grunge
news

Java: A Malware Writer’s Dream Come True

   March 5th, 2010

Not too long ago I wrote about how to Make Firefox More Secure by Disabling Java in it.  Since I wrote that article in November, nearly every malware cleanup I have done since then has used Java as it’s injection vector, and that has been quite a lot.  This has become a HUGE wide spread security issue for Windows users, and it’s all thanks to Oracle’s Java plugin for web browsers.

Java isn’t supposed to allow apps with out a certificate to execute unless the user gives it permission to.  The problem is that there are bugs in the Java plugin that allow malicious apps to still run, regardless of the user clicking allow or block!  I don’t know if the latest Java update version has patched these holes or not.  Every system I have seen though has been running Java 6, just one of the lower update numbers (they’re on update 18 at the time of this writing).  Compounding the issue is that most people never update Java.  Heck, I hardly ever used it, so I never updated it either.

The Java plugin is allowing malware writers to infect machines, no matter which web browser or which version of the browser the victim is using.  Java is allowing malicious code to run, which in turn infects machines.  This needs to be stopped, and the best way to do so is completely remove Java from your computer.  I urge everyone to uninstall the Java plugins immediately.  If this is not an option for you because you need Java for some poorly coded website, or obscure photo uploader (thanks Facebook), then you should at least be disabling Java in your browser until you come to the page you actually want it to run on.

In my previous article I showed you how to disable it in Firefox 3.5.  Well, since then Firefox 3.6 has come out, and it changes how the Java Plugin has to be disabled.  Now you have to click Tools -> Addons -> Plugins

Find the “Java(TM) Platform SE x Uxx” (the x’s are version numbers), and click the Disable button on it.  There is also a “Java Deployment Toolkit” that you should disable as well.

If you’re using Internet Explorer you should uninstall Java completely.  In IE you’re supposed to be able to click Tools -> Internet Options -> Manage Add-ons, then find all of the Java Plug-in’s in there going through the various lists, and disable them, but I have not been able to.  Even though I have disabled every single java plugin possible, when I visit a java web site, it still loads up Java.  For this reason, I recommend completely removing Java from your computer if you’re in IE user.  Or even better yet, use Firefox which actually disables the Java plugin when you click the disable button in it.  IE sucks, stop using it.

For Firefox, that’s it.  Rest assured you have once again secured your browser.  If you visit a site you TRUST explicitly, then you will simply need to revisit the Plugin and click Enable.  The change is instantaneous and fortunately doesn’t require a browser restart.

I can already hear you now “Just make sure you’re updated to the latest version”.  To that I say NO.    Java has proven itself HIGHLY dangerous to a computer’s security.  Allowing it to sit there and load, even if it’s the latest version, is ill-advised as any new exploit could be found at any time and allow the malicious code through again.

Just say NO to java!

8 Responses to “Java: A Malware Writer’s Dream Come True”

  1. Brandon  Says:

    Great tip. I wish Flash wasn’t everywhere so we could disable it, too.

    – B

  2. Nick - Author Comment:

    I agree (ignores Flash powered Tag Cloud in navigation bar).
    With HTML5 around the corner, Flash will hopefully be on it’s way out sooner then later.

  3. Tom  Says:

    Glad I found this. Great advice. I recently got bitch slapped by a Java malware exploit on IE that cost me a day of work. Wish I had read this beforehand.

  4. Anon  Says:

    You misspelled writer

  5. Nick - Author Comment:

    You’re right. Thanks for the correction. This is why I need a proof-reader.

  6. Phillip Rhodes  Says:

    Java has had a rough go *just recently* in this regard, but over its lifetime, has a better security track record than many other technologies. Saying “Remove Java from your computer completely” is a bit over-the-top.

  7. Dan  Says:

    Back off, Phillip. I just got YET ANOTHER java exploit via browser, and I was just doing some benign rental car searches on google. Disable JAVA! Thanks

  8. Nick - Author Comment:

    I am closing the comments on this article. I’m not sure what keywords are setting off the spam-bots, but I am constantly getting spam posts specifically on this article. Since nothing further needs to be discussed here, it’s just easier to close the comments. Thanks everyone who has commented.

grunge

πWhat do you think you're doing?