Tech – for Everyone

Tech Tips and Tricks & Advice – written in plain English.

Java, the new Adobe (+How To Protect Yourself)

Sun’s Java Earns Unhappy Distinction — The Hackers’ Favorite Target

Cybercriminal exploit attacks on Java have multiplied tremendously in number and they are proving to be incredibly effective. The trend was first reported by Krebs On Security last week, and now the Microsoft Malware Protection Center has a notice about the wave of Java exploitation they found when reviewing their monitoring data. In fact, the MMPC discovered that by the beginning of this year the number of exploits on Java code vulnerabilities well surpassed the number of Adobe exploits they monitored.

“What I discovered was that some of our exploit “malware” families were telling a scary story – an unprecedented wave of Java exploitation. In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.”

Java is everywhere, but few people know what it is, or that it is even installed, as Java runs in the background. Java is used in a wide variety of computing platforms: from embedded devices and mobile phones on the low end, to enterprise servers and supercomputers on the high end.

What you should do: As I have mentioned here many times, the way these “exploits” get stopped is via vendor-released “patches” – better known as updates. Updates are your friend, and you want them.
(As a matter of fact, the Java patches have been out for some time..)

Keep your software up-to-date. Here’s the how-to for Java.
1) Click the Start button then Control Panel.

2) Locate and click the Java icon

3) The Java “control panel” will open. Click on the Update tab.

4) Click the Update Now button. Then, OK.

Did you notice how the “Check for Updates Automatically” description says that Java will check for patches and hacker fixes on the 14th of each month?
In today’s world, that’s ridiculous. Once a month? C’mon.
So let’s fix that.
5) Click the Advanced button…

.. and change the radio button to either Weekly, or better yet, Daily. Then click OK.

Then click Apply and then OK again.

Sadly, folks, you are not done. Java has a nasty habit of leaving old versions of itself behind when it updates (why is that, Sun? Huh? Huh?) and these need to be removed.

1) You should still be in Control Panel so click on Programs and Features (“Add/Remove Programs” in Windows XP/Older)
1a.) Click “Uninstall or change a program” if you have to.

2) A list of the installed programs will “populate”. Look for, and then remove (click Uninstall) all but the most recent version of Java you find in the list. That is, all but the highest numbered one. There may be several entries…
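
To double-check step 2 from a PowerShell prompt, this added example (not part of the original post) lists the Java entries Windows has registered and marks every one older than the newest. The display-name pattern is an assumption about how Java names its entries; the script only reports and removes nothing.

```powershell
# Added example: report installed Java runtimes; nothing is uninstalled.
# Standard per-machine uninstall keys (native and 32-bit-on-64-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: runtime entries are named like "Java(TM) 6 Update 21",
# "Java 8 Update 281 (64-bit)" or "J2SE Runtime Environment 5.0 Update 10".
# The digit requirement skips helper entries such as the auto updater.
$namePattern = '^(Java(\(TM\))?( SE Runtime Environment)? \d|J2SE Runtime Environment)'

$javaEntries = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $namePattern } |
        ForEach-Object {
            $parsed = $null
            # DisplayVersion is expected to be dotted numeric; skip anything else.
            if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) {
                [pscustomobject]@{ Name = $_.DisplayName; Version = $parsed }
            }
        }
)

if ($javaEntries.Count -eq 0) {
    'No Java runtime entries found in the uninstall registry keys.'
} else {
    # Highest version first; everything below it is a leftover to remove.
    $sorted = $javaEntries | Sort-Object -Property Version -Descending
    $newest = @($sorted)[0].Version
    $sorted | Select-Object Name, Version, @{
        Name       = 'Action'
        Expression = { if ($_.Version -lt $newest) { 'Remove (older)' } else { 'Keep (newest)' } }
    }
}
```

If a 32-bit and a 64-bit copy of the same newest version are both installed, both are marked as keep. Anything marked for removal is then uninstalled through Programs and Features as in step 2.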

Okay. Now you’re done.

I know, I know! Seems like a pain. Sun could do a much better job with this. But, listen, please. Safety and security measures are always a bit inconvenient and require extra attention and effort. Your computer is no different. Take the time. Make the effort.

STOP. THINK. CONNECT.

When you cross the street, you look both ways to make sure it’s safe. Staying safe on the Internet is similar. It takes some common sense steps — Stop. Think. Connect.

  • Stop: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
  • Think: Take a moment to be certain the path is clear ahead. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.
  • Connect: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.

STOP. THINK. CONNECT. Protect yourself and help keep the web a safer place for everyone.

* My thanks to Bryce at Technibble for the great write up which brought this to my attention.

Copyright 2007-2010 © “Tech Paul” (Paul Eckstrom). All Rights Reserved.


October 19, 2010 - Posted by | computers, cyber crime, security, software, tech

17 Comments »

  1. Hi Paul,

    I have seen many tech sites that advocate disabling java in your browser.

    I run Linux Ubuntu (I’m not a techie) and because of this, would it make me any safer disabling java because I don’t run windows? Or should I just leave it enabled as Linux is supposed to be relatively impervious to viruses?

    Paul

    Comment by Paul Andrew Russell | October 19, 2010 | Reply

    • Paul Andrew Russell,
      I think I need to clear up a few things…

      1) Java and JavaScript are two different animals (despite the similar names). It is the latter you want to limit/restrict or disable/block.

      2) No (software) operating system is immune.

      That said, I know of no (in my admittedly limited experience) “viruses”, nor “drive-by exploits”, currently targeting the Linux or Mac OSes.
      (I think that’s due to change.. but that is another story for another time..)

      With that said.. it is still “good policy” to keep your software up-to-date with the latest versions, and ‘patched’ with the latest updates — regardless of OS. And uninstall any unused and/or obsolete programs (this is called “reducing the attack surface”) as well.

      My answer may not sound like it.. but surfing the Web with an “alternative” browser on Linux is about the safest way to do it these days… by default.
      So. Java. I would uninstall it if I did not need it. Or keep it up-to-date if I did.
      Hope that helped!

      Comment by techpaul | October 19, 2010 | Reply

  2. Thanks Paul. I just assumed Java was Javascript, just different terms used by different people for the same thing.

    I use Firefox to browse, simply because it’s included in Linux. I used to use Opera but wasn’t sure about using it on Linux.

    Can you recommend a good ‘alternative’ browser?

    Thanks

    Paul

    Comment by Paul Andrew Russell | October 19, 2010 | Reply

    • Paul Andrew Russell,
      Don’t feel bad, I’ve been doing this for decades and I get confused sometimes. Jargon and babble, it often seems to me (geekspeak, that is).

      Okay, your question! “Alternative” translates to “anything other than Internet Explorer” (As IE comes with Windows, and the others have to be downloaded and installed). So you already are using an “alternative browser” by using Mozilla’s Firefox.

      Choosing a Web browser is – quite frankly – a matter of personal tastes. (They all do pretty much the same thing… render HTML into view-able web pages).

      My choice, currently, is Firefox.
      Because of the wide variety of Add-ons, frankly (namely, NoScript).

      But it used to be Avant.

      Before that it was Opera.

      Many people I know swear by Chrome. They say it’s fast and it’s uncluttered.

      Some Mac users who are forced to use a Windows machine (maybe at work.. or for some other reason) are glad that Safari is available, as that’s what they are comfortable/familiar with.

      … and, BION (Believe It Or Not), some Über Geeks I know are now switching back to Internet Explorer.
      Now that IE 9 is here.

      How was that for a non-answer?
      (If you’re asking which one is safest from hackers, well, that’s a pretty hot debate. I believe, at their default settings, Internet Explorer is actually now the safest. But maybe that was last month…)

      Comment by techpaul | October 19, 2010 | Reply

  3. Paul,

    Thanks for taking the time to answer my question. I really appreciate it.

    I really used to love Opera but when they updated I had problems with it. I think I may try it again. I do like Firefox but I was more comfortable with Opera.

    It’s good to hear Internet Explorer is better now but I’m one of those people who is wary of Microsoft and Google’s applications lol I don’t like the power they have over information, although I have loved using their products in the past lol

    Once again Paul, thank you.

    Comment by Paul Andrew Russell | October 19, 2010 | Reply

    • Paul Andrew Russell,
      You’re quite welcome.

      As for Opera, yes, I have heard that, but that was some time ago. I have no experience with the latest Opera running/trying to run on the latest Ubuntu, so all I can suggest is .. give it a test drive!

      (I do use Opera Mini on my cell phone, but..)

      Comment by techpaul | October 19, 2010 | Reply

  4. Thanks for the heads up Paul. Fortunately, I have the latest version and it was the only one installed!

    Comment by IzaakMak | October 19, 2010 | Reply

    • IzaakMak,
      In the spirit of Cybersecurity Awareness Month (and because I am in a good mood this evening) I am awarding you a gold star for taking the time to check your computer’s security.

      It is up to each of us to take responsibility for our machines, and secure them against criminals to the best of our ability. (Yes Virginia, there is no computer “Safety Fairy”.)

      Congratulations!

      Comment by techpaul | October 19, 2010 | Reply

      • Thanks my friend. I want to stay on top of these issues, but I admit that a lot of it is over my head. Thank you for making this one easy.

        BTW, I read that MS has helped clear the “Zeus” thing from a lot of PCs by updating their malicious software removal tool. While I don’t know anything about “Zeus,” I do know that I got an update for the malicious software removal tool last week. However, I can’t figure out where it is or how to run it. I’d appreciate your thoughts.

        Comment by IzaakMak | October 19, 2010 | Reply

        • IzaakMak,
          The MSRT is run every “Patch Tuesday” as part of Windows Update.

          However, we can download and run a “standalone version” – at any time – by visiting Microsoft Security online (click here)

          … that Zeus trojan almost was today’s topic. I may yet get to it …

          Comment by techpaul | October 19, 2010 | Reply

  5. Thanks Paul.

    Thanks,
    Grr

    Comment by Grr | October 19, 2010 | Reply

    • Grr,
      Good to see you here again!

      Comment by techpaul | October 19, 2010 | Reply

  6. Paul:
    Thanks for the easy instructions on Java Updates.

    g.

    Comment by Gaia | October 20, 2010 | Reply

    • Gaia,
      I appreciate your support!

      Comment by techpaul | October 20, 2010 | Reply

  7. Hi Paul—thanks for the reminder to update Java and protect against cyber attacks. Do you know if any browser in particular has been hit more than others? Right now, I have Firefox, Chrome and Internet Explorer installed, but I’m not sure if I should just stick to running Java on one of these.

    Comment by TuneUp | October 26, 2010 | Reply

  8. TuneUp,
    Good to see you here again, and thank you for the support.

    I do not have access to the data, and the articles I read did not specify. My guess is because this is an exploit against installed code (either you have it or you don’t.. most folks do) and not a use of a JavaScript trick/weakness.

    As for the larger question: which browser is being exploited most frequently? Well, there’s quite some debate. (And all should be patched and kept up-to-date!) However, in the last few Pwn2Own “hacking contests”, only Chrome passed the test. (see, Google’s Chrome Escapes Hack Contest Untouched and/or IPhone, Safari Browser Hacked at Pwn2Own Contest.)

    Does that mean Chrome users won’t get “hacked” and/or “exploited”? Not hardly. But, it just may be safer against certain kinds of online attacks.

    Comment by techpaul | October 26, 2010 | Reply

