The JAVA Exploit

Welcome to another “tech blog.” I apologize for the delay in posting at least once a week. Sometimes the ‘local’ job takes over and doesn’t give me the time needed. This edition (Oops, I started to say ‘this week’s edition’) has a very important, urgent message pertaining to your computer’s safety. The JAVA exploit In mid-January the US Department of Homeland Security advised that users disable/uninstall Java. The government felt this unprecedented action was needed because the need was so severe. Based on their advisory and Oracle’s failure to fix the issue (exploit), Java is a real and present threat to our computers and privacy as well as the potential to threaten national security.

The main problem is that a whole new industry has formed in the last few years. This industry creates “exploit kits” which are then sold by the writers, at up to $3,000 each, to fund themselves and to help others in their ‘community.’

Exploits locate software on your computer that has vulnerabilities which allow them to deliver their “payloads” without your knowledge. This is bad enough that just going to a compromised web site will infect your computer, if certain situations exist. Most  common websites are safe, but that is no guarantee that it won’t be infected tomorrow (before it can be cleaned) when you visit. The scary part? It is not targeted sites, but random sites. So if a site is not vigilant in protecting itself, it unwillingly infects patrons who visit their site. Most infections according to recent research suggests that close to 50% of all infections are from the ‘Black Hole Kit.’ What does the ‘Black Hole Kit’ target? Java. I must interject here that Java is not Javascript. Java is a separate program which is installed on most computers whereas Javascript is a part of most web browsers and is needed. Some websites use Java, but most do not and is therefore pretty much useless to have ‘hanging around’ on your computer. Please read on. Oracle, which owns Java, has distributed, via its automatic updates, a patch to the affected Java exploit. But it is merely adjusts the safety settings, which can be ‘un-adjusted’, and does not fix the actual issue at hand. You may say but “I have anti-virus software running on my computer.” Here’s the truth on that. It takes most anti-virus companies a few days to ‘catch’ and decode a root kit, which is what delivers the ‘payload’ of virus/trojan to your computer. In fact, most of the big players, like Norton, McAfee and AVG, have ranked the slowest in protection against new threats.

 

There are several more viable, and usually cheaper, AV software available, but most people don’t know about them because they don’t spend huge sums of money to advertise themselves. I personally use Internet Security Complete 2013, from Comodo, for my computers and use VIPRE, from GFI, on jobs that I do for corporate/business customers. Both of these programs have performed very well in my endeavors and always rank well in the research community tests. Oh, and they are both cheaper than the ‘big’ boys per year.

Don’t get me wrong, I am not advocating that you abandon your current protection software and buy something else. If you are happy and comfortable with what you have, please continue to use it. I am not a salesperson for these products, I just know, from experience, that they work. Getting back on topic here, Java has a problem which allows ‘code’ to be injected on your computer, just by visiting an infected page, and this action will not be detected by most security software until it’s to late. Remember, you will have no way of knowing that a page is infected and most protection software will alert you only after the ‘bad stuff’ is already on your computer. So, you are now asking, “How do I protect myself?” For the time being, uninstall Java. As noted previously, it is mostly not needed now and is just an open door with a big bulls-eye on it. If you go to a website that still requires you to have Java, it will give you the option of downloading it, or it will let you know that you need it. If you really need to use that site, you will have to consider re-installing it. My thought: Find another website that doesn’t require Java. Uninstalling Java is just like uninstalling other programs from your computer via the control panel. Remember Java is not Javascript, which is built into your operating system. I uninstalled mine (Java) last fall and have only had one website tell me that I needed it. Summary? Java has a problem and, in my opinion, needs to be removed from your computer. This small step will help to curb the spread of malware by not giving it access to your computer, which in turn, prevents it from being spread to another computer. Thanks for reading. Until the next blog, Rob