Java Zero-Day Exploit, Time to Disable/Remove Java!

Corrine

Once again there are reports of a Java zero-day vulnerability being actively exploited in the wild. All versions of Java are impacted, including the most recent release, JRE 7, Update 10.

With any version of Java installed on your computer, visiting a malicious link can result in a serious malware infection. Significantly, the exploit is not operating system specific and, although currently targeting Windows systems, can also run the same code on Mac OS X or Linux.

Recommendations in my blog post at Java Zero-Day (Again), Time To Disable/Remove Java
 
Apple has disabled Java in OS X Snow Leopard and newer via an updated malware definition list for their XProtect pseudo-antivirus.

Mozilla blacklisted the Java plug-in by adding it to the "Click-to-Play" function. This means that if you receive a prompt at a website you are visiting that Java is needed, if you have any doubts, get out of there! :)

More:

Apple and Mozilla – ‘Just say no to Java’ | Naked Security

Protecting Users Against Java Vulnerability | Mozilla Security Blog

Corrine,
Thanks for the heads up as I thought both laptop and desktop were rid of JAVA files and sure enough I had one leftover on laptop which I immediately removed.

See...an old dog can learn new tricks.
DW
 
For Windows users who must use Java regularly for desktop software but not in a browser, since Java 7 Update 10 this is now (claimed to be) possible from the Java control panel - see https://www.java.com/en/download/help/disable_browser.xml

See also https://www.kb.cert.org/vuls/id/625617
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option.
Prior to Java 7 update 10, fully disabling Java in IE was not easy.
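
The CERT note quoted above gives two likely locations for javacpl.exe. The following PowerShell is an added example, not part of any post in this thread: it inventories JRE folders under both Program Files roots and reports whether the Control Panel applet is present in each. The function name Find-JavaInstall and the scan of sibling folders beyond jre7 are assumptions of this example.

```powershell
# Added example: inventory JRE installs and locate the Java Control Panel applet.
# The Program Files\Java locations come from the CERT note; scanning every
# subfolder (not only jre7) and the name Find-JavaInstall are assumptions.

function Find-JavaInstall {
    # Build candidate roots only from environment variables that are defined
    # (ProgramFiles(x86) does not exist on 32-bit Windows).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Java' } |
        Where-Object { Test-Path $_ }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory | ForEach-Object {
            $bin    = Join-Path $_.FullName 'bin'
            $java   = Join-Path $bin 'java.exe'
            $applet = Join-Path $bin 'javacpl.exe'

            # Only report folders that actually contain a Java runtime.
            if (Test-Path $java) {
                [pscustomobject]@{
                    InstallDir   = $_.FullName
                    Version      = (Get-Item $java).VersionInfo.ProductVersion
                    ControlPanel = if (Test-Path $applet) { $applet } else { $null }
                }
            }
        }
    }
}

$installs = @(Find-JavaInstall)

if ($installs.Count -eq 0) {
    'No Java runtime found under Program Files.'
} else {
    foreach ($i in $installs) {
        if ($i.ControlPanel) {
            "{0} (version {1}): Control Panel applet at {2}" -f $i.InstallDir, $i.Version, $i.ControlPanel
        } else {
            # Matches the situation in the CERT note: runtime present, applet not found.
            "{0} (version {1}): javacpl.exe not found in bin" -f $i.InstallDir, $i.Version
        }
    }
}
```

Each path reported under "Control Panel applet at" can be launched directly to reach the browser setting described in the post above; any remaining entry also shows a leftover runtime that may need removing.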
 
