Hackers have found a flaw in Oracle's Java software that allows them to break into users' computers and install nasty malware, security experts report. The attack, first spotted on Sunday by researchers at the security firm FireEye, is what security types call a "zero-day" threat, exploiting a previously unknown vulnerability for which there is currently no fix available.
The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. So far the attacks have been against PCs, but Mac users are vulnerable as well. Businesses should be especially concerned about targeted attacks, but just about anyone who uses Java on the Internet is at risk, especially since the attack has been added to the Internet's most popular hacking kit, BlackHole.
Given the potential seriousness and pervasiveness of the attacks — and Oracle's reputation for being slow on the draw in response to Java vulnerabilities — experts say that everyday Internet users should probably just disable Java entirely. Like, right now.
"Java has been the most exploited program for well over a year now and it simply isn't worth the risk," Chet Wisniewski of the security firm Sophos told me in an email. "I would recommend removing Java entirely, if you can."
That's not as problematic as it might sound. Java is not as popular on websites as it once was, and the average browser will rarely run across it, Wisniewski says.
To disable Java, you usually don't have to uninstall it from your operating system — you can just disable it in the main browsers that you use. The procedure is slightly different for each browser, but it's actually pretty simple for all of them except Internet Explorer. (One important note: Java should not be confused with Javascript. Disabling Javascript will result in a bunch of websites not working properly, and it won't do anything to address this threat.) Here are the basics for disabling Java:
In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
In Google Chrome, type "Chrome://Plugins" in your browser's address bar, then click the "Disable" button below any Java plug-ins.
If you're an Internet Explorer user, the process is a bit more complex. The blog Krebs on Security summarizes a procedure that "may or may not work." Alternatively, you could uninstall Java from your system, provided you don't need it for some particular application or website that's important to you.
For those who can't live without Java, Wisniewski's blog post at Naked Security offers a few other suggestions.
One final point: This flaw does not appear to affect the previous version of Java (Version 6, aka 1.6), which is the default on most Macs. So while Mac users are theoretically as vulnerable as Windows users, only those who have specifically installed Java 1.7 should be at risk.
Jodi Arias: Death Penalty Would Cause More Pain
Looking for Love? Take the Prague Metro
Crews Race to Find Survivors of Okla. Twister
First Person: Baby Falcons on a New York Bridge
Oklahoma: Images of Devastation, Reunion
Reunited Dad, Son: 'We Just Praise God'
Slow Pokes: Acupuncture Helps Sick Turtles
Moore, Okla. City of Reunions, Tears After Storm
Former IRS Chief: Can't Say How List Happened
Gov. Fallin: Okla. Facing Horrific Disaster
Tim Cook Defends Apple's Tax Accounting
AP Photograher: 'It Was a Miracle' They Got Out
Raw: Crews Search for Survivors of Okla. Tornado
Raw: Tearful Reunion After Okla. Tornado
OKC Hospital Describes Treating Tornado Wounded
Obama Pledges Urgent Aid for Tornado Victims
Raw: Massive Funnel Clouds in Oklahoma
DWTS Crowns a Winner
Police Ram House to End Hostage Standoff
Crowd Chants '¡Si, Se Puede!' After Passage of Immigration Bill
Demi Moore a Rocks Bikini at Harry Morton's Family House
Anthony Weiner: I'm running for New York City mayor
Kate Middleton's Dress Flies Up
VIRAL: Baby makes epic soccer goal
The Hangover Baby All Grown Up
Olivia Munn Flaunts Her Bikini Bod
Britney Spears Under Fire Once Again For Being A Bad Mom
Arias Tells Jury What She'd Do if She Gets Life
The all-new Xbox One
RAW: Massive tornado strikes Oklahoma
Nidal Hasan paid $278K while awaiting trial
VIDEO: Teacher reunites mother and son after tornado levels elementary school in Oklahoma City
Okla. tornado survivor finds dog buried alive under rubble
Jennifer Lawrence Gets Naked and Painted Blue as X-Men's Mystique
Pickler's Dance Moves Cause A Stir
Obama to tornado survivors: The country stands beside you
Reporter Cries Over Devastation
