January 12, 2013

On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.

Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University’s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.

Q: I’ve read in several places that this is the first time that the U.S. government has urged computer users to remove or wholesale avoid using a particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows users to avoid using Internet Explorer. In this case, CERT is not really recommending that users uninstall Java: just that users unplug Java from their Web browser.

Q: I’m pretty sure that my Windows PC has Java installed, but I can’t seem to locate the Java Control Panel from the Windows Start Menu or Windows Control Panel. What gives?
A: According to CERT’s Dormann, due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Q: I can’t remember the last time I used Java, and it doesn’t look like I even need this program anymore. Should I keep it?
A: Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it.

Q: This is all well and good advice for consumers, but I manage many PCs in a business environment. Is there a way to deploy Java but keep the plugin disconnected from the browser? 
A: CERT advises that system administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
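The following PowerShell script is an added example, not code from the article, CERT or Oracle. It ties together the three Windows-administration steps discussed above: locating javacpl.exe in the two paths the article lists, running the Java installer silently with the WEB_JAVA=0 option CERT cites, and confirming afterwards that the browser plug-in is off. The registry key, the installer’s /s silent switch, the per-user deployment.properties path and the deployment.webjava.enabled key come from my own knowledge of Oracle’s Windows installer and deployment documentation rather than from the article, so verify them against the JRE build you actually deploy; the installer filename in the usage section is a placeholder.

```powershell
# Added example (not from the article, CERT or Oracle): audit a Windows PC for
# Java 7 and deploy it with the browser plug-in disabled. Items marked
# "assumption" are from Oracle documentation as I recall it, not from the article.

# Locations the article gives for 64-bit and 32-bit JRE 7 installs.
$jreBinDirs = @(
    'C:\Program Files\Java\jre7\bin',
    'C:\Program Files (x86)\Java\jre7\bin'
)

function Find-JavaControlPanel {
    # Returns the first javacpl.exe found in the documented locations, or $null,
    # for the case where the Control Panel applet is missing from the Start Menu.
    foreach ($dir in $jreBinDirs) {
        $candidate = Join-Path $dir 'javacpl.exe'
        if (Test-Path $candidate) { return $candidate }
    }
    return $null
}

function Get-InstalledJavaVersion {
    # Assumption: Oracle's Windows installer records the JRE version under this
    # key. Both registry views are checked so a 32-bit JRE on 64-bit Windows
    # is not missed. Returns the version string or $null if no JRE is present.
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            $cv = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentVersion
            if ($cv) { return $cv }
        }
    }
    return $null
}

function Install-JavaWithoutBrowserPlugin {
    param([Parameter(Mandatory=$true)][string]$InstallerPath)
    # Assumption: /s is the offline installer's silent switch. WEB_JAVA=0 is the
    # option CERT cites for deploying 7u10+ with "Enable Java content in the
    # browser" unchecked. Returns the installer's exit code (0 on success).
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList @('/s', 'WEB_JAVA=0') -Wait -PassThru
    return $proc.ExitCode
}

function Test-BrowserPluginDisabled {
    # Assumption: 7u10 stores the checkbox state as deployment.webjava.enabled
    # in the per-user deployment.properties file at the path below. Returns
    # $true only when the key is present and explicitly false; a missing file
    # or key is reported as "not confirmed disabled" ($false).
    $propsFile = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $propsFile)) { return $false }
    $match = Select-String -Path $propsFile -Pattern '^deployment\.webjava\.enabled=(.*)$' |
        Select-Object -First 1
    if (-not $match) { return $false }
    return ($match.Matches[0].Groups[1].Value.Trim() -eq 'false')
}

# Usage (elevated PowerShell session on the managed PC).
$cpl = Find-JavaControlPanel
if ($cpl) { Write-Host "javacpl.exe: $cpl" } else { Write-Host "javacpl.exe not found in the documented paths" }
Write-Host "Installed JRE: $(Get-InstalledJavaVersion)"
# Placeholder installer path; substitute the offline installer you distribute.
# $exit = Install-JavaWithoutBrowserPlugin -InstallerPath 'C:\deploy\jre-7u10-windows-i586.exe'
Write-Host "Browser plug-in confirmed disabled: $(Test-BrowserPluginDisabled)"
```

Test-BrowserPluginDisabled deliberately treats an absent file or key as a failure rather than a pass: on a machine where the plug-in was never explicitly switched off, the default is enabled, so an audit that only looks for the explicit "false" value is the conservative reading.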

Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like Noscript.

Selectively script blocking can take some getting used to. Most script-blocking add-ons will disable scripting by default on Web sites that you have not added to your trusted list. In some cases, it may take multiple tries to get a site that makes heavy use of Javascript to load properly.

Internet Explorer allows users to block scripts, but even the latest version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can select among JavaScript on, off, or prompting you to load JavaScript. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below). The lack of a simpler approach to script blocking in IE is one of the main reasons I continue to steer readers toward Firefox and Chrome.


73 thoughts on “What You Need to Know About the Java Exploit”

  1. pudecuflla

    Hi great article

    On Monday I was prompted to update Java to 7.11. After checking their site and a few forum sites I did so. I then scanned my system with MSE and Spybot Search and Destroy; both found my system clean. I then visited Pogo.com (the only site I use that needs Java, I believe), played a few games and then shut down my system. The next morning when I turned on my computer it would not boot up and would not self-fix. In fact the only option I had available was to restore to factory settings, so I did (obviously lost everything I had on the computer). Now I have a computer exactly as I just bought it. Does this mean I may still have a problem somewhere in my system, or is it clear? I don’t have Java installed anymore, of course. Thanks if you can help. Again, great article.

    1. JCitizen

      Your experience with MSE matches my clients. I just got done fixing a PC that had MSE as the resident AV solution, and it had a serious MBR malware infection, and 56 other very nasty bugs on-board. The client had fortunately done his backups, but thanks to the new malware we now have, they were blocking it; they also blocked or otherwise corrupted the IDE controller to the optical drive so I couldn’t use Kaspersky’s Rescue 10 CD to regain control.

      To make a long story short, I had to pull out every weapon in my arsenal to regain control of the PC. I never was able to use the factory restore partition, but at least I was able to burn the restore disks necessary to give one more option for the future. Since the client had no financial stake in day to day operations, I skipped attempting once again to get his backups restored. Some times you just have to pick the economical route.

      Re-installing the IDE controller did at least regain his ability to use his optical drives.

      1. Eric

        So what kind of infection is it that can block you from booting from an optical drive or USB?

        1. JCitizen

          He had one MBR bug that took nuking from space with Kaspersky’s, and 56 other malware that, starting from safe mode, took several attempts to remove, and normal mode using other anti-malware.

          Bear in mind, when I received this machine you could NOT:
          1. Boot to any optical drive.
          2. Do a factory restore of the recovery partition.
          3. Do a backup image restore.
          4. Connect to the internet
          5. Use the floppy drive
          6. Use restore
          7. Boot to USB dongle despite the fact the machine was capable of it.

          It wasn’t that they blue screened or other odd behavior, they just didn’t work and would simply bypass what you were doing and go back to a normal mode boot.

          You could see most of the drives in the Disk Management console, but not in the backup program GUI – no cigar. When first I saw this, I thought I had one of those Bios flash bugs, but a few other tricks ended up clearing one log jam and made it possible for me to boot to a USB copy of Hiren’s boot CD. Then it was one inexorable step at a time until I had the whole mess cleaned up.

          I really didn’t know which threat was the cause, because it was touch and go each step of the way even as I was reaching success taking out the MBR bug, which I thought was going to be the most serious of the clan; but it was not exactly down hill from there. Fortunately MBAM has changed the way it’s code works, and it is way more resistant to malware manipulation; so that was undoubtedly a big help, because the client already had the last version on board and it obviously didn’t stop the problem.

          Sure it is possible that simple driver corruption caused the optical driver failure, but all these factors taken at once, I can’t help blaming the malware for the whole thing. I’ve seen worse trying to help clients over the phone, where every step we took was thwarted, and we even found threatening notes left by the attackers, who obviously also had remote control of the machine.

          Some of these @holes can reroute their attack of the target PC using blue-tooth from your cell phone, and on board wireless that wasn’t being used at the time; so that even the wireless router was pwned and used to regain control – the client not realizing that Ethernet was not the only vector in the fully equipped PCs that are being sold in recent years.

          After you see enough of this evil, you start believing all kinds of cr@p are possible. X-(

          1. Steve

            Sounds like you don’t really know what you are doing.

    2. Peter

      Our experience says 8 out of 10 you had data corruption, more likely caused by failing HDD. (Note, as Mr Krebs does, the difference between correlation and causation).

      My advice: Make your Factory Restore media now. And keep all your important data backed up. Head off another failure by replacing your HDD (cheap now). Better yet, upgrade to SSD if you have Win7–if you don’t have Win7 and your system is nice and not too old, jump on this deal and get Win 8 for $40 (15 days left) and be sure to have it download for later installation so you can put it clean on the new drive:

      http://windows.microsoft.com/en-US/windows/buy

  2. pudecuflla

    Thanks for that, Peter. It’s an Acer Aspire with Vista, about 3-4 years old, and as they do it has overheated and shut down many times, so I wouldn’t be surprised if it’s cooked internally. I guess it is time to upgrade.

  3. MATTHEW BOOKER

    First, Java is not found in web browsers it is utilized by certain websites to replace content built with Adobe Flash.

    Adobe Flash is what sites like Facebook and at least some other social media sites rely on for their content, and an increasing number of people don’t like using those sites, because the Adobe Flash Player constantly crashes, such as in Zynga games on Facebook.

  4. Caitlyn

    I’m not really sure about all of this (I’m not very good with computers) but I’ve installed the latest version of Java. Chrome still insists that it’s out of date, and doesn’t let me play certain videos. I need these videos for class, so I need to fix this right away. Do you have any suggestions?

    1. BrianKrebs Post author

      Caitlyn,

      I would adopt a two-browser approach, a la the instructions in the story:

      Q: A site I use often requires the Java plugin to be enabled. What should I do?
      A: If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

    2. Eric

      Caitlyn, I don’t know Chrome as well as I know Firefox, but here are some links that might be helpful in getting Java working in Chrome. Pay attention in particular to the links at the bottom of the first page.

      http://java.com/en/download/faq/chrome.xml

      http://support.google.com/chrome/bin/answer.py?hl=en&answer=2429779

      I would follow Brian’s advice after that, though, and use a different browser for general web browsing. It’s either that and go back and forth between enabling/disabling Java in Chrome or browsing the web in a more vulnerable state.

      1. JCitizen

        My version of Chrome finally started treating Java like your 1st link describes. The odd thing is, sometimes it works and sometimes it doesn’t. (Java – not the blocking control)

        I’ve never been able to get Java to test correctly despite doing everything in the book to tech the problem. I haven’t missed it though, because it works when I need it, oddly enough. I’d swear my blended defenses may be responsible for this, but I don’t know how, with this on-again off-again inconsistency.

        The only thing I can think of is that Avast’s script blocker will block all but a few URLs that actually need Java to work to continue doing business.

        Thanks Eric and Brian for your thoughtful responses!

  5. apchar

    So what’s a web developer to do?
    I’d like to write games for the web. That means java. Javascript won’t do half of what Java can do.
    I can’t realistically tell my users to use a different browser just for my site. I can hear the complaints now. Firefox users remember how frustrating it was to find a website that required IE. I can safely assume my users have been scared into disabling the java plugin. What’s left? Is Java Web Start affected by these threats? I assume it would not be affected by a disabled plugin. I guess I could provide a JNLP link. Users might trust that. It works for Nord.

  6. Will

    Read your story about Java, and others’ advice to get rid of Java. I have WinXP and an iPad, and up until I uninstalled Java on my PC, my Google Calendar synced just fine between the 2.

    I can’t find any help definitely linking the need to have active Java on the PC to make the sync function work…

    I’m going to try the 2 browser approach, but would still like to know if Java is needed for syncing.
