Should we stop using Java? Experts and the US Department of Homeland Security think so

15 Jan 2013

Last weekend, security experts everywhere were alerting users to a zero-day vulnerability that left computers using even the latest version of Java open to attacks from cyber-criminals. The flaw has since been patched by Oracle, but is it high time we called it a day on this problematic platform?

CVE-2013-0422 was big news last weekend. This Java security hole allows Java applets in browsers to bypass security restrictions and infect computers without warning. It was quickly distributed among cyber-criminals in exploit packs, putting millions of users at risk.

Sometimes you’ll see these malicious applets popping up as shared links on Facebook, asking you to install files to watch videos, etc. Any anti-virus software worth its salt should detect these threats, but that won’t always stop unsuspecting users from downloading malware.

This vulnerability and another have since been patched by Oracle with Java 7 Update 11, which also changes users’ default Java Security Level setting from medium to high, meaning they will always be prompted before any unsigned applet or Java Web Start application is run.

However, despite this fix, some security experts are advising that users permanently disable Java in their web browser – or even go so far as to uninstall it from their computers altogether. But why?

Continually exploited

“The reason is that Java keeps getting exploited by malicious cyber-criminals,” explains Graham Cluley, senior technology consultant at Sophos.

“If you are running a vulnerable version of Java, your computer could become silently infected by malware just by visiting a website. Seeing as the vast majority of computer users don’t need to run Java, it seems sensible to suggest that they turn it off – in their browser at least, and for many people completely remove it from their entire computer! That way you no longer have to worry about any more Java security issues – and, trust me, there surely will be more,” he warns.

Sophos’s Naked Security blog provides instruction on how to disable Java in Internet Explorer, Firefox, Chrome, Safari and Opera. Should users opt for the two-browser option, Sophos advises that both browsers’ security settings are kept up to date. In fact, if you have Java installed, whether it’s enabled in your browser or not, you should upgrade to the latest version to ensure protection.

Javatester.org will tell you if you have successfully disabled Java or not and, if Java is running, the version number will be revealed, so users can use this site to verify that they are using the most up-to-date release (version 1.7.0_11).

Why always Java?

Java has been plagued by security vulnerabilities, and developer Oracle has often been criticised for being slow to issue critically needed updates. Where other software is updated on a monthly or even weekly basis, Oracle only updates Java every four months.

In this instance, the company worked quickly to provide users with a fix, but last year a security flaw spotted in April was not patched until August. Earlier in 2012, more than 600,000 Macs were infected by Flashback malware, which came as a result of a Java security flaw.

Java Runtime Environment is said to be found on billions of devices worldwide, including more than 850m PCs. It is favoured by cyber-criminals because it is so widespread across all the major platforms – Windows, Mac OS and Linux – resulting in multi-platform Java malware.

Kaspersky Lab estimates that Java exploits accounted for up to half of all web-based attacks last year.

“More and more cyber-criminals are hunting for security holes in Java that they can exploit,” says Cluley. “Having Java enabled in your browser is opening up opportunities for malicious hackers to infect your computer – so the best advice, if you don’t need Java, is to turn it off completely.”

Going without

So what would happen if you disabled or uninstalled Java on your computer? “Most people won’t notice any difference at all as only a small number of websites require Java,” says Cluley. “That small number of websites will tell you if you need Java, and you can always use a different browser (with Java enabled) specifically for those sites.”

It’s important to note here that Java and JavaScript are entirely different things. “It’s an unfortunate historic screw-up that the names of the different technologies are so similar,” Cluley explains. “Many websites require JavaScript, but it has nothing to do with Java.”

Even the US Department of Homeland Security recommends that Java be disabled. A post on the Vulnerability Notes Database, updated on 14 January after the Java update was issued, states: “Unless it is absolutely necessary to run Java in web browsers, disable it […] even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.”

Not all security experts recommend dropping Java, and strong anti-virus software and other security tools can sidestep the impracticality of disabling it altogether.

What’s important is that users inform themselves of the risk involved in running Java, and ensure they are always up to date in terms of security.

Elaine Burke is the host of For Tech’s Sake, a co-production from Silicon Republic and The HeadStuff Podcast Network. She was previously the editor of Silicon Republic.

editorial@siliconrepublic.com