Java

As a courtesy to our clients, we have put together this page to help inform and assist regarding the reported Jan 2013 Java vulnerability. Please note that lessons from this vulnerability can be applied to all past, present, and future vulnerabilities.

Page last updated Jan 13, 2013

January 13, 2013: Oracle has released an update that includes a fix for the vulnerability. Please ensure that your Java is updated to the latest version (ver 7 update 11). We still recommend that you consider uninstalling Java if you do not need it, or disabling Java if you decide to keep and update it.

What is Java?

Java is a programming language and platform that has been used extensively since 1995 in many applications on computers and other electronic devices. Java was originally developed by Sun Microsystems but is now owned by Oracle. For full information on Java, please visit http://www.java.com/en/download/faq/whatis_java.xml.

Note: Java is unrelated to JavaScript. JavaScript is an open-source scripting language that is used extensively to assist and enhance user experiences on the web. At the moment, there are no significant concerns with JavaScript.


What is the zero-day Java attack announced in Jan 2013?

A zero-day attack is an attack, or threat of attack, that exploits a vulnerability that was previously unknown. In this case, the discovered zero-day attack takes advantage of Java, including the latest version. According to Security Exploitations, the vulnerability was supposed to be fixed by Oracle in an August 2012 patch, but the patch was incomplete.


Am I affected by the Jan 2013 zero-day attack?

As of Jan 12, 2013, if you have Java installed, then yes, you are vulnerable to the attack. The vulnerability is present on Windows, Apple OS X, and Linux. The vulnerability is clearly present in Java 7. For earlier versions of Java, it is unclear whether the vulnerability is completely present, but earlier versions have other vulnerabilities as well, so using them is not advised.


Do I have Java installed? What version of Java do I have installed?

Oracle has set up the following page, which lets you test whether you have Java installed and, if so, which version: http://www.java.com/en/download/installed.jsp. If present, click on "Verify Java version".
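
For a local check that does not involve the browser, the following added example (not part of the original page or from Oracle) reads the banner printed by `java -version` and compares it with the 7 update 11 level mentioned above. The function names, verdict labels and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a `java -version` banner against the 7u11 fix level.

# Pull the quoted version (e.g. 1.7.0_10) out of the banner text.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print one verdict for a banner: no-version-found, unrecognized,
# older-release, needs-update, has-7u11-fix or outside-page-scope.
classify_java_banner() {
    ver=$(java_version_string "$1")
    [ -n "$ver" ] || { echo "no-version-found"; return 0; }
    case "$ver" in
        1.[0-9]*.*) ;;                       # legacy 1.<major>.<minor>[_<update>]
        *) echo "unrecognized"; return 0 ;;
    esac
    major=${ver#1.}; major=${major%%.*}
    case "$major" in ''|*[!0-9]*) echo "unrecognized"; return 0 ;; esac
    case "$ver" in
        *_*) update=${ver##*_}; update=${update%%[!0-9]*} ;;  # drop -ea, -b18 ...
        *)   update=0 ;;                                       # GA build, no update
    esac
    update=$(printf '%s' "$update" | sed 's/^0*//')           # 09 -> 9
    [ -n "$update" ] || update=0
    if   [ "$major" -lt 7 ]; then echo "older-release"
    elif [ "$major" -gt 7 ]; then echo "outside-page-scope"
    elif [ "$update" -lt 11 ]; then echo "needs-update"
    else echo "has-7u11-fix"
    fi
}

# Constructed sample banners (not captured from real machines).
for sample in 'java version "1.7.0_10"' 'java version "1.7.0_11"' \
              'java version "1.6.0_38"' 'java version "1.7.0"'; do
    printf '%-28s %s\n' "$sample" "$(classify_java_banner "$sample")"
done

# The local machine: `java -version` writes its banner to stderr.
if command -v java >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_java_banner "$(java -version 2>&1)")"
else
    printf 'local: %s\n' "no-version-found"
fi
```

This only sees the `java` command on the PATH; a browser plug-in can be installed separately, so the verification page above and the installed-programs list remain the check for that.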


Does CLS use Java?

No, we do not use Java. We use JavaScript, which is not the same as Java.


How would I get compromised?

The vulnerability by itself will not harm the machine, but it is like leaving the door to a house open. If the door is open and someone malicious walks by, the vulnerability can be exploited. In a similar sense, your machine would get compromised if you were to visit a website that happens to use Java and is looking to take advantage of the Java vulnerability.


Am I compromised?

The reported Java vulnerability allows a malicious site or user to gain access to your machine and thereby install surreptitious spyware and malware programs, such as keyloggers. To determine whether your machine has been compromised, please keep an eye out for suspicious or unusual activities on your system, and run a well-regarded anti-malware program to look for spyware and other malware.


What should I do? How do I uninstall/disable Java?

Until Oracle releases a fix for the exploit, here are our current recommendations. This would be an opportunity to consider whether you require Java. Most websites do not require Java, so if you do not require Java, our best recommendation is to uninstall Java. If you do require Java or would like to postpone uninstalling Java, our next recommendation is to disable Java. Instructions are provided below for uninstalling and disabling Java. If you are concerned that your machine has already been exploited, please run an anti-malware/anti-spyware program (e.g., Malwarebytes, Spybot - Search & Destroy) and an anti-virus program (e.g., Microsoft Security Essentials).

Uninstalling Java on Windows 7
  1. Click "Start".
  2. Select "Control Panel".
  3. Select "Programs".
  4. Select "Programs and Features".
  5. Find all instances of Java. Select each instance of Java by clicking on it and then click the "Uninstall" button. (You will have to repeat this step depending on how many instances of Java are on your machine.)
For other versions of Windows, please visit http://www.java.com/en/download/uninstall.jsp for instructions.


Uninstalling Java on Mac OS X
  1. Click the "Finder" icon in your dock.
  2. Click "Applications" in the sidebar.
  3. In the search box enter "JavaAppletPlugin.plugin", without the quotes.
  4. Right click on the JavaAppletPlugin.plugin file and select "Move To Trash".
For more information and an alternative method of uninstalling on a Mac, please visit http://www.java.com/en/download/help/mac_uninstall_java.xml for instructions.


Disabling Java 7.0, 7u10+
  1. Find the Java Control Panel.
    • Windows XP: Click "Start" > Click "Control Panel" > Double-click the Java icon.
    • Windows 7, Vista: Click "Start" > Click "Control Panel" > In the Control Panel Search, enter "Java Control Panel" (without quotes) > Click on the Java icon.
    • Windows 8: Drag mouse pointer to bottom-right corner of the screen > Click "Search" > In the search box, enter "Java Control Panel" (without quotes) > Click on the Java icon.
    • Mac OS X 10.7.3 and above: Click the Apple icon (upper left corner) > Click "System Preferences" > Click on the Java icon.
  2. Click on the "Security" tab.
  3. Uncheck the box that says "Enable Java content in the browser".
  4. Click "Apply". When the Windows User Account Control (UAC) dialog appears, click on "Allow" to make the changes.
  5. Click "OK".
  6. Restart any open browsers.
For more information, please visit http://www.java.com/en/download/help/disable_browser.xml for instructions.


Disabling Java in Google Chrome
  1. Click on the wrench icon in the upper right corner of the browser. In newer versions, the wrench is replaced by the "hot dog" (a button that looks like a stack of 3 lines).
  2. Click on "Settings".
  3. In the "Search Settings" box, type in "Java" (without quotes).
  4. Click on "Content Settings".
  5. Scroll down to the section called "Plug-ins" and click on "Disable individual plug-ins".
  6. Look for "Java(TM)" and click on "Disable".
For more information, please visit https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ for instructions.


Disabling Java in Mozilla Firefox
  1. Click on the "Firefox" menu icon in the upper left corner.
  2. Click on "Add-Ons".
  3. Click on "Plugins" on the left.
  4. For each instance with the word "Java", click on the "Disable" button on the right.
For more information, please visit https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ for instructions.


Disabling Java in Internet Explorer


Where can I get more information regarding the Java exploit?



