In the past few months, Oracle has garnered much attention because of a security flaw in its Java plug-in for web browsers. The situation got so bad the Department of Homeland Security (DHS) issued an alert advising you to actually disable Java on your computer.
You can read the alert at www.us-cert.gov/cas/techalerts/TA13-010A.html.
In it, DHS warns, “An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a “drive-by download” attack).”
That means if you have Java installed on your computer, and you visit a compromised site while leaving your security settings at default, then your computer can be infected without your having to click anything at all. Of course, Oracle quickly released an update that changed the default security setting of its Java software to “High.” But what does that really do?
Basically, it means that when you visit a website that has a Java applet running, you must now make a decision. Do you want to allow the website to run the applet, or do you not? You should be prompted. The bigger question is, how will you know whether or not that applet is something that should be running? I’m afraid the answer is, you just might not. And furthermore, what is this “Java” thing anyway? How do you know if you have it installed?
First, take a moment to see if you have Java installed. You can do this in Windows 7 by going into your Control Panel, clicking on Programs, and then clicking on Programs and Features. For other Windows-based operating systems, the path is similar, though slightly different. When you get to the list of programs, it may take a moment to fully populate the window. After it does, scroll down and look for a program whose name begins with “Java.” If you find it, then you have Java installed. The rest of the name of the program should tell you what version you have. If it’s anything under “Java 7 Update 11,” then your computer is probably vulnerable to the drive-by attack mentioned earlier.
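The version check described above, as an added example that is not part of the original article: it reads program names the way Programs and Features lists them and flags any Java runtime below the article's “Java 7 Update 11” threshold. The sample listing and the function names are constructed for illustration.

```python
import re

# Threshold taken from the article: anything under "Java 7 Update 11"
# is treated as probably vulnerable.
FIXED = (7, 11)

# Matches runtime entries such as "Java 7 Update 9", "Java(TM) 6 Update 31",
# "Java 7 Update 11 (64-bit)" and a bare "Java(TM) 7" (counted as update 0).
NAME_RE = re.compile(
    r"^Java(?:\(TM\))?\s+(\d+)(?:\s+Update\s+(\d+))?(?:\s+\(64-bit\))?$"
)


def parse_java_name(display_name):
    """Return (major, update) for a Java runtime entry, or None for anything else."""
    m = NAME_RE.match(display_name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(display_names):
    """Split Java runtime entries into those below the threshold and the rest."""
    outdated, current = [], []
    for name in display_names:
        version = parse_java_name(name)
        if version is None:
            continue  # starts with "Java" but is not a runtime, or is unrelated
        (outdated if version < FIXED else current).append(name)
    return outdated, current


# Constructed sample of a Programs and Features listing (not real data).
SAMPLE = [
    "Adobe Reader XI",
    "Java 7 Update 9",
    "Java(TM) 6 Update 31",
    "Java 7 Update 11 (64-bit)",
    "Java Auto Updater",
    "Mozilla Firefox 18.0",
]

if __name__ == "__main__":
    outdated, current = classify(SAMPLE)
    for name in outdated:
        print("update or uninstall:", name)
    for name in current:
        print("at or above Java 7 Update 11:", name)
```

Entries that begin with “Java” but carry no version number, such as the updater helper, are skipped rather than reported as outdated.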
You should update immediately! To run the update, open your browser and go to www.java.com, then follow the instructions on the site. Another option is to simply uninstall the program. Be warned, though: if you don’t have Java installed, some websites might not load properly. Of course, missing out on certain content might be completely OK with you if it ensures you aren’t getting infected. So, what kinds of things can you miss out on by not having Java?
Many websites use Java applets to enhance your experience. If you are a stock trader, you might find that you can’t place orders online. Have kids that like to play little browser-based games? Some of the ones they’re playing probably use Java. While it isn’t necessary to have Java installed for every website, when you uninstall it you’ll probably notice some of the sites you’re used to visiting just don’t work the same anymore. They might even appear to be broken.
So, what should you do? Basically, it boils down to a decision: either keep Java and set the security settings to ask you every time something tries to run an applet, or uninstall it and live without Java applets running on websites. If you decide to keep it, definitely run the update, and then continually check back for updates and run those as well.
Either way, you should always keep all the software on your computer up to date to avoid security problems.