January 12, 2013

On Thursday, the world learned that attackers were breaking into computers using a previously undocumented security hole in Java, a program that is installed on hundreds of millions of computers worldwide. This post aims to answer some of the most frequently asked questions about the vulnerability, and to outline simple steps that users can take to protect themselves.

Update, Jan. 13, 8:14 p.m. ET: Oracle just released a patch to fix this vulnerability. Read more here.

Q: What is Java, anyway?
A: Java is a programming language and computing platform that powers programs including utilities, games, and business applications. According to Java maker Oracle Corp., Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices. It is required by some Web sites that use it to run interactive games and applications.

Q: So what is all the fuss about?
A: Researchers have discovered that cybercrooks are attacking a previously unknown security hole in Java 7 that can be used to seize control over a computer if a user visits a compromised or malicious Web site.

Q: Yikes. How do I protect my computer?
A: The version of Java that runs on most consumer PCs includes a browser plug-in. According to researchers at Carnegie Mellon University’s CERT, unplugging the Java plugin from the browser essentially prevents exploitation of the vulnerability. Not long ago, disconnecting Java from the browser was not straightforward, but with the release of the latest version of Java 7 — Update 10 — Oracle included a very simple method for removing Java from the browser. You can find their instructions for doing this here.

Q: How do I know if I have Java installed, and if so, which version?
A: The simplest way is to visit this link and click the “Do I have Java” link, just below the big red “Download Java” button.

Q: I’m using Java 6. Does that mean I don’t have to worry about this?
A: There have been conflicting findings on this front. The description of this bug at the National Vulnerability Database (NVD), for example, states that the vulnerability is present in Java versions going back several years, including version 4 and 5. Analysts at vulnerability research firm Immunity say the bug could impact Java 6 and possibly earlier versions. But Will Dormann, a security expert who’s been examining this flaw closely for CERT, said the NVD’s advisory is incorrect: CERT maintains that this vulnerability stems from a component that Oracle introduced with Java 7. Dormann points to a detailed technical analysis of the Java flaw by Adam Gowdiak of Security Explorations, a security research team that has alerted Java maker Oracle about a large number of flaws in Java. Gowdiak says Oracle tried to fix this particular flaw in a previous update but failed to address it completely.

Either way, it’s important not to get too hung up on which versions are affected, as this could become a moving target. Also, a new zero-day flaw is discovered in Java several times a year. That’s why I’ve urged readers to either uninstall Java completely or unplug it from the browser no matter what version you’re using.

Q: A site I use often requires the Java plugin to be enabled. What should I do?
A: You could downgrade to Java 6, but that is not a very good solution. Oracle will stop supporting Java 6 at the end of February 2013, and will soon be transitioning Java 6 users to Java 7 anyway. If you need Java for specific Web sites, a better solution is to adopt a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Q: I am using a Mac, so I should be okay, right?
A: Not exactly. Experts have found that this flaw in Java 7 can be exploited to foist malware on Mac and Linux systems, in addition to Microsoft Windows machines. Java is made to run programs across multiple platforms, which makes it especially dangerous when new flaws in it are discovered. For instance, the Flashback worm that infected more than 600,000 Macs wiggled into OS X systems via a Java flaw. Oracle’s instructions include advice on how to unplug Java from Safari. I should note that Apple has not provided a version of Java for OS X beyond 6, but users can still download and install Java 7 on Mac systems. However, it appears that in response to this threat, Apple has taken steps to block Java from running on OS X systems.

Q: I don’t browse random sites or visit dodgy porn sites, so I shouldn’t have to worry about this, correct?
A: Wrong. This vulnerability is mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.

Q: I’ve read in several places that this is the first time that the U.S. government has urged computer users to remove or wholesale avoid using a particular piece of software because of a widespread threat. Is this true?
A: Not really. During previous high-alert situations, CERT has advised Windows users to avoid using Internet Explorer. In this case, CERT is not really recommending that users uninstall Java: just that users unplug Java from their Web browser.

Q: I’m pretty sure that my Windows PC has Java installed, but I can’t seem to locate the Java Control Panel from the Windows Start Menu or Windows Control Panel. What gives?
A: According to CERT’s Dormann, due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Q: I can’t remember the last time I used Java, and it doesn’t look like I even need this program anymore. Should I keep it?
A: Java is not as widely used as it once was, and most users probably can get by without having the program installed at all. I have long recommended that users remove Java unless they have a specific use for it. If you discover later that you really do need Java, it is trivial and free to reinstall it.

Q: This is all well and good advice for consumers, but I manage many PCs in a business environment. Is there a way to deploy Java but keep the plugin disconnected from the browser? 
A: CERT advises that system administrators wishing to deploy Java 7 Update 10 or later with the “Enable Java content in the browser” feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
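For administrators deploying to a Windows fleet, the following PowerShell script is an added example (not code from the article, CERT or Oracle). It runs the installer with the WEB_JAVA=0 option, locates javacpl.exe in the two jre7\bin folders named above, and audits each profile's deployment.properties. It assumes the installer path is a placeholder you replace, and that the "Enable Java content in the browser" setting is stored as the deployment.webjava.enabled property in deployment.properties.

```powershell
# Added example: deploy Java 7u10+ with the browser plug-in disabled, then audit
# the local machine. Not from the article, CERT or Oracle.
param(
    # Placeholder installer name; substitute the real Java 7u10+ installer.
    [string]$Installer = 'C:\Deploy\jre-7uNN-windows-i586.exe',
    [switch]$Install
)

function Install-JavaWithoutPlugin {
    param([string]$Path)
    # /s = silent install (JRE installer switch); WEB_JAVA=0 = leave the
    # "Enable Java content in the browser" feature disabled.
    $p = Start-Process -FilePath $Path -ArgumentList '/s', 'WEB_JAVA=0' -Wait -PassThru
    return $p.ExitCode
}

function Find-JavaControlPanel {
    # The two locations the article names for javacpl.exe. On a 32-bit OS the
    # ProgramFiles(x86) variable is empty, so it is skipped there.
    $roots = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Java\jre7\bin\javacpl.exe'
        if (Test-Path $exe) { return $exe }
    }
    return $null
}

function Get-DeploymentPropertyFiles {
    # Assumed locations: a machine-wide file under %SystemRoot%\Sun\Java\Deployment
    # (if an admin created one) plus the per-user file in every profile's LocalLow.
    $files = @("$env:SystemRoot\Sun\Java\Deployment\deployment.properties")
    $files += @(Get-ChildItem -Path "$env:SystemDrive\Users" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties' })
    return $files | Where-Object { $_ -and (Test-Path $_) }
}

function Test-WebJavaDisabled {
    param([string]$File)
    # Java properties files are key=value lines; '#' starts a comment line.
    # Assumption: the plug-in switch is stored as deployment.webjava.enabled.
    $lines = Get-Content -Path $File | Where-Object { $_ -notmatch '^\s*#' }
    return [bool]($lines -match '^\s*deployment\.webjava\.enabled\s*=\s*false\s*$')
}

if ($Install) {
    $code = Install-JavaWithoutPlugin -Path $Installer
    Write-Host "Installer exit code: $code"
}

$cpl = Find-JavaControlPanel
if ($cpl) { Write-Host "Java Control Panel found at: $cpl" }
else      { Write-Host "javacpl.exe not found in the usual jre7\bin folders" }

$props = Get-DeploymentPropertyFiles
if (-not $props) { Write-Host "No deployment.properties found; Java may be absent or never launched." }
foreach ($f in $props) {
    $state = if (Test-WebJavaDisabled -File $f) { 'browser plug-in DISABLED' } else { 'browser plug-in ENABLED or not set' }
    Write-Host "$f : $state"
}
```

Run it without -Install to audit an existing machine; a profile reported as ENABLED is one where the plug-in can still be reached from a browser.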

Q: Okay, I think I’m covered on Java. But what about Javascript?
A: Because of the unfortunate similarity of their names, many people confuse Java with Javascript. But these are two completely different things. Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser. It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

Chrome also includes similar script- and Flash-blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as NoScript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted. In addition, there is a very handy add-on for Chrome called NotScripts that works very much like NoScript.

Selective script blocking can take some getting used to. Most script-blocking add-ons will disable scripting by default on Web sites that you have not added to your trusted list. In some cases, it may take multiple tries to get a site that makes heavy use of JavaScript to load properly.

Internet Explorer allows users to block scripts, but even the latest version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can select among JavaScript on, off, or prompting you to load JavaScript. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below). The lack of a simpler approach to script blocking in IE is one of the main reasons I continue to steer readers toward Firefox and Chrome.


73 thoughts on “What You Need to Know About the Java Exploit”

  1. Tim Sanders

    Thanks very much for cooperating in the effort to keep our browsers safe yet offer alternatives to enable those of us who use interactive sites and video sites on a regular basis. Your information is concise and clear and of great use if it works (I have not tried to install Chrome or Firefox on my Mac, although past attempts with Firefox led to massive problems). If you could follow up with any help for us not so computer literate Mac users on just how with a step by step procedure or a site referral that does so for each and every browser that would be great. I ask only because what is said in your article is often as a matter of course contradicted by other authors either through negligence or incompetence and results in more problems for the novice user. But again, THANKS! Mr. Krebs. Much appreciated.

      1. Nicholas Weaver

        {Reposting the idea as a reply}: However, unplugging is now less important (if you NEVER use Java, you should. But if you are forced to use Java, things are now much better): The patch also did a big change so that the JVM prompts on ALL Java applets: if the user doesn’t say ‘yes’, the applet never starts running.

        So although there are undoubtedly a ton of zero-days still lurking in the Java sandbox, it’s now far less useful for attackers to find them, because Java is structured such that signed applets, with a similar (and only slightly scarier) user prompt, already have full user privileges.

        So there is no longer a benefit for finding zero-days, as they can no longer be used for unprompted attacks, and if you can get the user to accept your prompt, why bother with a zero-day when you can just use signed Java?

  2. Bill

    Great article. A couple of questions. I have Java Quick Starter in my Firefox extensions. I disabled it some time ago, but wonder what it does.

    I also have Java Deployment Tool Kit in my FFX plugins, and wonder about what it does. Can it also be disabled?

    I assume Java installed these two items without asking whether I wanted them. I also suspect they will be re-enabled when I upgrade to Java 7.

    Thanks for all the work you do to protect us.

    1. WD

      Java Quick starter is supposed to improve the launch time of Java:

      The Java Deployment Toolkit extension can be used to launch Java applets, and is therefore one of the several attack vectors for Java vulnerabilities.

  3. Rick

    Thanks for your good work.

    In all of the info about this exploit, there is minimal explanation of how to check if you are ”infected”. (This is a common issue: there is some big exploit out there, but nobody says “This is how you check your computer to see if you are infected.”)

    I have current MS updates installed, plus using Secunia Personal Inspector, plus current Microsoft Security Essentials.

    Is there any way to check if a computer has been affected by this exploit?

    Thanks.

    1. JCitizen

      Typically when you’ve been a victim of a “drive by” like this, you will notice the effects; but the bugs are getting smarter, and you won’t necessarily recognize anything directly out of the ordinary.

      Usually the bug will block access to security related web sites, like Symantec, Avast, Avira, etc. They can also disable features on the Windows system like Control Panel, or a subset of such features. I just got done fighting a bug that shuts down the IDE controller on the optical drive and attempts to flash the firmware on said drive, if it has a match, or the drive has firmware at all.

      The only quick way I know for sure, is to do a boot scan of the system with Kaspersky’s Rescue 10 CD (If your drive is still operational – if not – try Hiren’s boot “CD”-actually a locked USB dongle). Try to burn it on a verifiable clean machine. This will get rid of most of the serious threats, MBR bugs, and root kits – but it won’t get rid of them all. A follow up with MBAM is the next step – however – if you find anything right off the bat with either of these, and you have critical infrastructure or other business related concerns; it may be prudent to wipe and re-install the drive OS and recover from an older backup. I always scan the backup files with Avast to assure they aren’t obviously infected as well. Keep in mind that even this occasionally (but rarely) does not get rid of malware hiding in the sectors of the hard drive marked as bad. See an IT professional to get rid of this problem; or replace the drive. Also keep in mind that in rare occasions any chip in the computer could possibly be flashed and infected by malware/firmware replacements – this could include the Bios, PCI card, GPU chipsets, drive controllers, etc., etc. – you will be re-acquired and infected all over again, if this is the case. It can be very vexing indeed! 🙁

      There is no accounting for zero day threats though. Even Kaspersky can be a day or two late occasionally. Prevention and a good in-depth defense is the best policy. A good HIPs utility can usually detect these kinds of file manipulations – just getting the alert, even if it is too late, is worth a pound of cure!!!

    2. Eric

      I don’t think so, because I think this is a particular vulnerability, a route to infection rather than an infection. What is put on as “the infection” is a matter of the payload chosen by the person or persons utilizing the exploit for this vulnerability.
      You can check and see if you’re vulnerable, but the only way to see if you’re infected is through the use of security software, Anti-Virus, Anti-Malware, etc.

  4. john

    This article is great. I told a few of my friends they should disable java and they just came up with excuse after excuse even though they don’t know much about computers.

    After pointing them to this article they all disabled java.

  5. Jeroen van Hoof

    Brian,

    Thanks for the clear description.
    Question: is only Oracle Java impacted? How about IBM Java?

    Jeroen

  6. Rabid Howler Monkey

    With regard to the difference of opinion between CERT and the National Vulnerability Database (i.e., NIST) on the vulnerability of Java SE versions prior to Java SE 7, inspection of the NIST link in the article indicates that Java SE 6 Update 35 and previous versions are vulnerable. Java SE 6 is currently at Update 38 and, therefore, would not be vulnerable.

    Thus, for Java SE 6 users, the safe thing to do is ensure that you are running Update 38, and if not, update your Java to Update 38 from Oracle’s download site:

    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    P.S. 1 Am not taking sides on the CERT NIST dispute.

    P.S. 2 Given that Oracle has been automatically migrating its Java SE 6 users to Java SE 7 starting as far back as November, 2012, it would appear that the miscreants may have timed their attack with this Java SE 7 exploit such that most Java SE users have the vulnerable version installed on their PCs. If true, then this whole thing could be characterized as an ambush. All the miscreants had to do was wait for Oracle to mostly complete the automatic migration of its Java SE 6 users to SE 7.

  7. Bill

    Using Firefox with the IcedTea-Web plugin that executes Java applets. No Adobe Java at all as far as I can tell (Linux system). Is this configuration vulnerable to the recently found Java exploit?

  8. Mark

    After reading all of this, I uninstalled all things Java from my PC completely. From what I understand, it appears that Javascript is not a problem. Is there an easy way to reinstall just that without downloading the new, bad Java?

    1. Andrew

      You don’t have to “reinstall” javascript. Java and javascript aren’t related in that way – javascript is parsed by your web browser, not Java

  9. Kolth

    In my system I have OpenJDK Java 7 and the corresponding IcedTea Web control panel. Are these open versions of Java susceptible to the same vulnerabilities as Oracle’s Java?

    1. Eric

      I’m still trying to determine that myself. The Cert advisory says Oracle Java 7, but look at this from the OpenJDK site:
      “If you came here looking for Oracle JDK 7 product binaries for Solaris, Linux, Mac OS X or Windows, which are based largely on the same code, you can download them from java.oracle.com.”
      The part that worries me is the “…which are based largely on the same code”.

    2. WD

      Redhat has confirmed that OpenJDK is affected. Part of the confusion of whether or not it was affected is because 1) The exploit takes advantage of more than one weakness in Java to achieve code execution. 2) The PoC sample is crafted to work with Oracle Java, but the fact that it doesn’t work with OpenJDK doesn’t mean that OpenJDK isn’t vulnerable.
      https://bugzilla.redhat.com/show_bug.cgi?id=894172

  10. Michael

    Does this vulnerability apply to Android phones, which are java-based? I assume not, since I have not heard about that, but thought I’d ask. Excellent coverage of this serious issue, as always, Brian!

  11. Sam

    I don’t see any disabling option in safari browser in iPad, how do I disable it in iPad and mobile devices?

  12. Vee

    Not to further complicate things, but it should be noted that the Developer Previews of Java, like those found here http://jdk7.java.net/ (7 Update 12 right now) are just as vulnerable I’d imagine. But average user wouldn’t be using them anyway and those who do already keep up with Java news.

    Side note, I think everything should be treated like it has a zero day. Either the exploits that only a few know or the exploits that eventually come out like this latest one, they exist all the same whether you know about them or not and they will be discovered and used. That’s exactly why Krebs just recommends disabling/trashing them all together. I hope the average user will start getting that they’re just living in between “all clear” sirens and keep Java and a few other plugins disabled after this.

  13. James Edward Lewis II

    Long ago I switched from NotScripts to ScriptNo (now known as ScriptSafe), which was less taxing on the browser, easier to configure, and updated much more frequently; then again I haven’t checked the status of NotScripts lately…

  14. Robin

    very detailed and pretty useful article to know about this recent java vulnerability. thanks for the great write up adam.

    Robin.

  15. Hank Arnold (MVP)

    Brian, I’ve admired and referred your articles many times on my blog and FB page, but this is simply the best description of, and actions to take, bar none, of Java and the latest exploits I’ve seen to date. Kudos and thanks for all your support

  16. Din5dale

    “Din5dale” long time reader, first time commenter 🙂

    Great work as usual Brian.

  17. JohnP

    For desktops disabling Java is relatively simple. It is clear when you **need** it or not.

    But for servers, the decision is not as clear. Almost all our services are only available once inside the company firewall, so I’m not as worried about any java-based attacks, except our webmail solution is built on java. I can’t really just disable it. Since it is a package, disabling that may also disable all IMAP client access too – not good.

    I’m certain that the MTA doesn’t need java. Inbound SMTP email goes through a front-end server before being forwarded to the real box. MTAs do not really help much for end-users reading email.

    Thoughts? Suggestions?

    1. WD

      The vulnerability affects Java Applets (viewing web content), not Java Applications.

  18. AllenP

    Has anyone determined if EMET would be useful in situation like this?

    1. JCitizen

      I should; but how do you configure it properly? That is the question.

    2. WD

      It absolutely does not. It’s not a memory corruption bug, so EMET will not help.

      1. JCitizen

        Good to know WD – I have a feeling Secunia PSI is our best defense for those of us that have to use Java 7. We just have to be careful until the patch, if one ever comes!

  19. StuartJ

    Looks like Java 7 update 11 has been released. Presumably addresses the update but can’t see release notes. Thanks for the good article though – revising our policy on Java now based on this.

    1. Din5dale

      Thanks, link to rel notes for Java SE 7 u 11: http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

      D/l link: http://www.oracle.com/technetwork/java/javase/downloads/index.html

      Oracle Security Alert for CVE-2013-0422 http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

      “The fixes in this Alert include a change to the default Java Security Level setting from “Medium” to “High”. With the “High” setting, the user is always prompted before any unsigned Java applet or Java Web Start application is run.

      These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.”

      i’m no expert but this sounds like a temporary workaround (Quelle surprise!!)

  20. Luca

    Q: I’m using Java 6. Does that mean I don’t have to worry about this?

    There are two different issues involved in this attack. (a) MBeanInstantiator affecting Java6 and Java7 and (b) Reflection API abuse affecting Java7 only

    That’s the reason for such a confusion. Btw, Adam Gowdiak confirmed it – being a world-class security expert for Java we can just listen to him and agree.

    Q: I am using a Mac, so I should be okay, right?

    If you have installed Java using Apple’s bundle (e.g. going to Terminal, typing “java” and clicking “yes, install Java”) – then the exploit discovered in the wild won’t work on your machine. Apple’s bundle does not include MBeanInstantiator. Instead, if you have installed the official Oracle Java7, then yes…go and update.

    @_ikki

  21. Bill

    Hi – Great article.

    I think that I was actually infected due to this vulnerability. I was able to revert my computer to a previous date using the standard Windows7 built in System Restore functionality. After I restored, I ran Microsoft Security Essentials and it found some Malware and cleaned it. I did this about a week and a half ago and things have been fine.

    Do you think that this is sufficient or should I reformat the drive?

    Also, do you think that I should change all of my passwords?

  22. Erik

    If Java is uninstalled or disabled on a PC or Mac, but Java is enabled in a web browser, is the computer still vulnerable?

    1. Eric

      Erik, I don’t think it would be possible to be in the configuration you describe. If you have uninstalled or disabled it, it’s not possible that it would be available in the browser. Javascript, yes, but as has been said that’s a different thing.

  23. Peter

    Often when you run the “Do I have Java” it says you have an older version installed. But there is no Java entry in Add/Remove Programs to remove it. I do not know of any Java “cleaners” so maybe the safest is to install latest version and use the new disable (in all browsers) capability.

    1. Din5dale

      JavaRa http://singularlabs.com/software/javara/

      “JavaRa is an effective way to deploy, update and remove the Java Runtime Environment (JRE). Its most significant feature is the JRE Removal tool; which forcibly deletes files, directories and registry keys associated with the JRE. This can assist in repairing or removing Java when other methods fail.”

      Recommended.

  24. Tom

    What is the benefit of the two-browser approach? If the goal is to avoid accidentally visiting an untrusted site with Java enabled, it’s easier and safer to just enable Java on a per-site basis (e.g., in Firefox, http://support.mozilla.org/en-US/kb/how-to-use-java-if-its-been-blocked?esab=a&s=enable+java&r=15&as=s).

    If you run a malicious applet in Browser A, then the attacker gets to execute arbitrary code on your machine. That means your cookies and history in Browser B — and any other data on your computer — are no safer than your cookies and history in Browser A.

    1. BrianKrebs Post author

      The idea behind a 2-browser approach is that you are not just browsing the Web with the browser that has Java enabled. You’re using it only to access those sites that require it. The one without Java plugged in is the one you browse the Web with.

      1. Tom

        How is that better than using a single browser and only enabling Java when visiting those sites that require it?

        1. BrianKrebs Post author

          Most mere mortals surfing the Web aren’t going to always remember to unplug the plugins every time they leave a site that requires Java; they’ll just leave it plugged in. It’s kind of like trying to teach newbies how to use Noscript, only to find out that they found it more useable to simply allow scripting on all sites all the time. Security is a balance between usability and safety, and the two browser approach demands little else of the user than to remember which browser is the one to browse the site that requires Java.

          1. Peter

            Exactly. And helps avoid many other vulnerabilities. More browsers is even better: 1. Bank 2. email 3. facebook 4. favs 5. general surfing 6. unsafe/unknown stuff. Did I run out of decent browsers? There is always the Linux boot disk/drive…

  25. Din5dale

    Great work as usual Brian, ty! Another possible alternative to the “2 browser” solution you suggest for people like myself who only “like” 1 browser–my personal preference is Firefox–for sites requiring Java is to run a duplicate (or even other) OS in a Virtual Machine. I Have Win 7 Home Prem as host and guest (in VMWare Player) run FFox latest with Java uninstalled in the host & Java installed and enabled in the guest for sites that require Java.

    1. Eric

      I’ve considered the exact same kind of thing on my new computer. I’ve got Linux VMs (under VirtualBox running on Windows 7) for specific tasks (development). I like the idea from a security point of view since depending on your configuration they can be sand-boxed. It’s also easy to revert to an earlier snapshot or even create a clone of a VM that’s essentially disposable. I’ve been investigating the licensing requirements for Windows, though. How does one deal with that? I’ve got an old Windows XP home license I could upgrade, I suppose…

      1. Din5dale

        I have both ver of 7 installed & activated under 1 license (which is probably in violation of the EULA) thusly: Windows 7 Home Prem Gateway pre-installed OEM auto activates by SLP & guest installed using the Key # affixed to the bottom of the laptop- phone activation required, never so much as a burp when doing so.

        I also have done the same with an old Dell laptop that died a while back-installed in VM using the Key affixed to the laptop, activates by phone even on my Gateway laptop. I also have begun fooling with Ubuntu on the VM but the learning curve (being only a slightly above average user) is getting the better of me.

  26. Barbara B

    I don’t know where my manners disappeared to. Thanks WD for the help. Your info worked like a charm!
