Now it is time to get rid of Java. Remove Java from your web browser now. You need to do it if you care about your security at all. The Finnish Communications Regulatory Authority's CERT-FI site and security company F-Secure’s Chief Research Officer Mikko Hypponen call for the removal of Java software from browsers. Most of the recent Java runtime environments, i.e. JRE 1.7x, are vulnerable. Older versions are not vulnerable to this specific security hole, but they have other holes, so using them to get around this one is not recommended either.
A recent bug in Java opens a hole in your computer for intruders. The situation is serious: “Attackers Pounce on Zero-Day Java Exploit”. The hole is being exploited for real, and the aim is to use the victims' machines. The attackers have hit popular sites. The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack.
It will be interesting to see when Oracle plans to release a patch; until then, most Java users are at the mercy of this exploit. The Oracle patch cycle is 4 months (middle of February, June, October), with bugfixes 2 months after the patch. The next patch day is October 16 – almost two months away. There is a “3rd-Party Patch For New Java Zero-Day”, but you know what would be a better idea than patching Java? Uninstalling it.
Disabling Java in your browser is the best solution: “Users urged to disable Java as new exploit emerges”. The “How to Unplug Java from the Browser” article tells you how to do that. In Mozilla Firefox this is easy: from the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser. I did that to my browser to be safe.
Although Java is on almost each and every computer, you can in most cases live very well without it. Mikko Hypponen has for some time recommended getting rid of Java in the browser because “there will always be bugs in Java” that cause serious security issues quite often.
If you have to use an on-line service that absolutely needs Java (some on-line banking systems, for example), then I would suggest a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.
UPDATE August 31: Oracle has been quick in trying to solve this Java security issue. Oracle has just released an updated version of the Java software (Java 7 update 7). It has fixed four vulnerabilities. Update your Java to that newest version immediately. And I think it is still a good idea to keep Java turned off in your browser unless you absolutely need it.
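To check which machines still need the update, the version banner printed by `java -version` can be sorted into the groups this post describes. This is an added example, not part of the original post: it assumes the classic banner format `java version "1.7.0_06"`, the function names are hypothetical, and the sample banners are constructed.

```python
import re

# Assumption: classic banner line, e.g.  java version "1.7.0_06"
VERSION_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')
FIXED_UPDATE = 7  # Java 7 update 7, the fixed release named in the post


def classify(banner):
    """Map a `java -version` banner to a status based on the post's statements."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"  # Java missing or banner in another format
    major = int(m.group(1))
    update = int(m.group(3) or 0)  # a bare "1.7.0" means update 0
    if major < 7:
        # Not hit by this specific hole, but the post warns of other holes.
        return "older-branch"
    if major == 7:
        return "affected" if update < FIXED_UPDATE else "patched"
    return "unknown"  # releases the post does not cover


def needs_action(inventory):
    """Return the sorted host names whose Java should be updated or removed."""
    return sorted(
        host for host, banner in inventory.items()
        if classify(banner) in ("affected", "older-branch")
    )


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE = {
    "ws-01": 'java version "1.7.0_06"',
    "ws-02": 'java version "1.7.0_07"',
    "ws-03": 'java version "1.6.0_34"',
    "ws-04": "java: command not found",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE.items()):
        print(host, classify(banner))
    print("needs action:", needs_action(SAMPLE))
```

A "patched" result only covers the installed runtime; whether the browser plugin is enabled still has to be checked in each browser.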