U.S. Says Disable Java: Download Latest Version
The U.S. Department of Homeland Security is warning computer users that a vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.
A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. Homeland Security says that an attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected, including Firefox, Safari, Internet Explorer and Chrome, as well as browsers on Apple Macintosh systems. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.
How to Disable Java
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From "Setting the Security Level of the Java Client":
A Security Level slider has been added to the Java Control Panel (under the Security tab) to control the behavior when attempting to run unsigned apps (either from the web or local). The user can select low, medium, high or very high security settings. There are fewer security warnings at the lowest setting. While it is called the "Security Level control" (or slider), it can be thought of as the ability to control the level of notification you will receive when the browser attempts to run unsigned Java apps.
The following list summarizes the behavior of the different levels:
- Low: Most unsigned Java apps in the browser will run without prompting unless they request access to a specific old version or to protected resources on the system.
- Medium: Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. (The JRE version should not be expired and should be at or above the latest security update release of Java from Oracle.) You will be prompted if an unsigned app requests to run on an old version of Java. To download the latest version of Java, go to java.com.
- High: You will be prompted before any unsigned Java app runs in the browser. If the JRE is expired or below the security baseline, you will be given an option to update.
- Very High: Unsigned (sandboxed) apps and local applets will not run.
The default security level is medium.
Additionally, there are two checkboxes available in the Java Control Panel (under the Advanced tab) that are relevant to unsigned apps:
- Show sandbox warning banner: Disables the warning icon that appears next to top level windows opened from an unsigned app.
- Allow user to accept JNLP security requests: Allows an unsigned app that is deployed via JNLP to ask the user for increased access to computer resources like the hard drive or the printer.
For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting "Enable Java content in the browser" in the Java Control Panel under the Security tab.
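The Control Panel steps above are one machine at a time; an administrator who has to confirm that a fleet is in the recommended state wants to check the file behind those settings. The following is an added example, not code from the article or from Oracle. It assumes that the Java Control Panel persists the Security Level slider and the "Enable Java content in the browser" checkbox in deployment.properties under the keys deployment.security.level and deployment.webjava.enabled, and that a system-level deployment.properties can pin a key against user changes with a "<key>.locked" line; verify those names against the deployment guide for the JRE version in use. Both sample files are constructed for the example.

```python
"""Audit a Java 7 deployment.properties file for the two settings the article
recommends: browser Java content switched off, and the Security Level slider
raised above the Medium default.

Assumed (not taken from the article): the keys 'deployment.webjava.enabled'
and 'deployment.security.level', and the '<key>.locked' pinning convention.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEB_JAVA_KEY = "deployment.webjava.enabled"   # assumed key for the Security-tab checkbox
LEVEL_KEY = "deployment.security.level"       # assumed key for the slider
LEVEL_ORDER = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]  # slider positions, lowest first
DEFAULT_LEVEL = "MEDIUM"   # article: "The default security level is medium."
MINIMUM_LEVEL = "HIGH"     # article: prompt before any unsigned app runs


def _split_kv(line: str) -> Tuple[str, str]:
    """Split a .properties line at the first unescaped '=' or ':'.
    A line with no separator is a bare key (e.g. '<key>.locked')."""
    escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in "=:":
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key/value lines; '#' and '!' lines are comments. Values are kept raw."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = _split_kv(line)
        props[key] = value
    return props


@dataclass
class Finding:
    key: str
    value: Optional[str]   # None when absent, i.e. the Control Panel default applies
    ok: bool
    locked: bool           # pinned by '<key>.locked', so a user cannot lower it
    note: str


def effective_level(props: Dict[str, str]) -> str:
    """Security Level in force; an absent key means the Medium default."""
    return props.get(LEVEL_KEY, DEFAULT_LEVEL).upper()


def audit(props: Dict[str, str]) -> List[Finding]:
    """Check both settings and report each one with a short reason."""
    findings: List[Finding] = []

    web = props.get(WEB_JAVA_KEY)
    web_ok = web is not None and web.lower() == "false"
    findings.append(Finding(
        WEB_JAVA_KEY, web, web_ok, WEB_JAVA_KEY + ".locked" in props,
        "Java content in the browser is disabled" if web_ok
        else "browser plug-in, Deployment Toolkit and Web Start stay reachable"))

    level = effective_level(props)
    level_ok = (level in LEVEL_ORDER
                and LEVEL_ORDER.index(level) >= LEVEL_ORDER.index(MINIMUM_LEVEL))
    findings.append(Finding(
        LEVEL_KEY, props.get(LEVEL_KEY), level_ok, LEVEL_KEY + ".locked" in props,
        f"level {level} prompts before unsigned apps run" if level_ok
        else f"level {level} lets unsigned apps run without prompting"))
    return findings


def is_hardened(text: str) -> bool:
    """True only when both findings pass."""
    return all(f.ok for f in audit(parse_properties(text)))


# Constructed samples, not real files: the shipped defaults, and a system-level
# file that turns browser Java off and pins both keys.
WEAK_SAMPLE = """\
# constructed: defaults as shipped
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

HARDENED_SAMPLE = """\
# constructed: system deployment.properties pushed by the administrator
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(f"[{name}] hardened={is_hardened(sample)}")
        for f in audit(parse_properties(sample)):
            print(f"  {'OK  ' if f.ok else 'FAIL'} {f.key}={f.value!r}"
                  f"{' (locked)' if f.locked else ''}: {f.note}")
```

Point the script at the system-level file rather than a user's copy: a user-level deployment.properties can re-enable browser Java unless the system file pins the key, which is why the audit reports the locked flag next to each value.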