Posted by: Ed Tittel
Ars Technica reported that the hurry-up fix delivered on 8/30 for Java to address a slew of vulnerabilities reported by Polish infosec firm Security Explorations– namely, Java version 7 update 7 – itself remains vulnerable to possible e-mail or Web-based attacks. As with the previous round of vulnerabilities, the latest discovery also confers complete control over PCs should a successful exploit be launched against this vulnerability. Needless to say, Security Explorations is NOT sharing the exploit details with the general public, for fear that malefactors could turn this vulnerability into a successful exploit in the meantime.
When I reported the initial circumstances that led to Oracle’s hurry-up release of Java version 7 update 7 in my blog entitled “Possible Java Exploits Can Expose PCs to Attack,” I got an e-mail from a very close but not terribly tech-savvy friend who informed me that it’s all well and good to tell readers to disable or uninstall Java, but it’s even better to provide some step-by-step instructions on how to do these things. I did advise readers only to enable Java on trustworthy sites, so I will explain here how to do the following:
(a) how to assess site trustworthiness
(b) how to disable (and re-enable) Java in IE, Chrome, Firefox, and Opera
How to Assess a Site’s Trustworthiness
This is actually pretty easy. You need only use a Web reputation site of some kind to check out any unfamiliar URLs before you go to visit any associated Web pages. For example, here’s McAfee’s rating of the site “Java.com” whence all Java updates come:
You can jump to any of these links to check Web reputation for sites you don’t already know and trust: TrustedSource (McAfee), Web of Trust (WOT), the Trend Micro Site Safety Center, BrightCloud Webroot Reputation Index (Webroot), and the Norton Safe Web (Symantec), among many others. Such checks are highly recommended if you’re jumping anywhere off the well-trodden Internet path to big-name company and information outlet sites.
The only sure-fire way to completely disable Java is to uninstall it. One way to do that is to click Control Panel, Programs and Features, then right-click Java 7 Update 7 (or whatever version you might be running) and select “Uninstall” from the resulting pop-up menu. If you don’t have Java on your PC, it can’t be used against you, either.
But alas, some sites require Java to work properly (including some of my favorites, such as DriverAgent.com) so it may be necessary to turn Java on and off depending on where you plan to take your browser at any given moment. Here are abbreviated instructions for various browsers with links to more detailed (and illustrated) tutorials for those who might need them:
1. Internet Explorer: Click Tools (you may have to turn on the Menu Bar to make this selection visible), Manage Add-ons. then select the Java Plug-in, and click the Disable button. Click Close and OK to accept this change. Reverse the process (Enable) to turn Java back on. Tutorial.
2. Chrome: Type chrome://plugins into the URL address box, then click the Disable link in the Java entry area. Tutorial.
3. Firefox: Click Tools, Add-ons, Plug-ins, then click the disable button to as many Java-related entries as appear (in my browser this was Java Deployment Toolkit and Java Platform; YMMV). Tutorial.
4. Opera: Type opera:plugins into the URL address box, then disable any and all Java plug-ins you may find there (as with Firefox, you’ll often find both the Java Deployment Toolkit and the Java Platform; disable both). Tutorial.
Hopefully, this will help people not only hear the word about Java and spread it further, but also to act on the best methods to turn it off or disable it as circumstances may dictate, or allow.