11 Jun 10

Don’t Need Java? Junk It.

I am often asked to recommend security software, but it’s important to remember that staying secure is just as much about removing little-used software that increases your exposure to online threats. At the very top of my nix-it-now list is Java, a powerful software platform that most users have on their systems but that probably few actually need.

Not only do most users have some version of Java on their systems; most Windows users likely have multiple copies of it on their PCs, because older installers failed to remove previous, insecure versions of the software. Each leftover copy is another set of known holes, whether or not you ever launch it.
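Stale copies are easy to miss because the Java control panel only shows the current runtime. As an added example (not part of the original post), the following PowerShell snippet lists every Java runtime still registered in the Windows uninstall keys, newest first, and prints the removal command for each older one. The display-name patterns it matches are an assumption based on the names Sun’s and Oracle’s installers have used; widen them if your machines differ.

```powershell
# Added example (not from the original post): list every Java runtime that
# Windows still has registered, newest first, and print the msiexec command
# that would remove each older one. Run from an elevated PowerShell prompt.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # 32-bit view on x64
)

# Assumption: Sun/Oracle display names have looked like "Java(TM) 6 Update 20",
# "J2SE Runtime Environment 5.0 Update 22", "Java 2 Runtime Environment, SE v1.4.2_19"
# and "Java 8 Update 291". Widen the pattern if your fleet names them differently.
$javaPattern = '^(Java\b|J2SE Runtime Environment)'

function Get-JavaInstalls {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            if (-not $p.DisplayName) { continue }
            if ($p.DisplayName -notmatch $javaPattern) { continue }
            if ($p.DisplayName -match 'Auto Updater') { continue }   # helper, not a runtime
            [pscustomobject]@{
                DisplayName  = $p.DisplayName
                Version      = $p.DisplayVersion
                ProductCode  = $sub.PSChildName      # {GUID} for MSI-based installs
                UninstallCmd = $p.UninstallString    # fallback for non-MSI entries
            }
        }
    }
}

# DisplayVersion is not always a clean dotted number (e.g. "1.4.2_19"), so
# normalise it before sorting; anything unparseable sorts last.
function ConvertTo-SortableVersion([string]$s) {
    try   { [version](($s -replace '[^\d.]', '') -replace '\.+', '.').Trim('.') }
    catch { [version]'0.0' }
}

$installs = @(Get-JavaInstalls | Sort-Object { ConvertTo-SortableVersion $_.Version } -Descending)

if ($installs.Count -eq 0) {
    Write-Host 'No Java runtime is registered on this machine.'
    return
}

$installs | Format-Table DisplayName, Version, ProductCode -AutoSize

# Everything after the newest entry is a leftover the old installers did not clean up.
foreach ($old in ($installs | Select-Object -Skip 1)) {
    if ($old.ProductCode -match '^\{[0-9A-Fa-f-]+\}$') {
        Write-Host "Stale: $($old.DisplayName)  ->  msiexec.exe /x $($old.ProductCode) /qn /norestart"
        # Uncomment to actually remove it:
        # Start-Process msiexec.exe -ArgumentList "/x $($old.ProductCode) /qn /norestart" -Wait
    } else {
        Write-Host "Stale: $($old.DisplayName)  ->  $($old.UninstallCmd)"
    }
}
```

This is a dry run on purpose: check the printed list before uncommenting the removal line, and if the machine has no use for Java at all, remove the newest entry as well rather than keeping it around “just in case”. Entries whose key name is not a GUID were not installed by MSI; for those, run the printed UninstallString instead.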

Worse still, Java is now among the most frequently attacked programs, and appears to be fast replacing Adobe’s products as the target of choice for the automated exploit tools used by criminals.

Readers of this blog are no doubt familiar with my previous stories on the Eleonore Exploit Pack, a commercial software package sold by and to criminals that is used to booby-trap Web sites with exploits for the most common Web browser and browser plugin vulnerabilities. Check out past posts on Eleonore, and it’s clear Java flaws are a key target of this increasingly common exploit pack.

Below are a few screen shots taken from the administration page of yet another working Eleonore Exploit Pack. The first image shows the exploits used by this pack, along with the number of times each exploit (“sploit”) succeeded in delivering malicious software payloads (or “loads”) to the visitor. In that panel, the “java2e” and “javae0” exploits are by far the most successful.

The exploits from this pack were stitched into a number of hacked or maliciously crafted porn sites, shown in the second screen shot. But just because you don’t surf porn doesn’t mean these exploit packs can’t touch you: many are stitched into more mainstream sites, such as those belonging to online stores and blogs. The exploit code does not care what the page is about; it only cares which vulnerable browser plugins the visitor exposes. I hope it goes without saying that readers should assume all of the sites pictured are still hostile and that you should *not* visit them unless you *really* know what you are doing.

It’s probably worth noting the overall browser stats for this particular exploit panel: a little more than 11 percent of those who visited these… err… booby-trapped Web sites were successfully hit with an exploit. At least with this group of exploit sites, nearly all of the visitors and victims appear to have arrived with some version of Internet Explorer. These stats should be taken with a grain of salt, because Eleonore’s visitor numbers always seem to contain statistical oddities that make them suspect at best. For example, according to these numbers, only 30 out of more than 20,000 visitors (about one and a half out of every thousand) reached the sites with some version of Chrome, Firefox or Opera.


67 comments

  1. Java hasn’t been installed on my computer for over three years and I have gotten along just fine without it.

  2. Not to be confused with JavaScript, which also must be tightly controlled. NoScript is great, but limited to Firefox-only browsing.

    I’d recommend installing Privoxy as the default HTTP/HTTPS system-wide proxy. In addition to being very effective at removing all ads/popups/etc., Privoxy also attempts to disable malicious JavaScript. Even better, chain Squid and Privoxy together to achieve greater speed, security and privacy, and to eliminate ads.

    There are many sites that tell you how to do this, along with the appropriate squid/privoxy configuration; here are a couple:

    privoxy.org/user-manual/config.html
    melvilletheatre.com/articles/squid-privoxy/index.html
    christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/

    An added benefit: you can ssh tunnel into this secure proxy from your smart phone or remote laptop using the command:

    ssh -p 22 -L 8080:localhost:3128 -l username host.name.or.ip.address -f -C -q -N

    This says: pass HTTP/HTTPS comms appearing on port 8080 on your smart phone (which must be set up with localhost:8080 as its proxy) securely encrypted over ssh to Squid on port 3128 on your home computer, which should be set up to pass on to Privoxy on port 8118 as a parent proxy, which handles the request and passes it back to you securely over ssh.

    Secure, private, fast browsing, uninterrupted by annoying ads, available to you anywhere. Personal computers should be set up to do all this robustly out of the box. They never will be for a variety of reasons, but it’s not too painful to achieve this goal yourself.
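The proxy chain the comment above describes, as an added configuration example that is not the commenter’s own: Squid listening on 3128 and handing every request to Privoxy on 8118 as its parent, with both bound to the loopback interface so the ssh tunnel is the only way in. File paths and the acl name are assumptions; adjust to your distribution. One caveat the comment glosses over: Privoxy filters plain HTTP only; HTTPS requests arrive as CONNECT tunnels and pass through it unfiltered unless you deploy its optional TLS inspection, which is not assumed here.

```conf
# --- /etc/squid/squid.conf (relevant lines only; added example) ---
# Listen on loopback only: the ssh tunnel (-L 8080:localhost:3128) is the only way in.
http_port 127.0.0.1:3128

acl loopback src 127.0.0.1/32 ::1
http_access allow loopback
http_access deny all            # never become an open proxy

# Hand every request to Privoxy; never fetch directly, even if Privoxy is down.
cache_peer 127.0.0.1 parent 8118 0 no-query default name=privoxy
never_direct allow all

# --- /etc/privoxy/config (relevant lines only; added example) ---
listen-address 127.0.0.1:8118   # loopback only, same reasoning as above
toggle 1                        # filtering on
enable-remote-toggle 0          # a web page must not be able to switch filtering off
enable-edit-actions 0           # ... or edit the action files through the web UI
```

To confirm the chain is actually in use from the tunnelled device, request http://config.privoxy.org/ through the proxy: that hostname is answered by Privoxy’s built-in status page and only resolves when the request really passed through it. Also check that `netstat` or `ss` shows 3128 and 8118 bound to 127.0.0.1 only.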

  3. Running untrusted code with a lot of powers is among the most dangerous activities you can ever attempt on the internet, even with a sandbox as good as the JVM. It is amazing, and a testament to Sun, that for a decade people have basically been getting away with it for this long. You cannot get away with running untrusted code for more than a few days with a typical runtime.

    However, it is still asking for trouble to make it part of the browser. Even if the Java spec were proven secure, there will always be implementation goofs. It’s best to make JavaWebStart/JavaFX be something that a user has to explicitly invoke like any other application, rather than quietly running stuff in the browser.

  4. But some sites that serve webinars use Java-based apps.

  5. Very wise advice. Haven’t had Java on any of my personal systems for years. Never looked back. It’s a completely different story at work where they use Java extensively due to many, many custom in-house designed Java apps. Along with password resets, Java issues are at the top of the list of workstation issues day in and day out. Not to mention servers that crash from Java heap dumps or high memory usage. We all loathe Java at work! But migrating to a different platform is cost prohibitive. 🙁

  6. I’d dump all of my Java stuff but my Chrome browser requires it for some reason (Ubuntu 10.04).

    Does anyone have a different experience?

    • Oops, correction needed: I’m currently running Ubuntu 9.04, not 10.04. I look forward to updating to 10.04 soon.

  7. @Brian
    “… most Windows users likely have multiple copies of this program on their PCs, due to the fact that older installers failed to remove previous, insecure versions of the software.”

    Not only that, but some applications (companies) _require_ the use of older Java versions.

    I support non-profits and several need to use Java for various online business applications. One day I got a call from a non-profit that had just switched to a new (major) online payroll processor, whose online application requires Java. They are running the latest version of Java, so no problem. However, the information from the payroll processor said their application _requires_ an older version of Java – a two-year-older version of Java. I communicated with their support person who stated that they _require_ the older version because that is the last one they tested with and they don’t test with every latest Java version. The kicker is that they will only provide support for their online payroll application if we are using the _required_ (older) version of Java. Well, I refused to roll back to a two-year-old version of Java, and so far their application seems to work with the latest version of Java, but I suspect we won’t be getting any support from them if a problem comes up.

    • You’d think that the overriding concern for security would prompt them to make the effort to update their software. After all, everyone is constantly nagging about how one needs to take the updates to stay secure. Why shouldn’t a software company do the same? Sounds a bit ‘flashy’ to me.

    • prairie_sailor

      I’d put the old version on a disk and if you run into problems install it only if the support rep asks what version of Java you’re using. And as soon as you’re done with support go back to the latest version. I used to work tech support and I’d get around the official support boundaries by not asking until I got to the point that something I was going to do would fail if the supported configuration was altered (rare). I’d also be writing to the management of the company complaining about lack of support for newer versions. Insist that if they don’t start supporting it you’re going to find another software to do the job and sue for a refund from them.

  8. It should be noted that NoScript has options to block Java, Flash, Silverlight and other plugins and other potentially dangerous elements. These blocks work just like the JavaScript blocks, allowing you to choose which sites are able to use these features.

    I need Java support for a few things, but running Fedora 13 (Linux), keeping my system updated and using NoScript, along with other protective measures, I really do not feel concerned about having the OpenJDK plugin on my system.

    Windows users running Secunia’s PSI will be alerted to any old Java versions that may be lingering on their systems, along with any other recognized vulnerable programs.

  9. I very much agree. Not only is Java useless on most computers, the update process is horrible which pretty much guarantees that less experienced users never update it. This is why I have been removing Java from the computers I help maintain. Unfortunately, some applications simply install Java without asking (preferably extremely outdated versions of course).

    • And Open Office is one program that requires Java, installing it if you don’t have it. Not recommended.

  10. We’re in contact with quite a lot of people who tell us they never use Java. We never use it either. We also know of lots of people who remove it from their systems. We’re also in contact with a lot of people who never use IE or Windows for the same reason, no advanced logic in play there either.

    It’s a shame something as promising as Gosling’s Java should fall into such disrepair and disrepute. Yet if most sploits target IE then the same paradigm should hold – you absolutely don’t need it, so junk it. Stats in general also show that most (if not all) sploits hit Windows, so the same paradigm should hold there as well, even if the community here would rather disconnect than follow through logically.

    The stats seem to show most visitors are using IE, and this might seem skewed, but it doesn’t have to be all that far fetched: security gurus such as Bruce S and Dan G have been warning people against IE for years – it’s inevitable that the more aware surfers should get a clue, whilst the noobs who don’t have a clue can be expected to visit the shadier side of the net, oblivious to the dangers that await them.

  11. A common “site” that uses Java applets is the Vista educational CMS that is used by many educational institutions. Then there are the many router and printer embedded management interfaces…

    It’s a bit funny to see someone recommend ditching Java before they recommend ditching Flash. Which one has the worst security record? Flash by far. And, importantly, Flash vulnerabilities usually seem to be a result of poor programming/architecture within Flash (e.g. buffer overflows) and aren’t reliant on a bad browser implementation. And what about Acrobat? High time to recommend ditching that and installing one of the other readers out there.

    Cleaning up the old JRE versions is a great idea though; hooray that they finally fixed the installers! It would be great to have better management features in the JRE as far as auto-update goes. But then, that goes for Adobe products too; so far as I can tell, there is no way to automate and force silent upgrades across many machines without using an expensive management server like SMS/ConfigMgr.

    • Lately, actually, Java has been much worse than flash. It has been a problem for quite a long time, but the exploits weren’t in the popular drive-by malware infection kits so it was flying under the radar–that has changed now and it’s open season on Java. As far as security architecture goes, it’s only been a few years since Sun changed the applet handler so that an applet couldn’t request to run under *any particular version of the runtime*. Ponder that for a minute–Sun designed an internet-facing sandbox in which the untrusted code could *choose* to run in an exploitable version of the sandbox. A similar issue cropped up in the JNLP handler. Both are now fixed (mostly, unless the bad guy has a signing key, or unless the user clicks “ok” on a security warning in certain cases) but the same sorts of issues keep cropping up. I have been watching this story unfold quite literally for years, and the only surprise is that it’s taken this long for the “ditch java” meme to get rolling. Sun has not taken security in the Java platform seriously, skating between “it’s fixed in the latest release” to “we don’t recommend people upgrade until they test their software on the new version” to “we don’t release security patches, only feature updates”. Something has got to give (and has, if you look at the malware stats).

      I also think that compatibility issues which make third party software vendors force users to stay on vulnerable JREs will sink the platform. At this point, if you’re not running the latest JRE and you use the internet, you will eventually get infected. If the person you’re buying your Java program from tells you that you can’t upgrade the JRE, ask them to indemnify you for the risk they are asking you to take. (You’ll never get them to agree, by the way.) It’s probably easier for them to redesign the application (using pure HTML/JS) than to figure out how to support the JRE merry-go-round.

      • prairie_sailor

        I think the better way to get to these developers is to hit them in the wallet – if they won’t fix their software to run in the latest JRE make them refund your money for forcing you to use an out-of-date, insecure version and tell them that you’re going to find a different software that does care about security.

        • That’s the ideal solution, but the people choosing the software rarely seem to care about this sort of thing. There often aren’t many competitors, and those that do exist are usually just as bad. The people most affected (e.g., students forced to use some lousy java app at their college) have basically no leverage. It’s a mess.

          • prairie_sailor

            I wonder if there is something in the laws that would allow a person/organization to sue to recoup losses. I know the licence agreements block nearly all paths of getting anything out of a software vendor. But I wonder if there is an implied reasonable expectation of security that could be used as leverage? I think that falls under failure of due diligence if I recall my security college class from a few years ago correctly. Any law-savvy people here want to comment? I think the only way to wake some of these companies up is to make them lose money in one way or another.

  12. My Opera browser has Java disabled and Secunia PSI doesn’t flag any other app. Can I assume that no other app like IE, Chrome, etc., has it embedded?

    I only use IE8 for MS updates.

  13. Question for anyone: Would opening the Java control panel, clicking on the “Java” tab, clicking on “view” (to open runtime environment settings), and then unchecking the “enable” box under both the “user” and “system” tabs accomplish the same thing–albeit temporarily–as “junking” Java entirely?

  14. Ditch Java? Really? Are you getting a kickback from Adobe, Microsoft or both? You might as well ditch your Flash Player, Internet Explorer, Windows, IIS, etc…

    Think things through before you write them down.

    • Drew:

      Why don’t you read carefully and think before you post.

      BK says to ditch Java (and other susceptible programs) – IF YOU DON’T USE THEM.

      Maybe you missed the name of the blog, it’s: “Krebs on Security.”

    • Drew,

      I take it you use Java for specific applications? My blog post was meant as a prompt for those who have no use for it. Maybe you can share what you use Java for?

      Bk

  15. I have Java pretty much only for Open Office, but I just discovered it is apparently optional for OO: http://wiki.services.openoffice.org/wiki/Java_and_OpenOffice.org.

    Maybe I will consider not installing it next time around.

    • Rob,
      Wow, that’s great news, thanks for posting it. OpenOffice is the one application I really like that I thought required Java.

  16. Until there is a sufficient replacement for Java, suggesting people dump it is just retarded IMO.

    I cannot count all the things you need Java for. It is true that older versions of Java can be exploited, but it is very easy to fix this problem using a little-known program called JavaRa (look it up), or you could go and just uninstall all but the latest version of Java manually.

    @Brian
    You don’t even mention that those exploits don’t necessarily target Java, the software; they could target any program and be written as Java code, so that programs that run Java scripts will run this malicious Java code in order to do hacker things, from getting command-mode access to downloading a Trojan to launching a hidden IE to some random web site which has other exploits on it.

    It’s true that if you didn’t have Java you won’t be vulnerable to Java exploits, but you could just disconnect yourself from the internet and you will be immune to all online threats.

    Uninstalling Java because it is possible to exploit this program and write exploits in Java is retarded. If you use your computer at all you 99% need Java installed; it even comes with Windows!

    • Suggesting people dump a highly targeted program if they’re not using it is “retarded”? I would argue just the opposite, and I think I have.

      It’s not like people can’t just reinstall Java if they find later that they have a need for it. You act like I’m telling people to renounce their citizenship or something.

      What’s your argument? Tell us what you use Java for? You obviously can’t do without it.

      But I assure you the exploit kits are targeting very real vulnerabilities in Java, including the one Oracle/Sun patched in April. You can always download an older version and visit one of those sites listed in the blog post if you’d like to investigate further 😉

      • I may have sounded a bit aggressive, but I did not mean it; it isn’t the point anyway. I only wish to learn and possibly benefit others who read the blog.

        How about JDownloader, Quake Live and many other things that do require Java? I do not spend time checking what on my computer has a Java requirement.

        Java comes with Windows and there is a reason for that, and though I have never tried going to the Windows Update website, for example, without Java, I suspect it will send me to install it.

        • QQ:

          What reason does Microsoft have for including Java with Windows? Do you know or are you just guessing?

          All kinds of junk comes with Windows, and the computer manufacturers add a lot more, unless you buy a naked machine. That doesn’t mean that those programs are needed by the user. Sometimes the reason is purely economic, for example.

          A computer savvy person will delete every program that they don’t use.

          • I’m not sure of the reason, but any XP installation comes with it, and as a UNITE member when I cleaned malware I had to take it into consideration and was instructed to remove it with JavaRa and install the latest Java version, as the agreed solution given in the MVP-managed forum. Vista and 7 don’t come with Java.

            As for deleting anything you don’t use, it’s sound advice, but I already do that; there’s nothing I don’t need, and I use Open Office too, and as Rob said it too requires Java.

            Any argument about this issue is pointless; I suppose some people don’t need Java, so let them uninstall it and be happy ever after. I do not see uninstalling Java as practical advice, and I’m fairly certain that I’m not the only person in the world with this opinion.

        • Ahem! The last version of Windows that included Java was the initial release of Windows XP (before any service pack). And it included MS Java, Microsoft’s version that was deep sixed after Sun successfully sued them. After that the ONLY version of Java on a Windows system may be a version of Sun (now Oracle) Java that an OEM installed.

          And no, Windows Update or Microsoft Update will NOT in any way attempt to install Java, nor do they need it to function. They only require ActiveX controls which is why they only work with IE.

          Respectfully, your comments may be taken more seriously if you knew what you’re talking about.

          • Cool, you can Google. It is correct, but it did come with XP at some point and it shouldn’t be ignored, and I’m fairly certain I installed XP SP3 and it had Java on it, but I never checked.

            The fact that sun sued MS is relevant how?

            I don’t need you to take my comments seriously. I haven’t said anything which wasn’t true here, and just because some people tagged it with a red thumb doesn’t mean I shouldn’t be respected; even if I’m wrong, we are just having a discussion.

          • prairie_sailor

            @QQ
            Microsoft did write a Java substitute called the Microsoft Virtual Machine – but because it stepped on Sun’s copyrights and trademarks, Sun successfully sued to have it removed. Now any time you find Sun on a computer it is ALWAYS installed by the computer manufacturer or the end user. Never by Microsoft.

  17. The National Weather Service uses Java for their animated satellite, radar and weather maps. I would have hard time living without it as I am a big weather geek and use them many times a day.

    • Intellicast has some excellent maps, although they require Flash Player. 🙂

      • Weather Underground has interactive, animated maps that work without Java or Flash. 😉

        • True. I did use their maps until I came across Intellicast. Their full screen interactive weather map is the bomb, HD, high resolution with all kinds of features. They recently added a map of the gulf oil spill (enable under “Overlays” in the upper right). I still use Weather Underground for severe weather alerts and overall forecast though. 🙂

  18. The Wall Street Journal crossword puzzle requires Java. This is why I have it installed on my PC.

    • It’s a trade off. Is the crossword puzzle worth the security risk that Java may cause to your system? It’s the same thing for me with Flash Player, which I choose to use. Although, Flash Player doesn’t have nearly the risk that Java does, nor the bloat or multiple installed version issues, and can be easily and quickly disabled. So, I feel the risk to benefit ratio is acceptable. Can’t say the same for Java though. For me, there is nothing worth the risk of having Java installed. If something requires it, I move on and find an alternative that doesn’t. That’s something that each person will have to make an educated decision on. 🙂

      • My wife likes to play several games on a site called Think.com that requires JAVA. She also likes to watch TV episodes on Hulu, which requires flash. So instead of allowing these plug-ins on her main system, which she uses to run her business, I created a VMware virtual machine that she uses for entertainment purposes. Even in the virtual machine, all programs that connect to the Internet run untrusted in a DefenseWall HIPS sandbox.

        • P.S. My wife’s company does absolutely zero on-line banking, thanks in very large part to Brian’s enlightening articles.

  19. I think Krebs’ advice of ditching Java if people do not use it has all good intentions. Unfortunately,
    it is not easy to judge whether one needs Java or not, especially for the average user with not much knowledge of computers, software, etc. Personally, I use LogMeIn to access my computers remotely, which requires the Java Runtime. Also, sometimes I come across applications or web sites that require Java that I am not aware of. Thus, ditching Java seems a bit radical, and some comments have expressed that: like better to unplug from the internet, so one is all safe. It is more than clear that using the internet is the Wild Wild West, the largest anarchy experiment ever created.
    There is danger of being hacked through Flash, Java, IE, etc., but we need to use the internet; sometimes it is essential.
    It is better to be up to date with the OS, applications, etc., and check alerts like this stupendous blog.

  20. After a nightmare trying to update to JRE 1.6.0.19, only to read a few days later about another exploit in Java, it was off my Dell. Still surfing the web, no problems so far; 80GB drive, five years old, no OS reinstalls in that time, with 90% free space on the hard drive. As Brian says, lower your attack surface area: if you do not need it, uninstall it. Be a software minimalist, you know it makes sense.

  21. I got burned a few years ago when I saw all the outdated versions of Java on my PC that had not been uninstalled and decided to uninstall them manually. One of them was the MS Java that came with XP.

    What I didn’t realize was that because of the Sun litigation, MS was no longer making it available. When I found some websites I used regularly were crippled, I was unable to download another copy. I had to deal with semifunctional websites until they finally migrated away from requiring MS Java. (And forget trying to convince their Microsoft fanboy webmasters that they should reconsider their commitment to an obsolete Microsoft product; they all broke into the “It’s the industry standard” song in 4 part harmony any time I tried. I’m coping with the same issue now with a work-related web application that requires IE 6.)

  22. Hi Brian I really don’t think java is needed!
    I’m sure all it does is sit in the Program Files and do nothing.

    Mark2

    • Brian

      Here’s a question: is Java on all of the other systems that I own?
      I checked Windows7x64 and can’t find anything that says Java.
      Also got Linux
      Win7 x64
      Vista64
      Winxp-pro x86
      I think i got enough Systems…………….Mark2

  23. Brian
    I know I need JavaScript, but most of the time Firefox with NoScript takes care of it.
    I mainly need it for Web sites, that’s all.
    ABOUT THE XP PATCH
    I went to SP3, no problems; I think it’s faster.
    I answer a lot of questions on a few Q&As.
    The diehards that use XP are still trying to hang on to the old SP2.
    I use a lot of plugins like NoScript, NoRedirect and
    JavaScript Deobfuscator for checking live JavaScript.
    Security is what I try to pass along to the novices and some old timers. I do talk to a lot of ethical hackers that are trying to bring the name hacker back, or take the name back to stand for the good guys. Mark2. Brian, surf safe out there.

  24. Back when I had time to phry phish with the now-defunct PIRT Squad, we used a couple of sandbox techniques from which to do all surfing. If you must use IE, take a look at Sandboxie.

  25. I’ll grant you this BK, the universe needs a recognizable junk pile. Whether software is the ‘next big thing’ or vile malware it is all offered as ‘must have’.

    Software should be acquired and disposed of as ‘can use’.

  26. I used to like this blog, but this story and the story about the 100k$ Mac really made me reconsider; they are on the border of ridiculous.

    It won’t surprise me if Brian Krebs is being paid by Apple, as he basically goes against Java 3 days or so after Steve Jobs brought it up in some lecture, and it is not like security issues with Java were unknown to mankind. Stories like this are made by people who are so paranoid of hackers, to a level that they will hurt their own pleasure from the PC as a home user; you might as well run with Online Armor, AppGuard and a few others like this, so your PC fun time will involve clicking OK and entering passwords for every file that enters the memory.

    Java plays a role in the development of the internet; without it, it wouldn’t be the same.
    Next time you can suggest everybody go back to dial-up modems so botnets aren’t a threat anymore… or never play any online games because your password can be stolen with trojans… or stop going on the subway to screw the subway company.

    • @ “QQ”

      It’s very easy to hide behind a pseudonym and slander someone you don’t know anything about. If I were the webmaster, I’d ban you from posting on this site. And, no, Brian didn’t pay me to post this.

      • I can assure you I would say the same things in person; I’m not hiding from anybody. You didn’t even read what I wrote.

        You are also behind a pseudonym are you not? what exactly are you saying here?

    • QQ, it would serve you much better to be more cordial here. I don’t understand why you’re taking things so personally. Because many don’t agree with your opinion and have given your posts poor ratings? It’s happened to me at times. You have to move on and respectfully agree to disagree. Besides, no one is saying you can’t use Java if you have a need for it. The entire premise of the post was to say get rid of it IF you don’t need it, something many of us have been able to do.

      I too have had times where I’ve been disappointed with the content on this blog, but you have to respect it is Brian’s blog and that he continues to allow us to post comments and have lively debate, debate that should remain respectful and free of personal attacks. 🙂

      • Thing is, I don’t take it personally at all; one of my goals was replies from Brian and you, as it is really interesting to see what you say on the technical level without smirking cliché remarks about pseudonyms.

        I just want to know the real reason so I keep up with the security since its a subject that frequently changes.

        Besides, a bit of argument with different perceptions is challenging and interesting, don’t you agree?
        I base mine on experience which is rather specific for pretty much removal of malware and general security from forum admin position.

        And @Brian, I’ll check what you linked later, but it sounds better than your previous reply.

    • QQ — Those are some pretty serious allegations. The idea that Apple would pay me to do anything or that I would take their money is laughable.

      I think readers who have been following my work not just here but when I was at The Washington Post will tell you that I have had no love for Java, and have frequently urged people to do without it if they think they can, rather than deal with what has traditionally been one of the more complex and opaque update processes among any widely-used software packages today. Sun (now Oracle) has long served mainly the corporate environment, and over the years has been slow to acknowledge that it has a massive install base among regular end users.

      If you’d care to review my record on Java, I’m confident you’ll find that what I’m saying here is true.

      http://krebsonsecurity.com/?s=java&x=0&y=0

      http://voices.washingtonpost.com/cgi-bin/mt/mt-search.cgi?search=java&blog_id=66&MaxResults=100

    • I run Java and I’m pretty horrified at what you’re saying. IMO your comments have been hammered (I have not) because of your inability to play with others and not for lack of technical expertise. You may be a very smart person but it counts for naught if you can’t play with others.

  27. Whatever I learn about security issues on the web is thanks to you, Brian. And that means a great deal is learned…

    Correct me if I’m wrong, but doesn’t Secunia PSI, that useful monitor, require Java to function? If not, I would appreciate your guidance. It does seem a shame to lose the usefulness of PSI, but I gather having Java on one’s system is just not a good option.–David

  28. I have Java installed, but disabled it in both Chrome and IE8. I really can’t think of a use that I have, at least at the moment, for Java. The only site I know of that requires it is a photo site, but I think it’s only to launch a song in the background, something that I really don’t want/need.

  29. As a couple of readers have pointed out, it seems I’m not alone among those now suggesting people simply uninstall Java if they don’t have a use for it.

    Java Exploits on the Rise
    http://www.sophos.com/blogs/sophoslabs/?p=9974

    Twitter Attack
    http://www.f-secure.com/weblog/archives/00001954.html

  30. Um… My bank uses java for online banking.

    What should I do?