Disable Java? Here's how, after US agency warns of software 'vulnerability.'
To prevent cyber crime, the Department of Homeland Security advises Americans to temporarily disable Java 7 software, commonly used in Web-browser programs.
Paul Sakuma/AP/File
(Updated Saturday, Jan. 12, at 3:30 p.m. EDT.)
With an eye on the security of millions of Internet users, the US Department of Homeland Security is advising Americans to temporarily disable Java, a software commonly used in Web-browser programs.
It’s not that Java itself contains a malicious computer virus. The problem is what the agency calls a software “vulnerability,” a kind of open door for hackers to infiltrate a computer. That can result in identity theft or other bad things happening on your computer.
The urgent warning, in response to known hacker activity, comes from the US Computer Emergency Response Team, or US-CERT, a part of the Homeland Security Department. [Editor’s note: This paragraph and the following contain corrected wording, to clarify the distinction between US-CERT and CERT.]
“We are currently unaware of a practical solution to this problem,” said a notice released this week by CERT, a group at Carnegie Mellon University in Pittsburgh, which often provides technical services to US-CERT.
The recommendation highlights the rising threat level in the realm of cybersecurity, and the growing efforts to make devices and networks more secure. The vulnerability in Java is just one piece of that puzzle, but it’s significant because the software is so widely used in Web browsing.
If you want to follow US-CERT’s advice and disable Java, how do you do that?
First, if you use a Mac computer from Apple, the answer appears to be simple. According to reports by technology websites including MacRumors.com, Apple has already moved to force a disabling of Java on Macs with the OS X operating system.
For other computer users, a first step may be to check what version of Java you're running. The US-CERT announcements focus on Java 7. Computer-security blogger Brian Krebs notes some uncertainty about whether other versions going back to Java 4 are affected. But he points to evidence suggesting the problem is limited to version 7.
Oracle, the owner of Java, said on Twitter that the problem is limited to "JDK7," or version 7, and that it hopes to have a fix available "shortly." (JDK stands for Java Development Kit.)
Mr. Krebs suggests that Internet users visit a Java Web page where they can confirm whether the software is running on their machines, and which version. Click the “Do I have Java” link, which is below a big red “download” button.
Now, if you have a version of Java you want to disable, here’s what US-CERT said Thursday: “Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.”
Citing a document from Oracle (Java’s corporate owner), CERT describes the following steps:
1) Make sure you have Java 7 Update 10. If not, you can upgrade. (A quick reminder: As this story just noted, if you have version 6 or prior, you may not want to upgrade or disable Java for now.)
2) Go to the Java control panel.
3) In the Security tab, de-select “Enable Java content in the browser.”
If you can’t upgrade to Update 10, CERT says to see a different "vulnerability note" it wrote for browser-specific instructions on disabling Java.
Beneath the “solution” heading in that note, you can search for the name of the browser program you use.
The note says the process of disabling Java is “significantly more complicated” if Microsoft’s Internet Explorer is your browser. An expedient answer may be to temporarily use a different browser. Computer experts generally advise the less sophisticated among us not to try adjusting your computer’s registry, which is called for to implement some of CERT’s Explorer-related options.
CERT's security warning also includes some added advice and context that's helpful to keep in mind.
"An effective way of mitigating risk of web browsing is to use separate browsers for different activities online. For example, if you do online banking, choose a browser to use for banking and nothing else," the note says. "This can help minimize the risk of a malicious web page being able to interfere with the banking activity."
CERT says the same concept can be applied to Java. If you have a must-use website that requires Java for its functioning, then configure one browser to be Java-enabled, and only use that browser for accessing that trusted site.
Finally, blogger Krebs notes that the Java software in the news is distinct from something else, called JavaScript. But JavaScript has its own security gaps. For his part, Krebs suggests disabling JavaScript, and then selectively enabling it for use on specific websites where you know you want to use it.