Security experts are recommending computer users disable or uninstall Java following the discovery of a zero-day Java exploit which allows hackers to take control of vulnerable Macs, PCs and Linux computers.
The exploit takes advantage of a vulnerability left open in Java 7 Update 10, released in October of last year. It works by getting Java users to visit a website with malicious code that takes advantage of a security gap to take control of users’ computers.
Update: Oracle has released Java SE 7 Update 11 to address the vulnerability. It “strongly recommends” that Java SE 7 users upgrade immediately.
Worse, this particular exploit is reportedly being used to push ransomware, a type of attack in which the attacker locks users out of their computers and demands payment to restore control.
Java’s creator, Oracle, hasn’t specified the number of users who have downloaded Java 7 Update 10. However, Java runs on more than 850 million computers and other devices. When Oracle released Update 10, it “strongly recommended” that users update to receive “key security features and bug fixes.”
The exploit was first discovered by French researcher Kafeine, who claimed to have found it running on a site registering hundreds of thousands of page views daily.
Should you be worried about this exploit? While security lapses are sometimes overblown, there are good reasons to take this one seriously: The U.S. Department of Homeland Security issued a warning advising users to disable Java until a fix is available. Apple has apparently moved to disable Java in response to the threat. Mozilla took the opportunity to warn users and advertise “Click to Play,” a Firefox feature which stops Java from loading on individual web sites until the user allows it. Many security experts are advising that users disable or uninstall Java for the time being.
Our advice? It’s probably a good idea to disable or uninstall Java until a fix is published. You can find out how to do that right here:
- How to disable Java in your web browser.
- How to uninstall Java for Mac.
- How to uninstall Java for Linux.
Other News on this:
- The US-CERT security warning said the agency is “unaware of a practical solution to this problem.”