Saturday, January 12, 2013

Reacting To JAVA Vulnerability Media Hysteria!
Recently there have been several stories in the media about a zero-day vulnerability in Java. I think it's appropriate to fill in some of the details to limit any undue excitement out there.

Yes, several recent versions of Java have this zero-day vulnerability. It affects Java 7 (1.7.0 and up) and does NOT affect Java 6 and earlier, so whether you are exposed depends on which Java release is loaded on your PC. The vulnerability has been around since at least October, when Oracle released an incomplete patch for the problem.

Is this a serious problem?

We think it's being over-hyped because it's been around for a few months with little impact so far. But! The vulnerability is serious and, given the pressure on Oracle to fix it, there should be a fix out pretty quickly.

NOT EVERYONE HAS THE VULNERABLE VERSION OF JAVA LOADED. You may not be vulnerable if you're running any version of Java earlier than Java 1.7.0.

What does Java do?

It's a browser plug-in that most web site authors use to add features to their web sites and make them more interactive and user friendly. It's also used in many browser-based programs that run on a computer network.

How do I know which version of Java I am using?

This page will give you that information: http://javatester.org/version.html
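For readers who would rather check from a command prompt than from a web page, here is an added example (not part of the original post) that parses the output of `java -version` and classifies the installed release into the range the post says is affected (Java 7, i.e. 1.7.0 and up) versus Java 6 and earlier. The sample outputs below are constructed.

```python
import re
import subprocess

# Constructed sample outputs in the format `java -version` prints (to stderr).
SAMPLE_OUTPUTS = {
    "java7": 'java version "1.7.0_10"\n'
             'Java(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
             'Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)',
    "java6": 'java version "1.6.0_37"\n'
             'Java(TM) SE Runtime Environment (build 1.6.0_37-b06)',
}

# Matches the 1.x.y_update form Oracle used at the time, e.g. 1.7.0_10.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(output):
    """True for Java 7 (1.7.0 and up), the range the post describes as affected;
    False for Java 6 and earlier; None if the version could not be parsed."""
    version = parse_java_version(output)
    if version is None:
        return None
    return version[:2] >= (1, 7)


def check_local_java():
    """Run `java -version` on this machine and classify it; None if no java is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The version banner goes to stderr, but some builds write to stdout; check both.
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, output in SAMPLE_OUTPUTS.items():
        print(name, parse_java_version(output), "affected" if is_affected(output) else "not affected")
    print("this machine:", check_local_java())
```

If more than one JRE is installed, the browser plug-in may not be the first `java` on your PATH, so the javatester.org page above remains the authoritative check for what your browser actually runs.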

Is this a Microsoft Windows thing?

No. Almost all browsers on all operating systems, including Windows, Apple OS X, and Linux, are vulnerable, because Java runs on all of them.

How are you exposed?

Visiting a web site that hosts malware using this exploit can lead to infection by any number of malicious programs, which can launch denial-of-service attacks, steal information, or send spam from your computer.

What can you do?

At the extreme, you can disable the Java plug-in in your browser(s). Here are the instructions for doing that, though we don't recommend it: http://www.java.com/en/download/help/disable_browser.xml

This is an extreme reaction to the problem, but if you visit a lot of new web sites each day and are concerned, it will reduce your exposure until the patch is released. Be aware, though, that many web sites rely on Java to run correctly, so you probably won't be able to use some sites if you do this.
 
Another alternative is to uninstall Java 7 (1.7) using Add/Remove Programs in the Windows Control Panel and then install an earlier version:

Here is a link to the older 32-bit download: http://www.filehippo.com/download_jre_32/13883/

This lets you keep using Java in your browser, just not the most recent version. Be aware that Java will keep prompting you to update itself; say "No" to those prompts, and don't say "Yes" until Oracle announces the patch release.

The final alternative is to just wait until next week and limit your use of unfamiliar web sites in the meantime.

Unfortunately, there's no easy way for us to release a mass update to all of your computers to fix this, but hopefully this will ease your concerns a little.

Thanks

Jeff and the gang at ACT
