Microsoft: Update Java or kill it

Summary: Microsoft is offering advice on how to protect yourself from Java-based malware. The instructions are simple: either update it, disable it, or just uninstall it completely.

Microsoft has decided enough is enough: Java-based malware sees no end and it's time to do something about it. The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it.

First, some background. Type-confusion vulnerabilities are effective because they lead to a compromise of the Java sandbox. They occur when the type safety check in the Java Runtime Environment (JRE) fails to catch a value of the wrong type being supplied to an instruction that works with a different type. Once a class's type safety is broken, code can reach methods that are not supposed to be accessible to processes outside of the class.

As a result, Microsoft's first recommendation is to update your Java installation. To check the version of JRE your browser is running, head over to java.com/en/download/installed.jsp and get the latest version.

I did that in Chrome and IE9. Google's browser informed me that "Java(TM) is required to display some elements on this page." Excellent, so I don't have Java installed in Chrome, which I use the most frequently. Next, Microsoft's browser gave me the following error:

No working Java was detected on your system.
Install Java by clicking the button below.

I know I have Java installed, but I'm guessing this error is happening because it's the 64-bit version. I wasn't surprised Oracle still hasn't fixed Sun's version check code.
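
A browser-based check only sees the plug-in that matches the browser's bitness, so a local inventory is more reliable. The PowerShell below is an added example (not from the article or from Microsoft's guidance) that lists JREs from both registry views; it assumes the registry location used by the Oracle JRE installer, and `$MinimumVersion` is a placeholder you set yourself.

```powershell
# Added example: enumerate JREs registered by the Oracle installer in both
# registry views. Run from 64-bit PowerShell on 64-bit Windows so that the
# first path resolves to the 64-bit view.

# Placeholder, not from the article: set this to the oldest version you accept.
# With 0.0.0.0 nothing is flagged as outdated.
$MinimumVersion = [System.Version]'0.0.0.0'

$roots = @{
    '64-bit (native)' = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
    '32-bit (WOW64)'  = 'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
}

function ConvertTo-JavaVersion {
    param([string]$Name)
    # Full-version keys look like "1.6.0_31"; family keys such as "1.6" are skipped.
    if ($Name -match '^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$') {
        # A missing update group is $null, which casts to 0.
        $text = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], [int]$Matches[4]
        return [System.Version]($text)
    }
    return $null
}

$found = foreach ($entry in $roots.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    foreach ($key in Get-ChildItem $entry.Value) {
        $ver = ConvertTo-JavaVersion $key.PSChildName
        if ($null -eq $ver) { continue }
        New-Object PSObject -Property @{
            View     = $entry.Key
            Version  = $key.PSChildName
            JavaHome = $key.GetValue('JavaHome')
            Outdated = ($ver -lt $MinimumVersion)
        }
    }
}

if ($found) {
    $found | Sort-Object View, Version |
        Format-Table View, Version, JavaHome, Outdated -AutoSize
} else {
    'No JRE registry entries found in either view.'
}
```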

Next up, Microsoft has offered guidance for those who don't want to keep Java updated. The software giant points to Apple's instructions for the Mac (support.apple.com/kb/HT5241) and details its own instructions for Windows:

If you prefer, you may also just disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. To do this, on Windows systems, go to "Control Panel" and select "Java". When the "Java Runtime Environment Settings" dialog box appears, select the "Java" tab. From there, click the "View" button. You can just uncheck the "Enabled" check box to disable that installation from being used by Java Plug-in and Java Web Start. Even though you can disable Java Plug-in on a per-browser basis, this method is most effective in disabling Java Plug-in system-wise.

Last but not least, Microsoft recommended you uninstall Java if you don't use it. Instructions from Oracle are available at java.com/en/download/uninstall.jsp.

After seeing Microsoft's warning, I chose to kill Java with fire. I removed it completely from my Windows 7 box. Mind you, I'll probably be doing some programming in a few months, but I'll just reinstall Java then.

"So, by following some simple steps, you can protect your machine from this malware infection by choosing to update, disable or uninstall," a Microsoft spokesperson said in a statement. "All of these will be effective for preventing currently prevalent Java based malware; it's just up to you to choose the right method to protect yourself based on your needs and situation."

Topics: Security, Malware, Microsoft

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Talkback

101 comments
  • Java?

    I have been running all my computers without Java for at least the last 5 years.
    I don't even remember the last time I saw something requiring it.
    RIP Java.
    TheCyberKnight
    • Unfortunately there are things that still require it

      Cisco GUI management as well as some other web based RDP clients use it. I have to have it and use it a couple times a week. Although I do keep it up to date. I'm not a fan though because of the vulnerabilities. I feel the same about Flash too.
      LiquidLearner
    • java

      Try printing a shipping label without Java - unfortunately it is what Pitney Bowes uses... therefore eBay and PayPal
      ClickHouse
      • Or your blu-ray player that connects to the internet for updates

        Java is here and it's not going to vanish.

        Replace it with something else, especially one that isn't as flexible, and the same security issues will come right back.
        HypnoToad72
    • My home computers don't need it...

      but my office requires it for various applications. Unfortunately, I'll be stuck using it at work for the foreseeable future.
      kstap
      • In the same boat

        We have programs essential to our organizations that require Java. It is for that reason I push out updates to it as soon as an update is released.

        In the personal computing world I see so many that ignore the update warnings. Their Java, Flash, Reader, Shockwave are so out of date it is scary. I have been recommending and installing Secunia PSI on personal computers I work on in my side jobs. At least it updates most things for the user and provides a better notification system that is centralized.
        bobiroc
    • No Java or Adobe

      5 years ago we did the same thing here. We keep one machine in the DMZ for things that only work with brand name Java or Adobe.
      mswift@...
    • Dumped Java a few months ago - haven't missed it.

      Like Liquid Learner I found I really don't need Java. Unfortunately my office does as they run Oracle applications which require Java to run. Personally I felt the risk:benefit ratio was too far off to keep it installed. If you don't need it, uninstall it!
      CasualAdventurer
    • I have tons of stuff

      From Cisco, EMC, Oracle, etc that all use Java. I could never get rid of it.
      Johnpford
    • Same old MS spin

      .NET is a Java copy. MS even got x Sun employees to develop it.

      You better go ahead and uninstall Android too.
      Dar Var
      • Seems MS isn't the only one...

        The Dept of Homeland Security feels the same: http://www.reuters.com/article/2013/01/11/us-java-security-idUSBRE90A0S320130111
        TechNickle
  • The dangers of open source software

    Witness the dangers of "open" despite it being championed by Google and others. Increasingly, Java lacks the commercial support needed to keep on top of the malware issue. Secretly, Oracle/Sun staff must long have wished they had the profits that Microsoft makes from selling similar but closed source and more commercial products, but "open" is like a religious dogma to some people, and fanatics will never admit they're wrong even if they were capable of seeing it.
    Tim Acheson
    • Do you remember...

      when MS launched MS Java? Funny, isn't it?
      I never have any problem using open source software! I can't say the same thing about MS Windows or Office (VB virus). I don't like Java for other reasons; I use C++ to develop applications. But commercial isn't better than open! No way!
      ruirego
      • Remember MS Java 2.0?

        It's called .NET. MS would have still been using Java had they not lost their case against Sun.
        balsover
      • @ruirego

        "No Way!"

        Well, it's hard to argue with forceful arguments like that.
        mepallow
    • I have one word for you:

      ActiveX.

      A closed source browser add-on that has the distinction of being the most abused browser-based attack vector in the history of computers, but "Microsoft" is like a religious dogma to some people, and fanatics will never admit they're wrong even if they were capable of seeing it.
      anothercanuck
      • How true...

        and still one reason that Internet Exploder cannot disappear completely.
        chrome_slinky@...
      • Hacktive ActiveX is still around

        And M$ would rather band-aid its security holes than kill it outright.

        Although I'm no fan of java (and would like to get rid of it) M$, because of ActiveX, doesn't have a pot to piss in in this particular case.
        CaviarBlack
    • Missed the part where they said update huh?

      Reading is fundamental.
      T1Oracle
    • Java's proprietary

      At least the official versions Oracle maintains are. Also, since Oracle's the copyright holder, there's nothing to stop it from charging for updates, except, of course, that it would be a very good way to encourage developers to either abandon the language entirely, or use third party JVMs (which was what the Google suit was really about).
      John L. Ries