Last week, a new security issue surfaced for a popular programming language known as Java. This Java security issue is classified as a zero-day threat, and it spreads malicious files to unprotected computers. A zero-day threat is an attack that exploits a previously unknown vulnerability in a computer application (in this case Java), which means that the attack occurs on “day zero” of awareness of the vulnerability. As our team at McAfee Labs pointed out, the threat is dangerous: Just browsing a malicious page or clicking a link in spam email is enough to cause an infection.
Java is a programming language and computing platform that runs on practically every device in your home. It powers games, business applications, and chat rooms, and it runs on billions of personal devices (PCs, Macs, iOS, Android, etc.) worldwide. Given its ubiquity, you can see why cybercriminals target Java in the first place. By breaking into Java, criminals can gain access to a global network of devices connected to the Internet.
This Sunday, Oracle released a software update to fix this security vulnerability in Java, which is now available via Oracle’s website. Users can also download the update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab.
While we certainly advise users to download this update right away, readers should be advised that criminals have recently uncovered multiple zero-day vulnerabilities in Java. As stated above, the fact that Java is used on so many devices is a huge draw for attackers. This is the same reason why there are more viruses created for Windows devices than any other platform – to get the most bang for their buck, criminals write software for the most widely-used platforms.
In order to fully protect your computer from this and future Java vulnerabilities, we recommend following the steps below for all devices in your home:
1. Find out if you have Java (and which version you have installed)
The Java website provides an easy way to find out whether or not you have Java installed, and it also shows you which version of the software you have. The process only takes about 10-20 seconds, and you can get there by clicking on the “Do I have Java?” link below the download button on the Java homepage. The version affected by this most recent vulnerability is Java 7, but the bug could impact Java 6 and possibly earlier versions.
2. Remove Java From Your Primary Web Browser
The latest version of Java includes a simple way to disable the Java plug-in in your web browser. Full instructions on how to do this are available here, and they include specific directions for Windows XP, Vista, and Windows 8. Because new Java vulnerabilities are discovered multiple times each year, we recommend that all users either uninstall Java or unplug it from their primary browser.
3. Use an Alternate Browser When Necessary
If one of your favorite websites requires Java, one way to help mitigate risk is to download a secondary browser specifically for that website. For example, if you normally browse in Firefox, disable the Java plug-in for Firefox and use an alternate browser (Chrome, IE9, Safari, Opera) with Java enabled to access your favorite site. One word of caution, however: Make sure that you only access those few necessary sites with your new browser, since the more websites you visit, the higher the probability one of those sites will be compromised. This method is not fool-proof, but it can help mitigate risk.
4. Download (Free!) McAfee SiteAdvisor Software
McAfee SiteAdvisor is an award-winning browser plug-in that gives safety advice about websites before you click on a risky site. With SiteAdvisor installed, your browser adds small site rating icons to your search results to alert you to potentially risky sites and help you find safer alternatives. The technology is free, easy to install and even easier to use, and you can access the download page here.
In addition, you can help protect all devices you own from similar security exploits (including your PCs, Mac products, smartphones, and tablets) by downloading McAfee All Access.