Do you need to uninstall Java to be safe from its vulnerabilities? - Techist - Tech Forum

Old 01-16-2013, 10:10 PM   #1 (permalink)
Destroyer of headlines
 
Megatron's Avatar
 
Join Date: Jan 2011
Location: Headlines
Posts: 629
Default Do you need to uninstall Java to be safe from its vulnerabilities?

Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple's negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits.

In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many people need Java to run applications, including Web apps and a number of technical and creative development tools.

When it comes to the security of your system, uninstalling Java completely is certainly one way to avoid problems arising from it, but it is a bit of an extreme measure. So, how do you secure your system while keeping a potentially faulty runtime installed?

There are two aspects to Oracle's Java installation. The first is the runtime itself, which consists of the libraries and execution environment that allow your system to execute Java programs. The second component of the installation is the Web plug-in, which interfaces these libraries with the browser to allow hosted Web applets to run.

The vast majority of Java's security problems revolve around the use of the Java plug-in. While the vulnerabilities ultimately exist in the runtime, the plug-in is the avenue that malware developers use to exploit these remotely. You are somehow tricked into loading a Web page that contains a malicious Java applet, which exploits the fault and loads malware on to your system. If you close this off or otherwise manage it, then you will vastly improve the security of your system, and can continue to use Java for other purposes without needing to remove it completely.

There are several ways to do this. In the latest Java runtime, you can access the Java Control Panel and in the security settings uncheck the option to "Enable Java content in the browser." This will effectively close the door between Java and Web sites you visit, so Java applets will not run. While technically the security vulnerabilities are still open with this setting, you would need to manually download a Java executable and purposely run it on your system.

The second option is the use of security levels in determining which Java code is allowed to run. Similar to Apple's Gatekeeper feature in Mountain Lion, which can restrict running applications to signed code or apps specifically from the Mac App Store, Java's security levels can require that you approve any unsigned applications or even approve all code regardless of its signature. To do this, in the same Security section of the Java control panel, you can drag the security level slider to High, which allows only signed programs to run, or Very High, which requires approval for all code.

Beyond Java's built-in security measures, you can also use some third-party tools to help prevent malicious Java applets from running on your system. While disabling the Java plug-in is perhaps best, if you regularly visit Web sites that require Java, then doing this can be a burden to your work flow. Therefore, instead use a plug-in manager such as ClickToPlugin that will block not only Java but also Flash and other plug-in content as well. The benefit here is that instead of running the blocked content, you'll receive a notification that you can click to quickly allow it to run. Also, you can customize a whitelist of sites that are automatically allowed to work.

Some browsers like Chrome come with a click-to-play option, which can be seen by going to Chrome's content settings (Copy and paste this URL into Chrome to get to these settings: chrome://chrome/settings/content#click) and selecting the "Click to play" option in the Plug-ins section. For those who use Firefox, the NoScript plug-in is a very effective approach to managing unwanted execution of plug-ins and other Web-based content.

A final approach to help protect your system is to monitor outgoing traffic using a reverse firewall tool like Little Snitch. With such a tool installed, whenever a program tries to contact an external server, the system will notify you and give you options to allow or deny the attempt, and also provide you with information to investigate what process is making the request.

While this is a bit of a tangential approach to dealing with faults in Java, it has been a very useful and effective way to detect malicious behavior on systems in the past and was integral to the early detection of the Flashback malware in OS X. While such firewalls may not prevent malware from exploiting your system, they can prevent it from carrying out its primary purpose, which is to communicate personal information to an external server and open up unwanted command and control ports in the system.

Overall, while Java has seen its fair share of problems and exploits recently, and although the most secure route is to uninstall Java and avoid using it, this is not necessary to keep your system secure. With plug-in management, higher security settings for Java, and reverse firewalls to detect malicious activity, you can still keep Java installed for the purposes you need while giving yourself an advantage in fighting the tricks that malware uses to cause problems in your system.

Source
__________________

Megatron is offline   Reply With Quote
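
The two Java Control Panel settings described in the first post can be checked from a script; this is an added example, not part of the original thread. It assumes the settings are persisted in the per-user deployment.properties file under the keys `deployment.webjava.enabled` and `deployment.security.level`, and the sample file contents are constructed.

```python
import re

# Assumption: the Java Control Panel persists its choices in the per-user
# deployment.properties file under these two keys.
WEB_KEY = "deployment.webjava.enabled"      # "Enable Java content in the browser"
LEVEL_KEY = "deployment.security.level"     # security level slider
ACCEPTED_LEVELS = {"HIGH", "VERY_HIGH"}     # the two levels the article recommends

_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Parse the key/value subset of the .properties format (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":     # blank line or comment
            continue
        match = _LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)   # a later duplicate wins
    return props


def audit(text):
    """Return a list of findings; an empty list means both settings are hardened."""
    props = parse_properties(text)
    findings = []
    web = props.get(WEB_KEY)
    if web is None:
        findings.append(f"{WEB_KEY} is not set; confirm the browser option by hand")
    elif web.strip().lower() != "false":
        findings.append("Java content in the browser is enabled")
    level = props.get(LEVEL_KEY)
    if level is None:
        findings.append(f"{LEVEL_KEY} is not set; confirm the slider by hand")
    elif level.strip().upper() not in ACCEPTED_LEVELS:
        findings.append(f"security level {level} is below High")
    return findings


# Constructed sample file contents, not taken from a real machine.
WEAK = """\
# constructed sample
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""
HARDENED = """\
! constructed sample
deployment.webjava.enabled = false
deployment.security.level: VERY_HIGH
"""

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "ok")
```

A missing key is reported rather than assumed safe, since the effective default depends on the installed Java version.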
Old 01-17-2013, 03:48 AM   #2 (permalink)
Super Techie
 
Join Date: Dec 2011
Location: Newcastle, England
Posts: 268
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

I don't know why they don't all get together and create a company similar to FACT, I can't remember what the US equivalent is called.
But make it a global legal operation, combine this with global internet laws and people who create viruses will start having to hide under rocks.
Rather than removing software like Java, more of a proactive stance should be taken against removing people from society who create any form of virus, or publicly reveal exploits.

But for anyone who does need to have Java for internal software on a corporate level, or even home use, and they do not require Java to access the internet, they could just restrict the application and all associated files from being able to connect to the internet, just shut it out completely.
Including stopping the system from installing or using applets or adding runtime files that are not needed.
I know this takes a bit of planning and you have to constantly be on top of this, but if your organisation is large enough or deals with sensitive information then you have no choice sometimes, as security is a major priority.

In short we don't blame Microsoft or Apple when a virus is created for vulnerabilities in their OS, and start shouting for these OS's to be removed and replaced, we use whatever means we have at our disposal to cover up these holes, until an official fix is released.
At the end of the day it is our jobs (IT staff), to make sure our systems are safe and only in an extreme circumstance would we decide to fully remove software.
For me more needs to be done to catch the people who are creating the viruses, and have strict global laws to make sure a strong message is sent out that would deter a number of wannabe virus writers from creating what they see as a bit of fun, or for financial gain, being caught by a global legal team, having all their assets stripped and given 25 years in jail would stop most of these vulnerabilities from being exploited.
It costs billions each year to fix damage done by viruses, why not pay some of that money to a central organisation that would catch the people doing it.
__________________

Frosty is a Snowman is offline   Reply With Quote
Old 01-17-2013, 10:45 AM   #3 (permalink)
Private Joker
 
carnageX's Avatar
 
Join Date: Feb 2007
Location: South Dakota
Posts: 24,515
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

Quote:
Originally Posted by Frosty is a Snowman View Post
I don't know why they don't all get together and create a company similar to FACT, I can't remember what the US equivalent is called.
But make it a global legal operation, combine this with global internet laws and people who create viruses will start having to hide under rocks.
Rather than removing software like Java, more of a proactive stance should be taken against removing people from society who create any form of virus, or publicly reveal exploits.

But for anyone who does need to have Java for internal software on a corporate level, or even home use, and they do not require Java to access the internet, they could just restrict the application and all associated files from being able to connect to the internet, just shut it out completely.
Including stopping the system from installing or using applets or adding runtime files that are not needed.
I know this takes a bit of planning and you have to constantly be on top of this, but if your organisation is large enough or deals with sensitive information then you have no choice sometimes, as security is a major priority.

In short we don't blame Microsoft or Apple when a virus is created for vulnerabilities in their OS, and start shouting for these OS's to be removed and replaced, we use whatever means we have at our disposal to cover up these holes, until an official fix is released.
At the end of the day it is our jobs (IT staff), to make sure our systems are safe and only in an extreme circumstance would we decide to fully remove software.
For me more needs to be done to catch the people who are creating the viruses, and have strict global laws to make sure a strong message is sent out that would deter a number of wannabe virus writers from creating what they see as a bit of fun, or for financial gain, being caught by a global legal team, having all their assets stripped and given 25 years in jail would stop most of these vulnerabilities from being exploited.
It costs billions each year to fix damage done by viruses, why not pay some of that money to a central organisation that would catch the people doing it.

It's already illegal in most countries... there are only a few that do not have laws (Russia I think is one of them, hence why a lot of malware comes out of Russia).
__________________
Laptop: MSI GT70 2OC-059us | i7-4700MQ | 16GB | GTX 770m | 500GB SSD / 750GB HDD | 17.3" | Win10 Pro
Desktop: 4690k | 12GB g.Skill RipJaws | GTX 970 | 520hx | Z87X-UD4H | Corsair Vengeance C70 | Corsair H110 | Acer 25" | Acer 22" | Win10
Mobile: Samsung Galaxy Note 5


If I help you, or you just like what I said, rep me by clicking the under my post
carnageX is offline   Reply With Quote
Old 01-18-2013, 01:28 AM   #4 (permalink)
Build Guru
 
PP Mguire's Avatar
 
Join Date: Dec 2004
Location: Fort Worth, Texas
Posts: 28,310
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

Quote:
Originally Posted by Frosty is a Snowman View Post
I don't know why they don't all get together and create a company similar to FACT, I can't remember what the US equivalent is called.
But make it a global legal operation, combine this with global internet laws and people who create viruses will start having to hide under rocks.
Rather than removing software like Java, more of a proactive stance should be taken against removing people from society who create any form of virus, or publicly reveal exploits.

But for anyone who does need to have Java for internal software on a corporate level, or even home use, and they do not require Java to access the internet, they could just restrict the application and all associated files from being able to connect to the internet, just shut it out completely.
Including stopping the system from installing or using applets or adding runtime files that are not needed.
I know this takes a bit of planning and you have to constantly be on top of this, but if your organisation is large enough or deals with sensitive information then you have no choice sometimes, as security is a major priority.

In short we don't blame Microsoft or Apple when a virus is created for vulnerabilities in their OS, and start shouting for these OS's to be removed and replaced, we use whatever means we have at our disposal to cover up these holes, until an official fix is released.
At the end of the day it is our jobs (IT staff), to make sure our systems are safe and only in an extreme circumstance would we decide to fully remove software.
For me more needs to be done to catch the people who are creating the viruses, and have strict global laws to make sure a strong message is sent out that would deter a number of wannabe virus writers from creating what they see as a bit of fun, or for financial gain, being caught by a global legal team, having all their assets stripped and given 25 years in jail would stop most of these vulnerabilities from being exploited.
It costs billions each year to fix damage done by viruses, why not pay some of that money to a central organisation that would catch the people doing it.

Because they are too busy spying on people trying to catch the pirates to care about anything else. They'd rather have Homeland Security get on the news and say take Java off your computer.
__________________
"Resolution is just a number." #Ubisoft
Origin/Steam = PP_Mguire Twitch = pp_mguire Instagram = ppmguire PSN = PP_Mguire

Access to my Plex PM me.
PP Mguire is offline   Reply With Quote
Old 01-18-2013, 03:57 AM   #5 (permalink)
Super Techie
 
Join Date: Dec 2011
Location: Newcastle, England
Posts: 268
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

I am aware that it is illegal, but the countries never seem to want to work together to deal with the situation, and yes it is true they would rather catch pirates, as the large companies, such as Sony, pay them to catch the people sharing media.
Which is why I don't understand why they also don't have a fund for catching programmers who write viruses.
Maybe I should set up a company with Dog the Bounty Hunter and start catching these people lol
Frosty is a Snowman is offline   Reply With Quote
Old 01-18-2013, 11:18 AM   #6 (permalink)
Build Guru
 
PP Mguire's Avatar
 
Join Date: Dec 2004
Location: Fort Worth, Texas
Posts: 28,310
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

Actually it's Hollywood funding the fight against copyright abusers.

You're essentially asking the world to get together and fight common evil. This only happens in the movies.
__________________
"Resolution is just a number." #Ubisoft
Origin/Steam = PP_Mguire Twitch = pp_mguire Instagram = ppmguire PSN = PP_Mguire

Access to my Plex PM me.
PP Mguire is offline   Reply With Quote
Old 01-18-2013, 02:16 PM   #7 (permalink)
Private Joker
 
carnageX's Avatar
 
Join Date: Feb 2007
Location: South Dakota
Posts: 24,515
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

Quote:
Originally Posted by Frosty is a Snowman View Post
I am aware that it is illegal, but the countries never seem to want to work together to deal with the situation, and yes it is true they would rather catch pirates, as the large companies, such as Sony, pay them to catch the people sharing media.
Which is why I don't understand why they also don't have a fund for catching programmers who write viruses.
Maybe I should set up a company with Dog the Bounty Hunter and start catching these people lol

It's not illegal to write viruses. It's only illegal to distribute with the intent of harm. We wrote some basic viruses in my Ethics and Security class, and it's not like we all had the FBI knocking on our doors.
__________________
Laptop: MSI GT70 2OC-059us | i7-4700MQ | 16GB | GTX 770m | 500GB SSD / 750GB HDD | 17.3" | Win10 Pro
Desktop: 4690k | 12GB g.Skill RipJaws | GTX 970 | 520hx | Z87X-UD4H | Corsair Vengeance C70 | Corsair H110 | Acer 25" | Acer 22" | Win10
Mobile: Samsung Galaxy Note 5


If I help you, or you just like what I said, rep me by clicking the under my post
carnageX is offline   Reply With Quote
Old 01-19-2013, 03:17 PM   #8 (permalink)
Call me Mak or K
Mod Emeritus
 
KSoD's Avatar
 
Join Date: Sep 2004
Location: C:\
Posts: 35,647
Default Re: Do you need to uninstall Java to be safe from its vulnerabilities?

Quote:
Originally Posted by Frosty is a Snowman View Post
In short we don't blame Microsoft or Apple when a virus is created for vulnerabilities in their OS, and start shouting for these OS's to be removed and replaced, we use whatever means we have at our disposal to cover up these holes, until an official fix is released.

Really? Then go to the Microsoft Community Site and tell that to the people that have issues with Windows 8 and complain about it and want it removed from their PC.

Yes people do blame Microsoft for issues with the OS. In fact they blame them for issues that are not even their fault. Like driver support. I answer more questions about why a device doesn't work for Windows 8 than anything else cause people do not understand that Microsoft is not responsible for making the drivers. It is the device manufacturer that is responsible. Yet people seem to think that if they complain enough on a Microsoft site that their problems are going to be answered even though it has nothing to do with them.

If you really think that, then you are very secluded as to what you see on the internet. Cause I don't even have to be on a Microsoft site to see such things. Just go look at the "Should I get Windows 8" Topic to see what I mean.

So yes people do complain about Microsoft and their products and do expect the multi billion $ company to care about 1 person who uses their software and their opinion.

Oracle should care cause many web based sites use Java. If people are being advised to move away from Java to HTML5, that only takes users away from them. Plus it opens up the flaw to many people who only use Java for development. How much of the Android community do you think is upset that they HAVE to have this software installed just to create their apps? So now they have to have an insecure system just to do what they love.

Yes it is a big deal to have an advisory out there to disable or remove such software. It is a major factor to a whole device platform as Android Devices all run using the Java Platform. So even though Android itself is not infected by this, everyone who develops for Android is cause they have to have JavaRE installed.
__________________
I do not accept support questions via EMail, PM, IM or my G+ page!

Phone: LG Optimus G Pro
Running: Stock JB from LG with Nova Launcher

KSoD is offline   Reply With Quote