require Java support.
If it is truly necessary for you to access particular websites that run Java applets, I recommend doing so with just one browser that is only used to visit those websites. You will have to manually disable the Java Plug-in from any other browsers you have installed. At this time, either Chrome, or Firefox - with the NoScript Add-on - are the safest browsers to use with Java enabled. But, this could change at any time.
Uninstalling Java
Windows users need to go to their Windows Control Panel, then click on either Add/Remove Programs, or Programs (and Features) > Uninstall a program. Locate all entries related to "Java" and uninstall them, one at a time. Reboot your computer to flush out any Java processes that were active in memory.
For Mac operating systems, read the instructions on this page. To uninstall Java from a Linux computer, read this.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.