Java provides nasty wake-up call

By Nathan Larson
Published 5 Jan 2013

To skip the intro, just scroll down to the What can I do? section. I won't take any offense.

There has been much in the tech security news, especially throughout 2013, about Java and its atrocious vulnerabilities. (And let's not miss this latest report about an ad running on Yahoo.) Oracle, which is responsible for Java, has made some glorious attempts to shore up the virtual machine (VM) that Java depends on to run on pretty much any platform. But vulnerabilities are discovered more frequently than any big company can keep up with, and discovered vulnerability = published exploit. For the most part, we need only worry about Java running malware on either a naughty site or a grandmother-friendly site that has been corrupted by naughty code.

As a disclaimer, I like Java. The language, the write-once run-anywhere concept, the drink. I've taught Java programming, and at least half my classes stayed conscious for much of the lectures. Heck, one of my favorite profs in grad school actually helped build Java. So I'm not a Java basher by any means. I just wish Sun/Oracle could have gotten it right, without putting millions of people's computers at risk.

Do I even have Java?

According to Oracle, roughly 89 percent of computers run Java. It was probably installed for you by the kindly gnomes at your computer's birthplace (they're always so helpful, installing crapware that you'll never want to use). To see if your browser has Java enabled, go to this page and click the red "Verify Java Version" button. If the next page tells you "We are unable to verify if Java is currently installed and enabled in your browser," don't worry about it. Turn off your computer, curl up in bed, and rest assured that you won't be hacked. By a nefarious Java applet, anyway.

Update: If the page shows a grey box that reads "Activate Java applet," you're also safe; Java is installed, but the browser can't activate it.

Otherwise, continue reading...

What can I do?

That depends on your answer to the question: Do you really need Java installed? If you use your computer as part of a corporate environment that uses Java applets or apps (yes, there is a difference), then the first option is for you. If you're fortunate enough to be learning how to program in Java, use the first and second options. If you've never needed it, and don't care what it's for, you might try the last.

Update Java

Updating in the Java world feels a bit like updating in the Windows world. So you're probably used to it. Follow these directions. Make sure you update whenever Oracle feels the desire to warn you about it. The bad guys won't bother.

By the way, if you're using Java version 6, for the love of all things digital, upgrade to 7! Version 6 has gone the way of the dinosaurs as far as updates are concerned. And the bad guys simply love tracking obsolete software across the internet.
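If you're comfortable in a terminal, the version check can also be scripted. The following is an added example, not part of the original article: the function names are made up here, the sample banners are constructed, and it only sees a `java` on the PATH, so it says nothing about whether the browser plug-in is enabled.

```shell
#!/bin/sh
# Added example: classify a Java runtime from the first line of `java -version`.
# Threshold comes from the article (version 6 gets no more updates); raise it
# as later versions are retired.
LAST_DEAD_MAJOR=6

# Print the major version found in a banner line; fail if none is found.
# Handles the legacy "1.N.0_UU" scheme (Java 8 and earlier) and "N.x.y" (9+).
java_major() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p')
    [ -n "$ver" ] || return 1
    case "$ver" in
        1.*) major=${ver#1.}; major=${major%%[!0-9]*} ;;
        *)   major=${ver%%[!0-9]*} ;;
    esac
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

java_verdict() {
    if [ "$1" -le "$LAST_DEAD_MAJOR" ]; then
        echo "obsolete: Java $1 gets no more updates, upgrade or uninstall"
    else
        echo "ok for now: Java $1, install updates as they are offered"
    fi
}

# Check whatever `java` is on the PATH; says nothing about the browser plug-in.
check_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java on PATH"
        return 0
    fi
    banner=$(java -version 2>&1 | grep 'version "' | head -n 1)
    if major=$(java_major "$banner"); then
        java_verdict "$major"
    else
        echo "unrecognised banner: $banner"
    fi
}

# Constructed sample banners, then the real machine.
for sample in 'java version "1.6.0_45"' 'java version "1.7.0_10"' \
              'openjdk version "11.0.2" 2019-01-15'; do
    printf '%s -> %s\n' "$sample" "$(java_verdict "$(java_major "$sample")")"
done
check_java
```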

Disable Java in the browser

This is a pretty easy way to keep Java installed, so you can still run Java applications on your computer, just not through your browser. Oracle has produced a rather nice page detailing how to do this on various systems.

Uninstall Java

The majority of computers run Java. But that doesn't mean you need to keep it (it's free, and trivial to reinstall should you ever need it). Again, Oracle has taken the time to post some rather nice instructions, whether you're using Windows, Macintosh, or Linux (not that you need them, you awesome power user, you).

Have I been hacked?

That, dear reader, is a tougher question to answer. There is no simple thing to type into the command line or browser window to see if your computer has been compromised. The best advice is to use (and keep up-to-date) a good anti-virus tool. Scan your computer on a weekly basis (or more frequently, if you're really worried about it) and update the scanner on a daily basis (there's always a setting for doing this automatically).

Unfortunately, the bad guys are building so many Java exploits into their automated toolkits of evil, with an infinite range of possible resulting nastiness -- from displaying a "gotcha" message to cryptographically locking you out of your computer -- that it's impossible to guarantee you haven't been infected. The only way to make sure? Wipe your hard drive and reinstall the operating system -- with the networking turned off until you've rid yourself of Java.