People, it's time to disable Java on all your computer Web browsers, at least temporarily.
The Java exploit discovered yesterday (Jan. 10) has already spread to at least four different browser exploit kits, bundles of malware placed into Web pages to infect unsuspecting users.
That includes the widely distributed, and wildly successful, Blackhole exploit kit.
Oracle, which inherited Java when it bought Sun Microsystems several years ago, told the San Jose Mercury News today (Jan. 11) that it was planning to release a large batch of security fixes Tuesday. It did not specify whether the newly discovered vulnerability would be patched.
According to a Polish security team that follows Java closely, this exploit is a result of Oracle botching a previous Java hole.
The only fully effective defense right now is to disable browser plug-ins for Java, the "virtual machine" that lets Web-based apps and other software run on any desktop operating system.
We ain't kidding
Mac users, don't think you're immune. Java works just as well on your machines (although Apple no longer automatically installs it for you). The same goes for Linux users.
"The thing about that [exploit] is that it's not dependent on OS or platform," HD Moore, who develops the Metasploit security-testing tool for Boston-based Rapid7, told Kaspersky Lab's Threatpost blog. "It will run the same exact code on Mac OS X, Windows or Linux."
But don't take just our word for it — take the government's as well.
The United States Computer Emergency Readiness Team (US-CERT) yesterday issued an official alert recommending that all computer users disable all versions of Java 7, which has been out for about a year and a half. (The exploit may affect Java 6 as well.)
"A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code," the alert said.
"An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a 'drive-by download' attack)."
Translation: If you visit a compromised Web page hosting this exploit — or even a clean page displaying a compromised banner ad — you're hosed, toast, or, as the hackers say, pwned.
This isn't the only Java zero-day exploit (one so new that there's no patch) found in Java recently.
Last year, there were three Java zero-days, the first of which ended up infecting 700,000 Apple desktops and laptops in the first-ever mass outbreak of Mac OS X malware.
For such reasons, security experts have been getting more vocal lately about the need to disable Java. This week, that dull murmur turned into a roar.
"Java is a mess. It's not secure," Jaime Blasco of AlienVault Labs, which confirmed the new exploit, told Reuters yesterday. "You have to disable it."
"It would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don't need it," said independent security blogger Brian Krebs.
"If you have any business-critical applications that require Java: try to find a replacement," said Johannes Ullrich of the SANS Internet Storm Center. "I don't think this will be the last flaw, and the focus on Java from people behind exploit kits like Blackhole is likely going to lead to additional exploits down the road."
How to go decaf
Unless you use Java professionally — such as by developing Web or Android apps, updating a Website or using Adobe's Creative Suite software package — you don't really need it.
But since this latest attack comes through Web browsers, you can simply stop the browsers from using Java rather than removing it entirely from your system.
It's easier than ever before to disable Java in browsers. The latest version of the Java Control Panel for Windows has a checkbox under the Security tab labeled "Enable Java content in the browser". Uncheck that and all your browsers should be Java-free.
If you have an earlier version of Java 7 for Windows, you'll have to disable each browser individually.
On a Windows PC, keep the Java Control Panel for Windows open and go to Advanced. Under "Default Java for Browsers", uncheck "Microsoft Internet Explorer" and "Mozilla family." (You may need to press the space bar to uncheck the IE box.)
While you're there, you might as well also uncheck "Enable the next-generation Java Plug-in".
Mozilla Firefox can also be sanitized on all operating systems by selecting the "Add-ons" item in the main menu and disabling all Java plug-ins.
Google Chrome users can reach a similar menu by typing "chrome://plugins" into the address bar, and PC Magazine's Neil Rubenking says "about:config" will work for Opera. For Apple's Safari browser, it's Preferences --> Security --> uncheck "Enable Java."
(Apple today pushed out an OS X update blocking all versions of Java 7, and Mozilla yesterday issued an update forcing Firefox users to opt into running individual Java applets.)
To make sure Java is truly disabled, visit http://java.com/en/download/testjava.jsp and see what happens.
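For readers who manage more than one machine, the "Enable Java content in the browser" checkbox can also be audited from a script. This added example is not from the article or from Oracle; it assumes that Java 7 Update 10 and later store that checkbox as the key deployment.webjava.enabled in the per-user deployment.properties file, and it assumes the per-user file locations listed in CANDIDATE_PATHS (taken from Oracle's deployment documentation, so verify them on your own system). It reports whether browser Java is on and, with --disable, rewrites the file so every browser that uses the Oracle plug-in is cut off.

```python
"""Audit or switch off the per-user 'Enable Java content in the browser' setting.

Assumption (not from the article): the Java Control Panel stores this checkbox
as `deployment.webjava.enabled` in the user's deployment.properties file.
"""
import sys
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"

# Assumed per-user locations of deployment.properties, keyed by sys.platform.
CANDIDATE_PATHS = {
    "win32": Path.home() / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties",
    "darwin": Path.home() / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties",
    "linux": Path.home() / ".java" / "deployment" / "deployment.properties",
}


def _split(line):
    """Split a property line at the first '=' or ':' separator."""
    for i, ch in enumerate(line):
        if ch in "=:":
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""


def parse_properties(text):
    """Minimal parser for the Java .properties format: one key per line,
    '#' or '!' comments, '=' or ':' separators. Enough for deployment.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split(line)
        props[key] = value
    return props


def browser_java_enabled(text):
    """True unless the file explicitly turns browser Java off.
    Oracle's default is 'enabled', so a missing key counts as enabled."""
    value = parse_properties(text).get(WEBJAVA_KEY, "true")
    return value.lower() != "false"


def disable_browser_java(text):
    """Return the properties text with deployment.webjava.enabled=false,
    replacing an existing line or appending one. Every other line is kept
    verbatim so the Control Panel's remaining settings survive."""
    out = []
    replaced = False
    for raw in text.splitlines():
        line = raw.strip()
        is_comment = not line or line[0] in "#!"
        if not is_comment and _split(line)[0] == WEBJAVA_KEY:
            out.append(f"{WEBJAVA_KEY}=false")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{WEBJAVA_KEY}=false")
    return "\n".join(out) + "\n"


def main(argv):
    path = CANDIDATE_PATHS.get(sys.platform)
    if path is None:
        print(f"no known deployment.properties location for platform {sys.platform}")
        return 2
    if not path.exists():
        print(f"{path} not found; Java may not be installed for this user")
        return 2
    # Java writes .properties files as ISO-8859-1 with unicode escapes.
    text = path.read_text(encoding="latin-1")
    enabled = browser_java_enabled(text)
    print(f"{path}: browser Java is {'ENABLED' if enabled else 'disabled'}")
    if "--disable" in argv and enabled:
        path.write_text(disable_browser_java(text), encoding="latin-1")
        print(f"wrote {WEBJAVA_KEY}=false; restart your browsers")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Close the Java Control Panel before running it with --disable, since the panel rewrites deployment.properties when it exits and would undo the change. The java.com test page above remains the final check that the browsers themselves no longer load the plug-in.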
For versions of Java older than Java 7 (which you shouldn't be running anyway), the de-Javafication process for Internet Explorer involves editing the Windows Registry. If you don't know what that is, don't do it. Instead, stop using Internet Explorer entirely.
If you do need Java on a browser for whatever reason, take the advice security blogger Brian Krebs gave during another Java zero-day scare only five months ago: Keep Java enabled on one browser only, and use that browser ONLY for accessing those sites you need to use.