
Java Vulnerabilities


12 replies to this topic

#1 Xirw


Posted 06 April 2015 - 05:09 PM

Hi, I recently needed java on my computer to go with a plugin for VLC and was wondering if I completely remove java from my internet browser only, is my computer still vulnerable to outside java exploits? I am not a fan of java or adobe flash on my computer but I can live with java if there are no security risks involved.




 


#2 Sintharius


Posted 06 April 2015 - 05:15 PM

You can choose to disable Java on your browsers.

Alternatively you can use an anti-exploit application - the three most popular ones are Malwarebytes Anti-Exploit, HitmanPro.Alert (paid version only) and EMET (Enhanced Mitigation Experience Toolkit). These will reduce the risk of Java being exploited by malware.

#3 Xirw


Posted 06 April 2015 - 05:20 PM

> You can choose to disable Java on your browsers.
>
> Alternatively you can use an anti-exploit application - the three most popular ones are Malwarebytes Anti-Exploit, HitmanPro.Alert (paid version only) and EMET (Enhanced Mitigation Experience Toolkit). These will reduce the risk of Java being exploited by malware.

Thanks for the reply. If I do remove/disable java from the browsers then is that enough so I can't be exploited? (Don't really wanna spend money for a subscription application right now)



#4 Aura


Posted 06 April 2015 - 05:26 PM

It's enough to not get exploited via Exploit Kits using Java. But it's not enough to not get exploited overall via other ways: Office plugins, Adobe Reader plugins, Flash Player, Shockwave, etc. I would install one of the Anti-Exploit software recommended by Alex above for additional security.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Sintharius


Posted 06 April 2015 - 05:36 PM

> Thanks for the reply. If I do remove/disable java from the browsers then is that enough so I can't be exploited? (Don't really wanna spend money for a subscription application right now)

MBAE already provides protection for Java in its free version, and EMET is free (it's from Microsoft after all).

However EMET needs a bit of tweaking, so if you are not comfortable with that (or just plain lazy as I am), then MBAE is good to go. You can get it here.

#6 Xirw


Posted 06 April 2015 - 05:46 PM

> It's enough to not get exploited via Exploit Kits using Java. But it's not enough to not get exploited overall via other ways: Office plugins, Adobe Reader plugins, Flash Player, Shockwave, etc. I would install one of the Anti-Exploit software recommended by Alex above for additional security.

> > Thanks for the reply. If I do remove/disable java from the browsers then is that enough so I can't be exploited? (Don't really wanna spend money for a subscription application right now)
>
> MBAE already provides protection for Java in its free version, and EMET is free (it's from Microsoft after all).
>
> However EMET needs a bit of tweaking, so if you are not comfortable with that (or just plain lazy as I am), then MBAE is good to go. You can get it here.

 

 

Thanks guys appreciate it



#7 quietman7


Posted 06 April 2015 - 06:16 PM

If you don't need or use Java I recommend just uninstalling it altogether.

Using Java is an unnecessary security risk...especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system. Although Java is commonly used in business environments and many VPN providers still use it, the average user does not need to install Java software. I recommend just uninstalling Java if you don't use it. If you must use Java, many security researchers and computer security organizations caution users to limit their usage and to disable Java Plug-ins or add-ons in your browsers.

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.

Krebs On Security: ...Java

To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

US CERT: Disable Java in web browsers
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 rp88


Posted 07 April 2015 - 10:51 AM

There is only 1 reason you might actually need java, that is if you have any desktop programs which require it so they can run. Java's web plugin components are barely used anywhere any more, the context in which you are most likely to encounter them is the context in which they are exploited and give you an infection.


Running a script blocker in your browser is another good idea these days.


http://www.howtogeek.com/134353/how-to-protect-yourself-from-java-security-problems-if-you-cant-uninstall-it/?PageSpeed=noscript

Edited by rp88, 07 April 2015 - 10:51 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#9 quietman7


Posted 07 April 2015 - 11:03 AM

> There is only 1 reason you might actually need java, that is if you have any desktop programs which require it so they can run.

Actually some websites still require the use of JAVA...gaming, educational, and business related...but it is a small percentage.

#10 Aura


Posted 07 April 2015 - 11:08 AM

At least now the Minecraft players don't have to worry about installing Java anymore, since the new launcher has it built-in. It's one thing, but a lot of popular websites continue using it, like the NVIDIA Auto Detect (even though I don't recommend using it to get the right drivers). I'm currently following a class over the web for my school and their platform uses Java. At work, we use Kronos for the payroll, which uses Java as well. So many vulnerabilities. Now with HTML5 and other web-based applications, Java could be entirely ditched and only used in a closed environment if needed, not for the whole web to use it and be vulnerable. Little rant, my bad.



#11 quietman7


Posted 07 April 2015 - 12:23 PM

Business and Educational institutions are historically resistant to change.

#12 Aura


Posted 07 April 2015 - 12:26 PM

And I don't know why. Everyone at work is getting pissed with our payroll platform. Every time a new Java update comes out, we get tons of calls that the platform stops working or that Java throws error messages every second. Yet we are being told to deal with it and that hopefully, someday, we'll change platforms. Before, it was worse since we were stuck on an older version of the platform that didn't support Java newer than J6U13 at the time J7U40 was out. But now we can actually update Java whenever we want, but it's done via a controlled deployment since they are specially packaged. Anyway I'm going a bit off topic here, sorry.



#13 quietman7


Posted 07 April 2015 - 12:30 PM

It boils down to money.



