Microsoft has decided is enough is enough: Java-based malware sees no end and it's time to do something about it. The software giant points to two type-confusion vulnerabilities (CVE-2012-0507 and CVE-2012-1723) that have been very actively exploited in recent months. Redmond thus wants you to do one of three things: update Java, disable it, or uninstall it.
First, some background. Type-confusion vulnerabilities are effective because they lead to a Sandbox compromise for Java. They occur when the type safety check in Java Runtime Environment (JRE) fails to verify wrong types supplied to instructions working with different types. If the classes' type safety is broken, you can access some methods that are not supposed to be opened to processes outside of the class.
As a result, Microsoft's first recommendation is to update your Java installation. To check the version of JRE your browser is running, head over to java.com/en/download/installed.jsp and get the latest version.
I did that in Chrome and IE9. Google's browser informed me that "Java(TM) is required to display some elements on this page." Excellent, so I don't have Java installed in Chrome, which I use the most frequently. Next, Microsoft's browser gave me the following error:
No working Java was detected on your system.
Install Java by clicking the button below.
I know I have Java installed, but I'm guessing this error is happening because it's the 64-bit version. I wasn't suprised Oracle still hasn't fixed Sun's version check code.
Next up, Microsoft has offered guidance for those who don't want to keep Java updated. The software giant points to Apple's instructions for the Mac (support.apple.com/kb/HT5241) and details its own instructions for Windows:
If you prefer, you may also just disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. To do this, on Windows systems, go to "Control Panel" and select "Java". When the "Java Runtime Environment Settings" dialog box appears, select the "Java" tab. From there, click the "View" button. You can just uncheck the "Enabled" check box to disable that installation from being used by Java Plug-in and Java Web Start. Even though you can disable Java Plug-in on a per-browser basis, this method is most effective in disabling Java Plug-in system-wise.
Last but not least, Microsoft recommended you uninstall Java if you don't use it. Instructions from Oracle are available at java.com/en/download/uninstall.jsp.
After seeing Microsoft's warning, I chose to kill Java with fire. I removed it completely from my Windows 7 box. Mind you, I'll probably be doing some programming in a few months, but I'll just reinstall Java then.
"So, by following some simple steps, you can protect your machine from this malware infection by choosing to update, disable or uninstall," a Microsoft spokesperson said in a statement. "All of these will be effective for preventing currently prevalent Java based malware; it's just up to you to choose the right method to protect yourself based on your needs and situation."
- Cross-platform malware exploits Java to attack PCs and Macs
- Cross-platform Trojan checks your OS: Attacks Windows, Mac, Linux
- Cross-platform Trojan attacks Windows, Intel Macs, Linux
- New targeted Mac OS X Trojan requires no user interaction
- Over 600,000 Macs infected with Flashback Trojan
- How big a security risk is Java? Can you really quit using it?