Disable Java In Your Browser To Avoid A Nasty New Malware-Spreading Attack


With a new attack targeting a security vulnerability in Oracle's Java spreading through the hacker underground and no fix in sight, it may be time for users to deal with the plugin's bug themselves: by unplugging it.

Over the weekend, security firm FireEye spotted a new attack that exploits a vulnerability in Java to install a piece of malware known as the Poison Ivy Trojan on target machines, which communicates with command and control servers in China and Singapore.

While FireEye says the attacks seem to be limited to a small number of targets for the moment, expect them to spread soon. The Java exploit has already been added to the commonly used Metasploit kit. And most troubling for users, Oracle typically patches Java three times a year, with its next update nearly two months away.

"It's just a matter of time that a [proof-of-concept] will be released and other bad guys will get hold of this exploit as well," write FireEye's researchers. "It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit."

In the meantime, users can simply turn Java off in their browsers, a move that means sacrificing functionality on some websites but prevents possible "drive-by download" attacks that invisibly infect PCs via the Web.

For instructions on how to disable Java in Firefox, Chrome and Safari, click here. For instructions on disabling it in Internet Explorer, click here. The newly spreading exploit affects Java version 7; versions 6 and earlier aren't targeted by the latest exploit. But given that those prior versions have their own security flaws, researchers are recommending that users disable Java rather than simply downgrade to an earlier, equally insecure version.

When visiting sites that require Java, security blogger Brian Krebs suggests users switch to a secondary browser with Java installed, using the Java-less browser for their normal browsing and only occasionally switching to the Java-enabled one. That strategy is far from a perfect fix, but it's safer for the moment than using the Web with a vulnerable Java fully enabled.

Java's role as an attack vector is nothing new: cybercriminals have integrated attacks against older versions of Java into the commonly used Black Hole exploit kit since March. In April, the Flashback malware infected more than 600,000 Macs using a Java vulnerability. In response to Flashback, Apple disabled Java by default and set it to automatically disable itself again if a user turns it on but doesn't use it for a certain period of time.

For those who refuse to part with Java, even temporarily until Oracle issues a fix for the latest exploitable bug, researchers Andre Di Mino and Mila Parkour have created their own patch for the vulnerability, though they warn that it has had "limited testing" and suggest users instead simply disable the plugin.

In releasing their patch, Di Mino and Parkour also took the opportunity to point fingers at Oracle, whose lax patching has left Java users vulnerable for months at a stretch, and at Rapid7, the firm that owns the Metasploit toolset and has already updated it to include the Java exploit.

"Feel free to contact Oracle and ask them about their patch cycles," the researchers' note reads. "You can also contact Rapid7 and ask if they ever heard of Social responsibility."