Java zero day = time to disable Java, in your browser at least

Now is the time to disable Java in your web browser, or even remove it from your system if that is practical. Why? The bad guys are hard at work trying to exploit a zero day vulnerability in the latest version of Java (version 1.7, Update 6.). This vulnerability is the subject of a US-CERT Alert (TA12-240A) and ESET researchers have been able to confirm that the Blackhole exploit kit, popular with malware makers, now has the ability to take advantage of the vulnerability.

We hope to publish a detailed technical analysis of the vulnerability (officially known as  CVE-2012-4681) here on the blog fairly soon, but in the meantime we wanted to provide some practical advice on how to avoid becoming a victim of the malware that is already being deployed to exploit it. The first line of defense is to turn off Java in your web browser, so we have rounded up instructions on how to do that in the major browsers (Chrome, Firefox, Safari, Opera, and Internet Explorer).

[UPDATE 8/30/2012: Oracle has just announced a Java security update. Although this will fix the CVE-2012-4681 zero day vulnerabilities that prompted this blog post, it does not change our advice that you try living without Java in your browser. If you have Java installed on your Windows system you may want to update to the latest version and then disable it, following the browser disable instructions below. This ensure that any malicious calls to Java which attempt to bypass your browser will encounter the patched version. Mac OS X users who have upgraded to Java 7   should also update to the latest version, but those using Java 6, which was not affected by this latest problem, may want to wait until Apple issues an update.]

Disabling Java in Google Chrome

Google Chrome calls Java a “Plug-in” and to disable Java in Chrome you  can  access your Plug-in settings by entering “chrome://plugins” in the address field (without the quotation marks) as shown here:

As you can see, Chrome lets you enable or disable each Plug-in that has been installed. Clicking Disable will gray out the Plug-in and prevent it running. As an extra precaution,  restart Chrome after disabling the Java Plug-in.

Note that  Chrome has an “Always allowed” setting for Plug-ins that are enabled. That’s because Chrome will not, by  default,  automatically execute potentially risky Plug-ins even if they are enabled. Instead, as a security measure,  Chrome will ask permission to execute Plug-ins like Java. You can give permission on a site-by-site basis or activate the “Always allowed” setting. However, I  suggest you  do not choose the “Always allowed” setting, and go ahead with disabling Java anyway.

Also note that some versions of Chrome  exhibit anomalies in the description of  the Java Plug-in displayed on this page. Don’t be distracted by these, just go ahead and disable.

Disabling Java in Firefox

The Firefox browser also thinks of Java as a plugin but you disable it through the Add-ons Manager, shown below. You can get to the  Firefox Add-ons Manager by clicking  on the Firefox button at the top of the browser (use the Tools menu if you are using Firefox on Windows XP), and then click Add-ons. The Add-ons Manager tab will open. In the Add-ons Manager tab, select the Plugins panel:

You may have read that Java can be disabled in Firefox for Windows by using the Windows Control Panel. We don’t recommend that  method as it may not be reliable.

Disabling Java in Safari

The instructions for disabling Java in Safari on a Mac  can be found on this Apple Support page. If you are using Safari on Windows you can disable Java if you select Edit from the main  menu (use the Alt key to display the menu), followed by Preferences. That will get you to the  following dialog box (or use the shortcut keystroke combination of Control  plus the comma key):

Note that the version of Java  in which this latest vulnerability appears (version 1.7)  may not be installed on your Mac.  Most Macs running Lion or Mountain Lion are running Java 1.6 which is not affected by this particular problem. Apple has not pushed 1.7 to customers and you will only be running Java 1.7 if you  went through the installation process yourself.  Ironically, this is one of those times when the general advice of experts to “upgrade to the latest version to be secure” does not apply.  However, given the eagerness with which the bad guys are digging for vulnerabilities across all versions of Java right now, it makes sense to disable Java in browsers on your Mac regardless of which version you  have installed.

Disabling Java in Opera

You can quickly access and change the plug-in settings in the Opera browser by entering “about:plugins” in the address bar (without quotation marks)  to display this screen:

Disabling Java in IE

I’d like to say we’ve saved the best for last, but there’s not much to like about disabling Java in IE, something that is clear from the language of the  US-CERT in its notes on this latest Java issue. According to Vulnerability Note VU#636312:

“Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support.”

In fact, the task is more than  “complicated” because  one of the widely-cited methods  for turning off Java in IE–using the Programs section of the Control Panel in Windows 7–is not reliable. We tried turning off Java this way on several different machines and found that  the  setting was ignored. The detailed  instructions provided by US-CERT can be quite daunting for the average user, so seek help with this if you are not familiar with editing the Registry.

Until you can disable Java in IE, avoid using IE as your browser and make sure it is not your default browser (some malware will attempt to execute via  the default browser even if you are not using it).  The easiest way to make a browser other than IE the default in Windows  is to load the browser you want (e.g. Chrome, Safari, or Opera) and make it the default. The steps for doing this vary by browser, but there is a good guide to the  default browser settings here.

Removing Java Completely

Of course, one solution to the whole  Java-in-my-browser problem is to remove Java  from your computer. The only drawback to this solution is that some applications on your system may require Java. For example, your company may have an internal application it developed with Java or you may use one of the “OpenOffice” productivity suites such as LibreOffice. If you can do without Java completely, use the Programs item on the Windows Control Panel to uninstall any item that begins with “Java”:

What’s Next for Java Malware?

We do expect that Oracle will release a fix for this vulnerability in the near future so stay tuned for updates on this topic. (Not that we have heard from Oracle on the timing of a patch, but it makes sense that they will release one sooner rather than later, otherwise there won’t be many Java users left to update.)

We also expect more zero day Java vulnerabilities to appear. And exploitation of those vulnerabilities will happen with considerable speed, as in this case. Why? Because malware is now an industry and as such reaps the rewards of industrial processes, something discussed recently in this article over on SC Magazine’s Cybercrime Corner.

Author Stephen Cobb, ESET

  • R D Gates

    My Firefox shows the Java Platform at revision SE ^ not SE 7.  Do I have to disable it?
    Thanks
     

  • R D Gates

    Darn it – that's SE 6 not SE ^

    • David Harley

      R.D. Gates: Understood. 1.7 update 6 is vulnerable.

  • Rahim Ali

    Correction Re: Disabling Java in Opera:
    "You can quickly access and change the plug-in settings in the Opera browser by entering “about.config” in the address bar (without quotation marks) to display this screen"
    should actually be 
    "You can quickly access and change the plug-in settings in the Opera browser by entering “about:plugins” in the address bar (without quotation marks) to display this screen"

    • Stephen Cobb

      Great catch Rahim and gumbly! We have edited the blog to use “about:plugins” although “opera:config” does also work as you point out. BTW, as you probably know, Opera has a very handy option to disable all plug-ins at once on that plug-ins page. Very useful for debugging and for security.

  • Rahim Ali

    Otherwise, very helpful.  Comprehensive guide to disabling Java in most commonly used browsers in one place.  Thanks a lot!

  • gumbly

    quick note re: Opera… the article states that
    "You can quickly access and change the plug-in settings in the Opera browser by entering “about.config” in the address bar (without quotation marks) to display this screen:"
    the "about.config" bit is incorrect (note the period)
    enter "about:config" (colon between words, without quotes) in the address bar to view the prefences editor
    "opera:config" also works
    otherwise, great info… thanks
     

    • David Harley

      Thanks @gumbly and @Rahim.

  • Susan

    In Chrome, mine for Java 6.0.260.3, says, "Download Critical Security Update." And thanks!

  • jake

    How will this affect the people that use Serato, Virtual DJ, or Traktor ? Also, will this affect Ubuntu users ?

    • David Harley

      We can’t really advise on individual apps that we haven’t tested (and we probably aren’t going to test everything). However, the first priority is to disable it in browsers. I’m not aware of malware using this vulnerability to target Linux at present: of course, it could happen, but Windows is the prime target.

  • LittleboyBlue

    How will I play runescapes :'[

    • David Harley

      I don’t know the game, but if it requires Java, I guess that’s a problem. If you only have Java disabled in your browser(s), that makes you a lot safer even if you have it enabled for specific apps, though.

  • Fireshard

    I have read about 2 days ago about this flaw in Java. The way it was put there, it was only seen on Windows platforms, but the the way the bug works allows attacks on ANY platform. It basically works by allowing applications to download stuff into your computer and run them, if i read this correctly. Meaning it could do this on any platform, if the said application has it as its purpose.

  • Lasse

    Hi in my firefox i have QuickJava 1.8.0   shall i also deactivate it ?
     

    • David Harley

      @Lasse, do you mean use it deactivate Java? That might not be necessary once you’ve used the patches now available.

  • lxw

    any popular platform will have same issue, someone will break it at some time, should you say 'let's disable Windows' or 'let's not use OSX"?

    • David Harley

      The difference is that many people don’t _need_ Java. You can’t do much without an operating system. :) And in fact, the option isn’t necessarily to disable Java permanently, though obviously some people are considering it.

  • spraulin

    Time to disable Adobe Flash as well. I did it and my browsers are not constantly crashing or lagging anymore :D
    The sooner these 2 forms of evil bloatware fall off the map the better!!!

  • sarabjeet

    i really like that you are giving information on core and advance java concepts. Being enrolled at i found your information very helpful indeed.thanks for it.

  • andyusfr.nooz@gmail.com

    I am a full fledged 70 y.o beginner at this whole PC/net/web thing. You say remove Java (and/or Adobe Flash), but what replaces it (them)? Don’t I have to have it (them) to use my PC correctly? I have XP Prof., Sp3, use FF, Office 2010 Pro. Next month am “moving in” to a new custom built PC with Windows 8 Pro., Office 2013 Pro.. Should I anticipate some action about Java (and/or Adobe Flash)? I am certain that you all have forgotten more than I will ever know about all this, so please forgive me if my question is, as I am, amateur! Thank you, in advance, for your advice…a. 05 mai 2013 12h51 pm

    • dharleyatESET

      You don’t need Java or Flash for your PC to work, in principle. However, you may need to have them enabled in order to access some sites, data and applications. If that’s likely to apply to you, it’s probably better to disable them by default and enable them temporarily when you need them, and Stephen’s article does address ways of disabling Java in the most common-used browsers.

      • andyusfr.nooz@gmail.com

        Thank you, dharley…, for your reply. The only problem now, I read so much yesterday, could you give me the “How to” to refind “Stephen’s article?” I am sure I bookmarked it somewhere, but this old brain can’t remember where! While I am imposing…It took me about 20 min. to open this. Would you have the patience to tell me how to go back to where I was when I wrote my first “Post?” I tried clicking on everything on the e mail, everytime I had the message “Server not found.” I did say I am “The” beginner. In any event, thank you for replying. Have a nice day…A. 06 Mai 2013 15h28.

  • dan

    Should I delete the “Soft Java” folders within the registry editor, as well? Thank you.

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.