Stump the Geeks

Consumers wise to pay attention to recent Java warning

Correspondent | January 20, 2013

It hasn’t been a great week for the makers of Java.

Oracle, the company behind the programming language that powers both Web and desktop applications, has been scrambling to fix major security flaws in its software after the Department of Homeland Security warned of the potential threat Jan. 10. Through its Computer Emergency Readiness Team (CERT), the government issued some straightforward advice: Unless you absolutely need it, disable Java in your Web browser altogether.

Within days of CERT’s vulnerability notice, Oracle released patches to address part of the problem.

But that wasn’t good enough to satisfy Marc Hoit, vice chancellor for information technology at N.C. State. On Wednesday, his team pushed out an update that shut down Java on every IT-managed system on campus – roughly 10,000 machines. He’s also recommending that students, faculty and staff do the same on their own computers.

Notices aren’t rare

Vulnerability notices – even from the Department of Homeland Security – aren’t exactly a rarity in the IT world. But there are a few reasons why even casual users should pay attention to this one.

For starters, Java runs on an enormous number of machines, and CERT says Windows, OS X and Linux can all be affected.

“Because Java is so ubiquitous, it’s a nice target for malicious hackers to try to go and exploit your machine,” Hoit said in a phone conversation.

The vulnerability is also far from theoretical. In a Jan. 13 security release, Oracle’s Eric Maurice explained that all an attacker needs to do is trick users into visiting a malicious Web page. Once your browser runs the Java application on the page, the attacker is free to run his or her code on your now compromised system.

What’s more, both Oracle and CERT have already spotted these techniques in the wild – and as part of existing hacking tools.

The real issue

There are a couple of things worth noting here, the first of which is that this problem seems limited to Java running in Web browsers, not standalone applications. You can disable the software’s Web capabilities either in-browser or through the Java control panel. Instructions can be found here: www.java.com/en/download/help/disable_browser.xml.
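The "disable in-browser Java" step above, as an added shell example that is not part of the column or of Oracle's own tooling: it audits the per-user Java deployment.properties file for the "Enable Java content in the browser" switch, can turn that switch off, and checks a browser plugin directory for the Java NPAPI plugin. It assumes the Linux/OS X per-user path ~/.java/deployment/deployment.properties, the key name deployment.webjava.enabled that the Java 7 Update 10 and later control panel writes, and the plugin file name libnpjp2.so; Windows users should use the Java control panel route the column links to.

```shell
#!/bin/sh
# Added example (not from the column): audit and disable Java in the browser
# from the command line on Linux/OS X.
# Assumptions: the per-user settings file is ~/.java/deployment/deployment.properties,
# the checkbox "Enable Java content in the browser" is stored as the key
# deployment.webjava.enabled, and the Linux NPAPI plugin file is libnpjp2.so.

web_java_enabled() {
    # Returns 0 (true) when browser Java is enabled, 1 when it is disabled.
    # Oracle's default is "enabled", so a missing file or key counts as enabled.
    f="$1"
    if [ -f "$f" ] && grep -q '^deployment\.webjava\.enabled=false$' "$f"; then
        return 1
    fi
    return 0
}

disable_web_java() {
    # Writes deployment.webjava.enabled=false, replacing any existing value.
    f="$1"
    mkdir -p "$(dirname "$f")"
    if [ -f "$f" ]; then
        # Drop the old key; grep -v exits 1 when nothing remains, which is fine.
        grep -v '^deployment\.webjava\.enabled=' "$f" > "$f.tmp" || true
        mv "$f.tmp" "$f"
    fi
    echo 'deployment.webjava.enabled=false' >> "$f"
}

find_java_plugin() {
    # Returns 0 when the Java plugin (file or symlink, even dangling) sits in
    # the given browser plugin directory, 1 otherwise.
    d="$1"
    [ -e "$d/libnpjp2.so" ] || [ -L "$d/libnpjp2.so" ]
}

# Stand-alone run: report the current state without changing anything.
props="${JAVA_DEPLOYMENT_PROPS:-${HOME:-.}/.java/deployment/deployment.properties}"
if web_java_enabled "$props"; then
    echo "browser Java: enabled (or not explicitly disabled) in $props"
else
    echo "browser Java: disabled in $props"
fi
for d in "${HOME:-.}/.mozilla/plugins" /usr/lib/mozilla/plugins; do
    find_java_plugin "$d" && echo "Java plugin present in $d"
done
```

Run it as-is to audit, or call `disable_web_java "$props"` afterwards to flip the switch; a plugin file reported by `find_java_plugin` means the browser can still load Java unless the deployment setting is off, so check both.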

The second note, which often causes confusion: Java and JavaScript are two different things. I've addressed this difference before, but just remember that JavaScript isn't the problem here and doesn't need to be blacklisted.

Although more fixes to the Java platform are forthcoming, Oracle’s not likely to restore much confidence with IT professionals like Paul Rosenberg, owner of the Chapel Hill repair shop Love Your Computer. For more than a year, he has mostly advised his clients to remove Java. He even gave the same advice to Stump the Geeks readers last April.

He says it’s frustrating to know users – and his customers – are forced to pay the price for inadequate security updates.

“It’s kind of like knowing that in some random circumstance your USB cable to your printer might allow something to come in and trash your OS,” Rosenberg said in an email.

“You’ve got to have that cable for the printer, and you have to have Java for a variety of things (though it is possible to live without it in many cases), so all you can do is hope Oracle diverts more energy from PR to security.”

Send technology questions to stumpthegeeks@newsobserver.com. Please include your name, city and daytime phone number. Sorry, we can’t answer every question.
