US-CERT Java Warning
On January 10, 2013, US-CERT (United States Computer Emergency Readiness Team, part of the Department of Homeland Security) reported the discovery of a new vulnerability in the Java Runtime Environment (JRE), version 7. CERT took the unusual step of recommending that Java be temporarily disabled in web browsers “due to the number and severity of this and prior Java vulnerabilities”. According to the CERT Vulnerability Note:
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.
Java is in use on millions of computers running Windows, MacOS and Linux. Its purpose is to run interactive web content and to run applications that are downloaded across the Internet. Keep in mind that your computer is in no danger unless you download and run an infected Java program. A malicious program will probably try to run without your knowledge or permission.
Note too that Java is not JavaScript. While they are both programming languages that can run in a web browser, this vulnerability does not affect JavaScript.
Your Options
Uninstall Java completely from your computer by following these instructions from Java.com for Windows, Mac or Linux.
Disable Java to prevent it from running in your web browser by following these instructions.
Make sure that your web browser asks for permission before running any Java programs. The latest versions of Chrome and Firefox will do this automatically. Internet Explorer does not provide this option, so you will need to follow one of the links above to uninstall or disable Java (or switch browsers – a highly recommended option).
You can follow this link to safely test for the presence of Java on your computer.
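As an added example (not part of the original post), the following POSIX shell script performs the checks described above on a Mac or Linux machine: it looks for an installed JRE, identifies whether it is the affected Java 7 line, and reads the per-user deployment.properties for deployment.webjava.enabled=false, the setting the Java Control Panel writes when “Enable Java content in the browser” is unchecked (Java 7 Update 10 and later). The deployment.properties locations are assumed defaults.

```shell
#!/bin/sh
# Added example, not from the original advisory: report whether Java 7 is
# installed and whether Java in the browser ("Web Java") is still enabled.

# Extract the major Java version from the text of `java -version 2>&1`.
# 'java version "1.7.0_10"' -> 7 ; 'openjdk version "1.6.0_27"' -> 6
java_major_version() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^[a-z]* version "1\.\([0-9]*\)[._].*/\1/p' \
    -e 's/^[a-z]* version "\([0-9]*\)[._"].*/\1/p'
}

# Succeed (exit 0) only if the given deployment.properties content disables
# Java in the browser; a missing key means the browser plug-in stays enabled.
webjava_disabled() {
  printf '%s\n' "$1" | grep -q '^deployment\.webjava\.enabled=false$'
}

# Per-user deployment.properties location (assumed defaults for macOS / Linux).
deployment_file() {
  case "$(uname -s)" in
    Darwin) printf '%s\n' "$HOME/Library/Application Support/Oracle/Java/Deployment/deployment.properties" ;;
    *)      printf '%s\n' "$HOME/.java/deployment/deployment.properties" ;;
  esac
}

# Print a verdict for this machine; returns 1 when an exposed Java 7 is found.
check_java() {
  banner=$(java -version 2>&1) || { echo "No java on PATH: nothing to disable."; return 0; }
  major=$(java_major_version "$banner")
  file=$(deployment_file)
  props=""
  [ -r "$file" ] && props=$(cat "$file")
  if [ "$major" = "7" ] && ! webjava_disabled "$props"; then
    echo "Java 7 is installed and Web Java is still enabled: disable or uninstall it."
    return 1
  fi
  echo "Java ${major:-?} installed; browser plug-in disabled or not the affected line."
  return 0
}

check_java
```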
Next Steps
Oracle, the company that develops Java, has only said that a fix will be “available shortly”. Users will be notified through the update process that is built into Java. In the meantime, take the necessary steps to ensure that Java does not run any programs that are unknown to you. The only way to do that with certainty is to uninstall Java completely.
For many users, Java will not be missed, making removal a good option. If you choose to leave Java installed on your computer, do not use Internet Explorer until the vulnerability has been fixed. Use web browsers that only run Java programs with your explicit permission.
Update: Oracle has released a patch that closes this vulnerability. It is available through Oracle’s website and through the Java Control Panel of an active installation.