What’s the scoop on JAVA Runtime being an easy door into our computers? I was advised to delete JAVA totally.
Go ahead, if you do not need Java (i.e., if you do not use any Java app) uninstall it.
Unfortunately, I had to have it to use even my internet banking …
Failure Java threat of Internet Banking users in Brazil
There’s an ongoing thread about it at Community Feedback (former MSN Group). If you only need Java occasionally, there is a link to a portable version at portableapps.com.
http://www.community-feedback.com/topic/27205-java-still-too-vulnerable-to-malware/
Java runtime has an ineffective update process that makes it a pain to regularly keep up to date. It doesn’t help that most people don’t even know they have Java b/c a lot of times it just piggybacks on programs that require it, so they don’t even try to keep it updated if they are prompted to.
Even if Java is up to date, b/c of its prevalence on cross platform computers it is the most exploited attack vector. As such there is a zero day vulnerability in the wild being actively exploited as we speak which of course has not been patched by Oracle yet.
If you don’t have any programs that need it, uninstall it to save yourself the trouble. If you need it, then disable the plugin when you don’t need it (that’s how people get infected) or better yet use a different profile just for Java. All you have to do to get infected is to visit an infected site while having the Java runtime plugin enabled in your browser.
Even if you need Java, there is an easy way to protect yourself by using separate profiles just to use Java in your browser, drastically cutting down risk. Firefox and I think Chrome have built in profile managers. Create your “java enabled” profile with the Java runtime enabled, then only use that profile to visit your bank or whatever, then revert back to normal profile with java disabled for everything else.
Creating different Firefox profile, and even running them at the same time
http://www.callum-macdonald.com/about/faq/multiple-firefox-instances/
Chrome multiple Profiles
http://support.google.com/chrome/bin/answer.py?hl=en&answer=2364824
I lean on Java myself, for example Box.com requires java if you upload more than a certain number limit of files in one instance. There are also a lot of programs written in Java for crossplatform sakes.
Java 7(11) allows the user to enable/disable Java use by web browsers. This is in the security tab of the Java control panel applet in Windows.
This is great because I have application software which depends on Java but I do not need Java for web purposes.
I have a hint for Avast! developers. Agnitum Outpost ‘Web Control’ allows site by site permissions to control the use of Java on the web. Why not Avast! also?
JRE7 U10 had the same method of disabling Java in the browsers. I’ve updated to JRE U11, but still don’t consider it safe. Oracle patched 2 out of 84 known vulnerabilities. In its default setting, Java will ask the user if a site attempts to run an unsigned applet whether they want to allow it. How many people will simply click OK, as most will click on anything?
Firefox with NoScript will only allow scripts and plugins to run on whitelisted sites. Any site can be compromised, so none can be considered fully trusted. However, it does limit the exposure considerably. If you can’t name the site that you really need Java for, then there’s no need for Java in the browser at all.
Yeah that would be a great addition to Avast…hmmm…I think I saw something cooking about Avast and Agnitum on the firewall improvement last year…may be wrong though…
http://s14.postimage.org/kzymljxx9/image.jpg
On Java 7 Update 11, http://betanews.com/2013/01/14/java-7-update-11-security-patch-fixes-nothing/
Hi Mundungas,
The problems so far only are for the java browser plug-in. The other applications of java are more solid and much more stable. Firefox took the right step to disable the plug-ins by default and only allow the use if a user willingly clicks to install the plug-in. Users are advised to use java in the browser only when they cannot circumvent the use of it otherwise. Users should be aware what application to shun like java in the browser for instance or using QuickTime.
polonus
I have now amended my clean up advice with the following
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)
Thanks for the heads up on this. Have disabled Java on both my Firefox and Chrome. (I never use IE)
http://mashable.com/2013/01/13/java-exploit/
This was added to my virus definition update a few minutes ago.
I always keep Java updated and I have to have it in order to access my bank accounts.
Also,
http://abcnews.go.com/Technology/wireStory/oracle-java-patch-fixes-security-problem-18213251
I’m keeping Java disabled in the browser using the Java Control Panel. Disabled this way, it doesn’t even show up in Firefox or Opera’s plugins at all.
I use a separate Windows User account exclusively for my financial sites. Luckily, none so far require Java. Some do require Adobe Flash, which is another issue.
Edited to add 2nd URL.
Is Avast coming with an update to check for this vulnerability? I have a friend who has Norton and he claims he is protected.
There have been updates for various Java infections all along. See http://www.avast.com/virus-update-history. Any that start with Java: are directly detected. The problem is that signatures are reactive, and the malware is constantly evolving. Java is and will likely be vulnerable for some time.
https://isc.sans.edu/diary/Java+7+Update+11+Still+has+a+Flaw/14983