Unfortunately, it appears that Java is once again unsafe. Over the weekend, the good folks over at security firm FireEye spotted a new attack that exploits a vulnerability in Java to install a Trojan named Poison Ivy, which communicates with C&C servers in China and Singapore.
Since there’s no fix in sight, it is highly recommended that users turn off/disable Java in their browsers. This might keep certain websites from operating 100% but, it will help prevent possible “drive-by downloads”. What is a “drive-by download” you might ask? Well, in a drive-by download, your computer becomes infected just by visiting a website which contains malicious code. Cybercriminals search the Internet looking for vulnerable web servers that can be hacked, and when one is found, they can then inject their malicious code onto the web pages. If your operating system or one of your applications is un-patched, a malicious program is downloaded to your computer automatically when you access the infected web page.
For instructions on how to disable Java in Google Chrome, go here, for Firefox, go here, for Safari, here and for disabling it in Internet Explorer, click here. You might be tempted to “downgrade” to an earlier version of Java since these new exploits only target version 7 but, don’t do it! The previous versions of Java also have security flaws. Don’t waste time downgrading to an earlier version since it will be equally insecure.
If you absolutely MUST use a Java-enabled browser for mission-critical productivity apps, Brian Krebs over at Krebs On Security suggests users switch to a secondary browser with Java installed, using a Java-less browser for normal browsing and only occasionally switching to a Java-enabled one. This isn’t a bullet proof plan but, it’s safer than surfing the Web with a browser where Java is fully enabled. Good news if you use Google Chrome, you will get a warning every time Java wants to execute and you can decide for yourself whether or not to allow it.