Tech Alert: Update Java NOW

[lolmac]

How recently did you install an update to Java?

If your answer is "Last week" or "Last month" or "Huh?  What's that?" or, in fact, anything other than "Yesterday" or "Today", go thou and update.  Now.  Then come back here and I'll tell you why, but seriously, DON'T WAIT.

http://www.java.com/en/download/inc/windows_upgrade_xpi.jsp

It usually comes as a file named 'jxpiinstall.exe'.  The file will also offer to install the Ask toolbar: uncheck this and proceed.

After installation, go into your control panel and un-install any older versions of Java that might be lurking (Versions 6 or less). The patched version is Version 7 Update 7.

ETA:  link to all downloads:  http://java.com/en/download/manual.jsp -- the Mac update is about mid-page.

So.  Why?


Late Sunday night, a 'zero-day exploit' was discovered 'in the wild', using two vulnerabilities in the current version of Java.  By late Monday, the exploit had been incorporated into the kits used by malware developers.

- - - - -
Department of Very Basic Geekspeak Translation for Non-Geeks:

Java:  a software platform that runs a ton of software all over the friggin' place.
Zero-day exploit:  evil code that is a problem RIGHT NOW, for which a defense has not yet been developed and released.
In the wild:  It's already out there and can hit your computer.
- - - - -

Translated into English: in the first half of this week, the Bad Guys were handed the key to your computer.  This specific hole allows successful infection of a fully patched computer running any standard security software.  It doesn't even matter what browser you're using:  it can slip through IE, Firefox, and Chrome.  It works on Macs as well as PCs, and not even Ubuntu is safe -- the vulnerability is that pernicious.  No patch existed to block the hole.  And here's the rub:  Oracle, the company responsible for issuing security patches, wasn't planning to do anything about it until October.

By Wednesday morning, the IT blogosphere was recommending that people uninstall Java from their computers, or shut it down in their browsers.  The catch is that there's a metric buttload of Java out there, running many of the widgets that we use on the web.  This kind of translated into "Stop doing anything online."

By Thursday morning, infected code had been found on over a hundred websites, and the IT blogosphere was howling for Oracle's blood -- especially since it was discovered that Oracle had been informed of the vulnerability in April.

Oracle released the patch on Thursday afternoon.

You haven't heard any of this?  Well, Oracle hasn't been talking about it.  They never said, "Yes, it's a problem, and we're working on it and we'll have your fix ASAP."  They didn't say bupkis.  They didn't even promote the patch when it was released.

So, if you haven't heard of it before this -- Congratulations!  You are among about at least half a billion people who are still at risk, because a patch ain't worth spit until it's applied.  Actually, by this point, I REALLY hope you're not at risk any more, because you did go update Java back at the beginning of this post, right?  You're safe now?

This isn't entirely over -- you may hear me saying this all over again soon, since Java is the shiny new channel for the malware goons.  I don't think they've discovered Tumblr or Pinterest or similar sites yet, but if they do -- well, how many sites can you think of where everyone happily clicks away on any and every link they see?

There's a bright spot:  in my earlier posts, I've been a fervent advocate of running AdBlock in whatever browser you favour -- it's available for Chrome now as well as Firefox.  (If you use Internet Explorer, except under duress, please schedule me for an intervention, stat.)  Guess what?  It's not a perfect protection against malware, but it's a damned good first step.  Run an adblocker, use an anti-malware scan as well as an anti-virus, don't click on funny links in emails, talk to an IT person when you seen weird stuff going on, and you've already lowered your chances of getting hit by an impressive amount.

And now, go update Java if you haven't yet.  Please?


ETA2:  the same group that originally identified the vulnerabilities in Java and told Oracle about them has analyzed the patch.  They report that there are still holes, although they're different holes from the ones that are already being used by the Bad Guys.  This means that the Bad Guys will find them, sooner or later (probably sooner).  More patching will be needed.

In the interim:  the safest thing is, well, never to go online.  Next safest:  uninstall or disable Java.  Next safest:  stay fully patched, use an adblocker, run regular anti-malware scans, don't click on weird links in email.

For advanced students:  one approach is to bifurcate your browsing.  If there's a site that you MUST use that requires Java, run that site in one browser -- Chrome, say, or even IE -- and do the rest of your browsing in another browser, such as Firefox.  Turn off Java in that browser.  This was the approach I had everyone use at work this week, since our daily operations REQUIRED use of a professional website that ran almost entirely on Java.

Revision:  see ETA4.  There's now a patched version of Java 6.
It's been pointed out (and not just here) that the exploit only works in the most recent version of Java.  Can't we just roll back to an older version, or stick with an older version if you haven't updated?  Unfortunately, no, not really.  The older version has a different set of security holes:  that's why the new version came out.  If you roll back, you've locked the front door and unlocked the back patio.

On the one hand:  this is the newest, most fashionable vector, bringing you the latest in custom tailored malware.  This is where the crooks are focusing their efforts.  So if you don't update, you're vulnerable to the older threats; if you do update, you may be vulnerable to the newer ones, as they're developed.  Personally, I'm staying updated.

ETA3:  Thanks to dbskyler, here's an outstanding article on the Mac situation, including a good description of bifurcated browsing.


ETA4:  Oracle has released a patched version of Java 6:  it's Version 6 Update 35, and you can find it here.  This may be the best interim solution.  Unfortunately, it isn't available for the Mac.  If you want to go that route, uninstall Java 7, reboot, and then install 6.35.

Be safe, everyone.

Comments

[alternatealto.livejournal.com]

Heard and obeyed, Oh Queen!

And also signal-boosted. Thanks!

[justice-turtle.livejournal.com]

You do realize you're one of the only people who could get me to click on an "install" link right away, no questions asked... ;-)

*toodles off to forward news to my family, because their resident geek is my dad and he hates Java / won't support it*

[magnavox-23.livejournal.com]

Done & done! Thank you. <3

[campylobacter.livejournal.com]

For Mac users:

The Java 7 patch link goes to a .exe file, which won't run on Macs.

Brute force Mac solution: DISABLE JAVA
1. Go to Applications > Utilities > Java Preferences
2. Under the General tab, uncheck the "On" ticky boxes.

New vulnerabilities found in latest Java update (http://reviews.cnet.com/8301-13727_7-57504640-263/new-vulnerabilities-found-in-latest-java-update/)

[sid]

I took care of it on my PC and then went to update my netbook...only to find out Java isn't even installed on my netbook. Which is weird, because when I was dealing with Java on the PC, I had my browser open to DW and LJ, and I had to close the browser because it was using Java. So somehow I am accessing DW and LJ on the netbook without needing Java? Oh, well. The mysteries of computers. Might be something to do with the more up-to-date OS and browser on the netbook, I suppose.

[flywoman.livejournal.com]

Hate to be a bother, but where can we download the patch for Macs?

[bookblather.livejournal.com]

Right here. (http://www.java.com/en/download/mac_download.jsp?locale=en)

[hermit.livejournal.com]

Weird. My work PC updated itself first thing this morning after I clocked in, but I had to manually update my laptop just now. *scratches head*

Oh, well - better late than never. Thank you!

[blackmare.livejournal.com]

Here via alternatealto's link, and I just had to say that as a native of Florida, I am tempted to add you to my f-list based on your icon alone.

Also, I am away from home and using an iPad right now, so updating ... does this apply to mobile devices?

[dbskyler.livejournal.com]

Apparently it's only an issue if you're running Java SE 7? I have a Mac, and I ran the check recommended below by Macworld, and I'm running SE 6, so I should be fine.

http://www.macworld.com/article/1168358/java_security_threats_what_you_need_to_know.html

Obviously it's still a major concern that the flaw exists and is being exploited, but I thought I'd pass on a ray of hope for the slightly-behind-the-times people like me.

[thothmes.livejournal.com]

Thank you for the sage words of advice, and the fascinating reading that you linked to in giving them. The five computers in the house are now all nicely updated and winnowed of their old versions, and I've (no doubt) insulted the IT intelligence of my offspring in the Philly area by letting them know too.

Middle Daughter (who has strenously resisted parental efforts to teach her about computer security vulnerablilities and best practices, because she and her little friends know allabout computers, unlike some of us fogeys who don't know a thing about navigating Facebook, so she doesn't need to heed our warnings, right?) has had her email hacked today. She wouldn't listen to me and do anything about it, so I just sent Beloved Husband in to put the fear of God (or at least hackers) in to her. Let's hope she'll listen to him.

*headdesk* *headdesk* *headdesk*

[lolmac]

Not a bother -- I should have thought to include this link too:

http://java.com/en/download/manual.jsp

That's the general download page. The Mac download is the second main section. I've edited the post to include this.

[lolmac]

That's probably caused by slightly different administrative settings, with the work computer set to run out and grab updates much more frequently than the default setting. That's one of the reasons I decided to do this post -- a patch is worthless if it's not applied, and at least half a billion computers are running Java that only updates once a month, or even less.

This particular exploit only targets the most recent version of Java, so computers running older versions were safe -- but there are other exploits aimed at the older versions, so the safety is pretty much illusory.

[lolmac]

I adore you! You asked a question that required me to go learn the answer. I don't have an iPad or iAnything, so I hadn't researched that side. Now I have!

The answer: Steve Jobs hated Java, and no iWidget will run it without some kind of unsanctioned workaround. The workarounds do exist, but this is one good reason not to do it.

I hope you have an anti-malware scanning app on your iWidget, though. That's another vector that's being targeted a lot by the malware goons.

Re the icon: you can actually blame alternatealto for that one, in fact, since she originally sent me the link to the source image!

Friend at will if you like, and be very welcome! The lolmac journal is all LOL images for MacGyver, Stargate, etc., and is updated every weekday; this journal is where the personal stuff goes. I'm an expat, having come from the Pacific Northwest to the alien country of Florida. I originally started this journal to let my LJ friends know where my partner and I were during the cross-country drive, and continued it afterwards.

Beth

[primsong.livejournal.com]

Thanks! I'm punting this to my engineering hubby to see if he's already done this or not - mucho gratitude-o!

[lolmac]

You're welcome!

[lolmac]

*scratches head* Yeah, that one's got me stumped! Unless the Netbook is an iWidget of some sort?

Or -- possibly -- since DW and LJ don't actually require the Java plug-in, it may never have been invoked on the netbook (especially if the netbook is relatively new, and you mostly use it to visit DW and LJ). In that case, it hasn't been installed yet, although it might yet make whiny noises and ask for it.

[lolmac]

See note about updating Java even if you then disable it -- which might be a reasonable solution for your father.

[lolmac]

*HUGS*

[lolmac]

Well, I just did my third ETA update, thanks to fine feedback such as this! That is a GREAT article.

The professional consensus is that, for PCs at least, it's riskier to run the older versions, which have their own vulnerabilities. Even if you have a Mac, there's room for concern: one of the more serious attacks earlier this year targeted Macs running Java, as mentioned in the article you linked. The very bright side is that, as detailed in that same article, the new generation of Macs have some very nice safeguards built in. So yay Apple!

[lolmac]

*headdesk with you*

Gaaah. One of the biggest issues in my professional life, at present, is dealing with the fallout from clients whose emails have been hacked . . . we're one of the subsequent targets, and it's part of our job to keep our compromised clients safe from fraud and theft.

[lolmac]

*bows* You betcha!!

[lolmac]

See also ETAs in the main post -- Skyler passed on a really good article on the situation for Mac users.

[thothmes.livejournal.com]

And this kind of willful ignorance is also why she is not allowed to use the computer I'm on now. I've password protected her out.

Knocking down my 2 TB drive and making it non-functional was its own consequence. She lost most of her music, which she'd uploaded to the drive, and then left the original CD's in a friend's truck, where her then-boyfriend stole them.

The only thing I lost and didn't have backed up was my TurboTax files, because I had hard copy instead, and didn't like the idea of my tax files sitting around where they could be easily hacked.

Paranoia is our friend!

[campylobacter.livejournal.com]

That's teenaged logic for you: knowing how to use 30% of Facebook's user interface features 90% of the time = understanding admin-level security issues for operating systems & web browsers. >___<

[campylobacter.livejournal.com]

Thanks. I'ma wait for more definitive patches from Oracle before enabling Java again. (I'd disabled applets when the first Java vulnerability appeared in the spring.)

[thothmes.livejournal.com]

It's all complicated by the fact that her generation has lived so much of their lives out in public on Facebook and other sites, that they have no concept of privacy and security. She sees it as "So a hacker gets into my computer. So what. It would just be a matter of oversharing, really." She doesn't have personal finances or places where she orders things at this point.

But then she comes home crying because somebody hacked her VampireFreaks account and posted all kinds of lascivious stuff perving about various guys she knows, and her boyfriend saw it and had a major insecurity freakout.

You would think she would learn... eventually.

Unfortunately the highly unsuitable boyfriend (he's a red flag capitol, but she refuses to see that) calmed down, she changed the password - AND SHARED IT WITH THE HIGHLY UNSUITABLE BOYFRIEND - and the lesson was forgotten in favor of rejoicing because it was all fixed.

Parenting has taught me that you can model commonsense, discernment, and a heads-up attitude, but you can't actually force them to adopt it!

[thisbluespirit]

Thanks for the heads up - done!

[campylobacter.livejournal.com]

"Oversharing"? Wow, that's a cavalier spin on a breach of private information.

One day, a decade from now, she'll say, "Mom, I was such a rotten teen. How did you ever put up with me?"

[thothmes.livejournal.com]

Nah, she's a good kid, earnest and hardworking. She's just very sure right now that she knows it all, and that the things that she and her friends know from their experience is more valuable and pertinent than what I've learned from 54 years of navigating the world with eyes, ears, and heart wide open.

After all, how could I know things if my taste in music and my fashion sense is so execrable. Clearly I stopped learning a long time ago.

Everybody has to be young and stupid sometime. Now is her time. She'll learn.

[lolmac]

Yup, that's the math! A variation of it can also be found in many straight white male business owners.

[lolmac]

Ah, she's only just learning that people can and will do horrible things just because they can, huh? Better to learn it now than enter adulthood clueless. I've come to the conclusion that adults who haven't figured this out aren't just targets: they're vectors. They do an increasing amount of collateral damage as they pass through life. Witness every person in a position of authority who's handwaved away complaints of harassment or bullying.

(I personally got my initial lesson in it while I was still in grade school. It sucked at the time, but it's actually been a source for plenty of high-quality lemonade.)

[lolmac]

You betcha! Do boost the signal if you will.

[hermit.livejournal.com]

...so the safety is pretty much illusory.

That pretty much sums up... well, everything to do with computers these days. *sigh*

[lolmac]

BTW, would you be willing to signal-boost this on Dreamwidth? I don't have a BethInExile journal in parallel there.

[sid]

Okay!

[lolmac]

My general philosophy is along the lines of "Don't be the slowest camper" or possibly "Get well above the lowest-hanging fruit, but don't worry too much about getting up to the highest branches."

It's not a bad approach -- there are, after all, over a billion campers in total, and several hundred million of them are incredibly clueless. I can't do anything to save most of them, but I can try to help my corner of the campground. If the rest of the campers are lion bait, well, it keeps the lions fed. (Cynicism on the hoof . . . )

[hermit.livejournal.com]

Have I told you lately how much I love the way you think?

*hee*

[lolmac]

*hugs you like whoa* Thank you!!

[lolmac]

This, of course, has nothing to do with the mental image of our respective technologically clueless parasitical ex-spouses being back there, hopping along in their untied shoes, with the lion right behind. Not at all. *weg*

[hermit.livejournal.com]

That thought/visual never even crossed my mind!

*shifty eyes*

[lothithil.livejournal.com]

I'm late! I'm late! But have have installed the update :)

Thanks for the camel.

[thothmes.livejournal.com]

I learned that lesson much earlier too, but I think a late start on that is both the curse and the blessing of growing up in a very small town. In an environment where there are hardly any strangers, this kind of behavior is less common. Of course it occurs, but when you are deliberately harming someone you know well, and they know you, it takes a far higher level of depraved indifference towards others, or a genuine desire to harm with intent. It's less likely to be a thoughtless crime of opportunity. The middle school and high school have six towns feeding into them, and kids who are used to having anywhere between one and twenty kids in their whole grade feed into a class of 70 to 90 kids. The temptation to act badly has less of an immediate and visible downside at that point. All of my kids have thus far only learned that lesson in middle school or high school, rather more the latter than the former, because the middle school is more rigorously supervised.

I used to travel as an unaccompanied minor as an 8 year old, traveling between parents from Philly Airport or JFK to Burlington. Later it was Amtrak, and on one memorable occasion, a Greyhound bus where we came in very late because there was an attempted rape while we were in transit, and witnesses needed to be interviewed by the police! My parents had to make sure that I understood the concept that most of humanity is well-meaning, that a subset is malevolent, and that you can't tell the difference by looking at a tender age. On one flight, the year I was 12, there was a man in his sixties who was clearly grooming me for asking my parents to spend time with him, probably with pedophilia in mind, right there sitting across from me and next to his wife. I found his interest creepy, and wouldn't tell them anything about myself, except that my father would be meeting me as soon as we landed.

It drives me nuts to take my kids into New York City, because they don't understand my "paranoia" they don't understand caution the way I do, and don't see my strictures as reasonable.

Still, I and mine have received some remarkable kindness from strangers. Beloved Husband, in particular, has a knack for wandering (out of ignorance) into Very Bad Corners of cities where Very White Suburban Guys are distinctly unwelcome, and getting plenty of well intentioned help and advice in finding directions back to where he was trying to go. People just seem to like him on sight in some strange and magical way. The good outweighs the bad in the end. It just makes sense to keep a sharp eye out for those rocks and shoals. It saves a whole lot of aggravation.

Java Update

[theo-j.livejournal.com]

I'm SO glad I happened to check LiveJournal and catch your update. Thank You.

Re: Java Update

[lolmac]

You bet! Good to hear from you!

[jackwabbit.livejournal.com]

I iz stoopid after con.

Me uninstalled Java entirely and no put new Java on. Me okay, right? Me just wait until safe again?

Java not so grate akshully

[lolmac]

Good wabbit! Uninstall Java good!

Install again if you find you need it. Maybe you won't.

Re: Java not so grate akshully

[jackwabbit.livejournal.com]

Okie dokie, mama bear! :)

Re: Java Update

[theo-j.livejournal.com]

Heya---Didn't mean to drop so completely from view. Figured you had Life to handle. Zen Hugs to you & Melissa---T.