rcdailey (Dragoonfly)
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey to Blackbird

Re: Feds warn PC users to disable Java

I have Java installed on five systems, and decided not to uninstall it. Instead, I used the Java control panel security tab to disable it in all browsers. That way I did not have to individually disable the plugins.

Added: One thing I forgot to mention is that disabling the browsers in the Java control panel also requires a restart to take effect. That's a small pain in the behind.

Jtmo
Premium Member
join:2001-05-20
Novato, CA

Jtmo to 47717768

I installed update 11 on only the 32 bit browser, not the 64 bit I use most of the time. Even then, I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or university, ALEKS used for their schoolwork requires Java and boy is it a pain.

Blackbird (Built for Speed)
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird

said by Jtmo:

... I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or university, ALEKS used for their schoolwork requires Java and boy is it a pain.

Virtually every nation-state has its enemies somewhere... and most exploits are equal-opportunity - they don't care whose computers they infect or where, if only to enlist them as part of global bot networks or to try to infect still other systems. I think the key safe-hex thing to do is employ a triage mindset:
1) if you don't actually need Java, get rid of it (including all its versions)
2) if you do truly need Java at times, keep it in chains (that is, disable it for browsing using the Java Control Panel, until it's specifically needed - then afterwards, disable it again... immediately)
3) make sure you only have the latest Java version installed (the rare exception should only be made when the user absolutely knows that an older version is required - which will exclude most Java users)
4) keep Java updated as soon as patches are released (given its favored-program status for hacking, it gets instant hacker attention when exploits are discovered)

Selenia (Gentoo Convert)
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia


Or block the plugin at a network level to protect users at your IP address. You can VPN past it yourself, but most friends aren't that savvy. If they were, I'd just block the port except for my static IPs or the destination of all known VPN hosts except mine (unless they get my permission, which granny is not getting with how much I have cleaned her computer, only to see her reinfected the next week due to weak security practices). She is a good lady, but treats a computer like a toaster in terms of security and updates. Installs a bunch of crap that has clean alternatives. In the insecure IE days, it only took me 3 years to get her to try Firefox or Chromium (now she is behind the times because WebKit has had better security of built-in sandboxing and better rendering), but she did pull away from IE. Progress, folks. Yes, I have a right to set up my network to be protective from my home so nothing bad is coming from my IP address. I feel it to be a responsibility to do that. They will do what they want at home lol

NOYB (St. John 3.16)
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB

Have her use a VM for browsing. Blow it away and replace with fresh VM regularly.

rcdailey (Dragoonfly)
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey to Blackbird

There are only a couple of sites where I have used Java. One is here (dslreports.com) for the Java speed test. The other was secunia.com for their OSI (Online Software Inspector). However, the flash speed test works better for me now since I have a newer used computer and I use the PSI, which is installed locally and does not require Java. I could probably completely uninstall Java, for that matter. I will be thinking about that.

Added: I just uninstalled it from a Win 7 Pro 64-bit system. I had already disabled it for browsers, but had not restarted. I can't restart this system just any time, so I thought I'd just remove Java entirely. That worked fine and did not require a restart.

therube
Member
join:2004-11-11
Randallstown, MD

4 edits

therube to Blackbird

said by Blackbird:

said by dandelion:

Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability," the warning adds.
I have read 2-3 posts all about java but this is the first time I have read about other applications also.

I think the reasoning is that certain Microsoft application software like Office have built-in 'features' that invoke IE to display certain web-residing information within the application software itself, so that a user who never ordinarily uses IE may still be exposed to the Java vulnerability if the exploits exist within pages that IE silently opens.

Exactly.
Take a look at Puran:
»www.puransoftware.com/sc ··· very.jpg
See that "Home" & "Like us on Facebook".
What do you think that is?

Well that is IE.
So when you run Puran, you are also running IE.

A little tab you say?
Well click into that little tab, then click Ctrl+N.
Woah Nelly, up pops, yes, IE in its full glory.

Looking to find duplicate files on your computer.
You guessed it, you are all running IE while you do.

1) clean looking app, no?

2) notice that "bar" that says "Home"?

3) when I right-click, it gives some odd context menu?

4) & if I do a Ctrl+N, up pops, IE, in all its glory!

in the first tiled window, I had IE blocked (in my firewall), & it was able to load the (locally stored) "home.html" page. once I unblocked IE (which would be the case for most everyone anyhow), the second tiled window, I was free to roam, anywhere, do anything IE can do, well, because I am running IE.

5) also note that because Puran needs to (perhaps better said, does) run with elevated permissions, so too does IE, running at a higher integrity level than it would otherwise.

(the sandboxed IE, running through Puran, the other instance run directly from desktop)

Frodo
Member
join:2006-05-05

2 edits

Frodo to 47717768

Just came across this article regarding Java and Internet Explorer.

Essentially, the gist is that there are two ways for Java to execute in IE, one as an ActiveX control, and the other way as an applet.

Since there are two ways to run Java, there should be two things done to shut it down (if needed). One would be to go to manage add-ons and disable the Java related add-ons. That takes care of the ActiveX.

Then, Java being called as an applet would also need to be dealt with. As the article explains, this can be dealt with in Group Policy. Since I have XP Professional, that's how I dealt with it. You should be aware that if you want to shut Java down for a particular zone, that setting didn't show in my IE8. So, I backed up HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER and then ran the registry file indicated in the article, and the Java setting for the individual internet zones now shows in the IE control panel for the individual IE zones.

So, just wanted to point out that in IE, Java can be invoked either by ActiveX or by applet. Perhaps the setting in the Oracle Java control panel to not run Java in Internet Explorer is sufficient to shut Java down, but if one doesn't want to have a single point of failure, there are other things that can be done. Until I read that article, I thought disabling the Java add-ons was enough, but that apparently only shuts off the ActiveX invocation.

OS: XP Professional
IE: IE8

Edit: I'm not vouching for that registry file. I installed it, and everything looked good. In the Internet Zone, my ability to change the Java setting was disabled since I had a setting in Group Policy. However, in the Restricted Zone, even though I also disabled Java in that Zone, in the browser control panel, the setting wasn't disabled.

Conclusion: This affirms my decision to buy professional products that can be administrated, as opposed to home user products.

2nd edit: I had previously disabled Java applets in Group Policy at the Computer configuration level. I went back in and disabled Java in the Internet and Restricted zones at the User Configuration level, and this time, the setting in the browser for the Restricted zone was disabled. So, if one wants to disable Java applets in IE for any of the zones, I recommend applying the settings at both the Computer configuration and User configuration levels.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 edit

1 recommendation

Mele20

You might want to read Woody's article,

»www.infoworld.com/t/web- ··· page=0,0

weep, and then use the CERT registry file.

From Woody's article:

"You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

'Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.'

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them".

I didn't know anything about the Next Generation Java Plugin in IE and I had no idea that Java can now be invoked outside IE:

"is a newer version of the Java plug-in that execute outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP, Protected Mode, or other sandboxing." According to CERT, the only way to stop this newer version of the Java plug-in in IE is to remove the file. Then IE reverts to using the OLDER Java Plug-in which operates within the confines of the browser.

I also did not realize I would need to prevent IE from automatically opening JNLP files. CERT has a registry fix for this.

"A registry file that Disables the element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 update 6, the Java Web Start ActiveX control, the Java Deployment Toolkit ActiveX controls, as well as prevents IE from automatically opening JNLP files, as described above, is available for download here:

»www.kb.cert.org/CERT_WEB ··· P_IE.reg
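Before importing a registry file like the CERT one above, it is worth checking what it would actually write. The following is an added example (not code from this thread or from CERT): it parses .reg contents and reports which ActiveX CLSIDs would be kill-bitted, using the documented kill-bit location (the ActiveX Compatibility key, with bit 0x400 set in the Compatibility Flags value), plus every other key the file touches. The sample .reg text and its GUIDs are constructed placeholders, not real Java CLSIDs.

```python
import re

KILLBIT_FLAG = 0x400  # documented "kill bit" in Compatibility Flags
# Documented kill-bit location; the CLSID is captured with its braces.
KILLBIT_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.IGNORECASE)
FLAGS_VALUE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def audit_reg(text):
    """Scan .reg contents. Returns (killbits, other_keys): killbits maps each
    CLSID whose Compatibility Flags has 0x400 set to the full flag value;
    other_keys lists every non-kill-bit key the file would write."""
    killbits, other_keys = {}, []
    current = None  # CLSID of the kill-bit key we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("["):  # a key header starts a new section
            m = KILLBIT_KEY.match(line)
            current = m.group(1).upper() if m else None
            if m is None:
                other_keys.append(line.strip("[]"))
            continue
        m = FLAGS_VALUE.match(line)
        if current and m and int(m.group(1), 16) & KILLBIT_FLAG:
            killbits[current] = int(m.group(1), 16)
    return killbits, other_keys


# Constructed sample in .reg export form; the GUIDs are placeholders,
# not real Java CLSIDs, and the last key is a stand-in for the JNLP fix.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_CURRENT_USER\Software\Example\PlaceholderJnlpKey]
"Placeholder"="constructed"
"""

if __name__ == "__main__":
    killed, touched = audit_reg(SAMPLE_REG)
    print(f"{len(killed)} CLSID(s) would be kill-bitted:", *sorted(killed))
    print("Other keys the file would write:", *touched)
```

Run it against the downloaded .reg file instead of SAMPLE_REG to see the kill-bit count the thread quotes for yourself, and to spot any keys you did not expect.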

19579823 (banned) (An Awesome Dude)
Member
join:2003-08-04

19579823 (banned) to HA Nut


quote:
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...
Yes and a lot of ppl do!!!

Why is HOMELAND SECURITY telling ppl this INSTEAD OF SUN? (Oracle) -- I think there IS an agenda here!! (To get compromised versions of Java on ppls computer so they have a backdoor way in!!)

NO ONE SHOULD DO ANYTHING!!!!

cbrigante2 (Wait til Next Year)
Premium Member
join:2002-11-22
North Aurora, IL

cbrigante2

said by 19579823:

quote:
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...
Yes and a lot of ppl do!!!

Why is HOMELAND SECURITY telling ppl this INSTEAD OF SUN? (Oracle) -- I think there IS an agenda here!! (To get compromised versions of Java on ppls computer so they have a backdoor way in!!)

NO ONE SHOULD DO ANYTHING!!!!

Because Oracle (there is no more Sun... they were bought by Oracle) did NOTHING for months and months while a known exploit was out in the wild. Doing nothing is irresponsible advice. You ready to pay for all the damage that advice might cause? I didn't think so.