As if advice from SophosLabs' own Fraser Howard and the US Department of Homeland Security were not enough reason to ditch Java, Apple and Mozilla have both decided to join the party.
This afternoon, Friday January 11th here on the North American West coast, Apple released an updated malware definition list for the XProtect pseudo-antivirus protection built into OS X Snow Leopard and newer.
Instead of identifying a new virus, this updated definition temporarily disables the Java browser plugin (often referred to as the Java Web Start plugin, though Web Start proper is the launcher for Java applications outside the browser) that lets Java applets run inside Safari, Firefox and Chrome. XProtect does not delete anything: it raises the minimum plugin version it will allow to load above any version Oracle has shipped, so the plugin stays blocked until a newer build appears.
While most reports say the issue is with Java 7, some researchers have reported that Java versions 1.4 and higher are all vulnerable to this flaw.
It appears that Apple has learned an important lesson from this time last year. CVE-2012-0507 was fixed by Oracle in February 2012, but Apple didn't make the patch available until April.
The result? The Flashback malware infected more than 600,000 Macs in the interim.
Mozilla is no slouch when it comes to security and has implemented an almost identical procedure, adding all current releases of Java to its add-on blocklist.
In Mozilla's announcement they explain that plugins on the blocklist are forced into Firefox's Click to Play mode, so an applet does not run until the user explicitly allows it.
This can be a double-edged sword when it comes to known vulnerable plugins.
The advantage of this approach is that you are prompted every time a website wants to launch a Java applet, and you can make an informed decision as to whether you truly need that applet.
The problem is that you need to be informed, and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protection they need against drive-by attacks.
It is good to see everyone agree on the risk this vulnerability poses, and either get the word out or actively protect users against the threat.
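As an added illustration (not code from the original post, from Apple or from Mozilla), the Python script below reproduces the mechanism behind Apple's move: XProtect does not remove the plugin, it publishes a minimum bundle version in XProtect.meta.plist, and the browser refuses to load any copy of the plugin whose version is below that floor. The plist is constructed for this example; the bundle id and version numbers are assumed for illustration rather than copied from the list Apple shipped, and the file path is the one OS X of that era used.

```python
"""Reproduce the XProtect plugin block as a minimum-version check (added example)."""
import os
import plistlib
from typing import List, Optional, Tuple

# Constructed sample modelled on the layout of XProtect.meta.plist
# (PlugInBlacklist -> "10" -> bundle id -> MinimumPlugInBundleVersion).
# The version strings are illustrative, not a copy of Apple's real list.
SAMPLE_XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.10.19</string>
        <key>PlugInUpdateAvailable</key>
        <true/>
      </dict>
    </dict>
  </dict>
  <key>Version</key>
  <integer>1041</integer>
</dict>
</plist>
"""

# Location of the live file on OS X 10.6-10.8; only consulted if present.
XPROTECT_META_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
                      "Contents/Resources/XProtect.meta.plist")
# Bundle id assumed here for Oracle's Java 7 browser plugin.
JAVA_PLUGIN_ID = "com.oracle.java.JavaAppletPlugin"


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted bundle version -> tuple of ints ("1.7.10.18" -> (1, 7, 10, 18)).
    A non-numeric component raises ValueError rather than being guessed at."""
    return tuple(int(part) for part in version.split("."))


def version_lt(installed: str, minimum: str) -> bool:
    """True if installed < minimum. Shorter strings are padded with zeros,
    so "1.7.10" equals "1.7.10.0" and is below "1.7.10.1"."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def minimum_version(meta: bytes, bundle_id: str) -> Optional[str]:
    """Minimum allowed version for bundle_id, or None if it is not listed."""
    plist = plistlib.loads(meta)
    entry = plist.get("PlugInBlacklist", {}).get("10", {}).get(bundle_id)
    return None if entry is None else entry["MinimumPlugInBundleVersion"]


def is_blocked(meta: bytes, bundle_id: str, installed: str) -> bool:
    """The browser refuses to load the plugin when its bundle version is below
    the listed minimum. A minimum no shipped build reaches blocks every copy."""
    minimum = minimum_version(meta, bundle_id)
    return minimum is not None and version_lt(installed, minimum)


def report(meta: bytes, installed_versions: List[str]) -> List[Tuple[str, bool]]:
    """(installed version, blocked?) for each candidate Java plugin version."""
    return [(v, is_blocked(meta, JAVA_PLUGIN_ID, v)) for v in installed_versions]


def main() -> None:
    meta = SAMPLE_XPROTECT_META
    if os.path.exists(XPROTECT_META_PATH):  # on an old Mac, use the live list
        with open(XPROTECT_META_PATH, "rb") as fh:
            meta = fh.read()
    print("minimum allowed:", minimum_version(meta, JAVA_PLUGIN_ID))
    for version, blocked in report(meta, ["1.6.0.37", "1.7.10.18", "1.7.11.22"]):
        print(f"installed {version:<10} blocked={blocked}")


if __name__ == "__main__":
    main()
```

The point worth noticing is the last row: as soon as the vendor ships a build numbered above the floor, the block lifts on its own with no further action from Apple. Mozilla's blocklist works on the same version-range principle, so both measures are only as durable as the next Java release.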
Want to understand more about Java? Why Java isn’t JavaScript? Listen to this Techknow where Paul Ducklin and I explain what you need to know.
Listen now: (31 August 2012, duration 16'19", size 11MBytes)
Many banks' applications use Java applets, so this move can be painful when, one "lucky day", it blocks your access to your client-bank.
Maybe it’s about time banks start moving away from the insecure Java applets and onto something better.
I wish they did, but it would probably require too much money for them…
Hi, I am not that computer savvy... but I have what shows in my computer as Java 2 Runtime Environment. This is on my laptop. I do use Java for work on this computer. Should I delete that one? Thanks, Jr
You should update Java to the newest at the least; that's way, way old!
If your bank uses java while handling your private details you should probably find a new bank.
I'm the de facto IT person at my son's very small private school. Any advice on how to avoid being murdered by the mob of kids when I tell them they can't play Minecraft? It uses the JRE. Wouldn't this be safe to play as long as you are offline?
Minecraft.com is down right now.
*sigh*
@marigoldmama
You don't need to remove Java for local applications, you only need to disable "Java Web Start" which is the browser plugin. I don't know much about Minecraft, but if it is a Java application that runs outside the browser you should be fine.
Minecraft also runs as a free 'Demo' which is inside a Java applet. That may be what marigoldmama is referring to.
Is this vulnerability also affecting IcedTea OpenJDK Java 7?
Good read. There are vulnerabilities in every application or web browser, nothing is infallible. Even this sentence
"The problem is you need to be informed and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protect they need against drive-by attacks."
has a mistake, but it doesn't take anything away from the content. An educated user is key to averting vulnerabilities.
I use Jdownloader download manager and it uses a Java platform. With Windows 7 I was using McAfee firewall and it was never blocked. When I upgraded to 8 I went to Windows Firewall and the first time I started Jdownloader it told me that it was blocked. I had to tell the Firewall to allow incoming to download with Jdownloader. I do not have the plug in installed in Firefox. Is Java safe to use with only Jdownloader?