Update January 10, 2013: A zero-day exploit is in the wild, attacking fully patched versions of Java. You can protect yourself by disabling the Java plugin from your browser(s) or removing Java completely.
The criminals who successfully infected 600,000 Macs with the Flashback malware (aka Flashfake) could just as easily have trained their guns on Windows or Linux users.
That’s the problem with exploits that target vulnerabilities in cross-platform runtimes like Flash Player and the Java Runtime Engine (JRE). Even if your operating system is fully up to date, an unpatched vulnerability in that third-party code can lead to havoc.
As the Mac community discovered, a user can go to a perfectly legitimate site, be infected with absolutely no warning, and have untrusted code running on the box. That infection typically includes a component that can download additional malware later, also without warning.
Indeed, as operating system vendors get better about patching their own flaws, malware authors are increasingly turning to third-party code to get their dirty work done, and Java is high on the list. In the second quarter of 2011, Kaspersky Labs researchers listed two “Highly Critical” Java vulnerabilities in their top 10 list (six of the remaining eight entries on the list involved Adobe Flash Player). A presentation by Kaspersky’s Kurt Baumgartner at the VB2011 conference called out “the recent explosion in prevalence of both client-side Java exploitation and Android malware development,” and in a separate October 2011 blog post, Baumgartner noted that Java exploits had taken over the #1 spot on the list.
The best defense against this kind of attack is to remove the vulnerable runtime engine so that it can’t be exploited. On a recent-vintage PC or Mac, the odds are in your favor, at least initially.
- Java is not installed by default with any modern version of Windows, thanks to an April 2004 antitrust settlement between Microsoft and Sun Microsystems. (Sun was later acquired by Oracle, which now owns and maintains Java.)
- Apple maintains Java separately from Oracle. Apple’s Java was included with Snow Leopard and earlier versions of OS X. If you have one of these OS X versions installed, you must disable it manually, and there is no option to uninstall it. That’s one reason the Flashback attack hit Snow Leopard users especially hard.
- Apple’s release of Java is not included with a new installation of OS X Lion. If you upgrade from Snow Leopard to Lion, however, the JRE remains on the system and can be targeted by Java-based exploits.
So, if you start with a clean installation of Windows 7 or OS X Lion, you’re immune from Java-based exploits. But all it takes is one application that requires Java, and you see a message like these:
At that point, you have to make the tough choice: install the JRE and make yourself vulnerable, or find an alternative to that app.
Out of curiosity, I did some research to see which apps still require Java. The list is longer than I thought.
Two widely used role-playing games require Java: Minecraftclaims to have 26 million registered users, including 5.5 million who have purchased the game. Runescape, according to Wikipedia, “has approximately 10 million active accounts per month [and] over 156 million registered accounts.”
CrashPlan Pro, an online backup service, uses a Java-based client on OS X and Linux. Java is not required for the Windows client.
Adobe Creative Suite 5.5 is one of several widely used Adobe programs that require Java. This language appears in a support document at Adobe.com:
Many Adobe applications are dependent on the Oracle Java Runtime Environment (JRE) for some features to work. … Adobe and Apple have worked together to ensure that you can install Java [on OS X Lion] at OS install time. Or that it can be installed at a later time before you install Adobe applications. At runtime when you launch an Adobe application, you are prompted to install Java if it is not already installed. If you do not install Java before running an Adobe application, there can be missing or improperly behaving features.
OpenOffice, a free alternative to Microsoft Office, uses Java for many features. The main download page notes that the JRE is included in all versions except those for Linux and OS X, adding this explanation:
Java is required for complete OpenOffice.org functionality. Java is mainly required for the HSQLDB database engine (used by our database product Base) and to make use of accessibility and assistive technologies. Furthermore some wizards rely on Java technology.
On Twitter, I asked my followers for other examples, and found a smattering of less widely used programs that require Java to run:
- Jaikoz Audio Tagger, a music file manager that runs on Windows, OS X, and Linux
- Screenr, a free screencast creation tool
- Wuala, a Dropbox alternative from LaCie
- Vuze, a BitTorrent client formerly known as Azureus
- Xmind brainstorming and mind-mapping software
- GanttProject, a free cross-platform project management tool
If you write code using the popular Eclipse Integrated Development Environment, you must have a JRE installed,
But it’s in the enterprise space that Java really has a high profile. I heard from several users of virtual private network (VPN) clients who have no choice but to maintain a local installation of Java if they want to connect to a corporate network. Cisco’s AnyConnect is one; Oracle's Secure Global Desktop client is another.
A reader at a four-year university noted that his institution’s Oracle-based student and financial systems all require Java. And I heard from one person who said his company’s electronic medical records system was built on Java.
In short, Java is easy to avoid, except when you can’t.
My advice? If you can find a way to go completely Java-free, do it. You’ll be free of a significant source of vulnerabilities and you’ll have one less third-party program to worry about updating.
If you must use Java because it’s required by a program or web site for which you have no alternative, consider disabling the Java plugin in your default browser, and use a secondary browser exclusively for any Java-related activity.