Disable Java, warns US government

The United States government has released a bulletin stating that users should disable Java on their computers, because the risk of hacks and security breaches through the software has recently increased drastically. Yet another Java exploit has been found in the most recent, fully patched version of the software, and according to Ars Technica this flaw is currently being exploited in the wild.

Even more concerning is how the exploit came to exist: last year Oracle released a patch to fix an earlier security issue, but the patch was incomplete and caused this current flaw to arise. The fact that Java is installed on more than a billion devices worldwide makes it a hot target for hackers, and with the recently discovered flaw the United States government has had to advise users to disable the software.

Oracle claims that a patch is in the works, but this could simply pave the way for more security issues. Among computer-savvy users, Java is well known for its flaws, so as always we recommend not installing the software unless absolutely necessary.

Source: Yahoo! | Thanks for the tip, John

80 Comments

If they want me to disable Java, then I should disable all the other plugins while I'm at it. I have Java around yet I have never caught anything. I turn off Java's temp file creation, hence no problem.

I spend most of my day on a PC, tablet, or phone. There are a few pieces of software/sites that I simply avoid which makes my life much easier:

*Flash
*Java
*Facebook
*Google
*Any site with more advertisements than content

I have found that avoiding that list makes me happier, doesn't cause unnecessary installs or keystrokes, I haven't had a virus and I am more productive.

exotoxic said,
I wonder if the US government will tell people to stop using windows when the next big windows exploit hits.

Because other OSes aren't hacked? Look at how fast (and awfully easy) it is to jailbreak iOS vs WinRT/WP.
Oh, and have you looked at Linux distros' security bulletins?
Or at how awfully secure OSX proves to be time and time again?

I can't wait until OSX or a Linux distro becomes a major player in the OS market. We'll see who's more secure.

Not that I am bothered about this, but I only installed Java for some speed test on my connection. So I have removed it, thanks for the reminder.

I run java and I have no problems or do I have any fear of any issues now or in the future.... you people sound like those same gun control idiots screaming after someone gets shot about controlling the guns, well how about controlling the idiots that use them same goes with a computer. *Rolls eyes*

sava700 said,
I run java and I have no problems or do I have any fear of any issues now or in the future.... you people sound like those same gun control idiots screaming after someone gets shot about controlling the guns, well how about controlling the idiots that use them same goes with a computer. *Rolls eyes*

Wow, I've never wished a Java exploit onto anyone until now!

sava700 said,
I run java and I have no problems or do I have any fear of any issues now or in the future.... you people sound like those same gun control idiots screaming after someone gets shot about controlling the guns, well how about controlling the idiots that use them same goes with a computer. *Rolls eyes*

Finally someone with a brain.

This is limited to installed java versions and not those hardcoded in phones, bluray players or other network-connected devices?

I need Java for a few programs I use, but I've had it disabled in my browser since the last exploit appeared.

Thanks to u20 we now have a sure-fire easy way to disable Java in the browser within the app itself, so I've ticked that off.

While it won't let me run some java apps, I can always re-enable it when needed, so it's not -that- bad. Still sucks that there are these miscreants in the world that live to exploit everything and ruin people's digital lives. More digital proliferation, more scum. *sigh*

Someone should make a compatible implementation of Java without the security quirks.

Would be a LONG project but worth it.

I hope Oracle has this in mind.

The database we use also requires java to be installed for some of the reporting tools, but the good news is they're shifting away from java, so maybe the next release will be rid of java entirely.

So on Linux I only have the IcedTea plugin and Firefox hasn't blocked that, so I don't think it's affected. However, on Mac, where I have Java installed, it's been blocked by Firefox.

I wonder how Scott McNealy will react (after all his anti-Windows/Microsoft rants in the past).

Interesting fact from Wikipedia: "McNealy was an early advocate of the networked environment; his company's motto was "The Network is the Computer". At times, he has been known to be skeptical of products that do not integrate well with networked environments. One example McNealy has given involved the Apple iPod. As quoted in The Register, McNealy said, "There's a pendulum thing where stuff is on the client side and then goes back into the network where it belongs. The answering machine put voicemail by the desk, and then it went back into the network. Your iPod is like your home answering machine. I guarantee you it will be hard to sell an iPod five or seven years from now when every cell phone can access your entire music library wherever you are.""

He was right.

Firefox already is disabling it and OS X won't let JAVA run at all with the latest patch.

Weird, after years of telling the world how horribly insecure and dangerous JAVA is, people are finally starting to listen. Ironically the last somewhat secure JAVA was Microsoft's VM that Sun forced them to stop working on.

(This is not even considering the fact that JAVA never lived up to its promises and gave us very little other than how NOT to build a managed language or a VM.)

What year can we expect the public to FINALLY realize that other security concerns we have been screaming about are of concern and a movement to stop using them happens?

You know, things like WebGL that directly expose GPU hardware to sites.

I don't have Java installed at all and haven't run into anything that required me to install it. If some app says it does, I skip it and try to find an alternate that doesn't use it.

I think I've installed this bloated, insecure POS software twice in my life, and was uninstalled IMMEDIATELY afterwards, and haven't had to use it in years now.

Wouldn't put this crap on any enemy's computer! I don't care how easy it is to disable in browser addons or anything else.

As was stated above once already, this almost sounds more like an e-mail type scam than some actual news!

Safari for OSX has been pushed a silent update to its blacklist file which is blocking all versions of Java from running (until a new one is released). Quick move by Apple - but lots of people need Java to access their work VPN (me included).

To get around it I installed the developer preview release - but I don't know if it actually fixes the flaw so it's probably worth disabling java once you've finished using it for whatever you need to use it for:

http://jdk7.java.net/download.html

Mac OS X does not come with Java any more. Java 7 is a manual install you have to get from Oracle's website (or use an open source Java implementation). The version that's auto-downloaded from Apple is Java 6 and it is *only* downloaded when using an actual Application that needs Java (like Adobe CS5.5 and lower).

All the recent Mac OS X updates to Java 6 have repeatedly removed the support for Java applets on websites, making the ability to enable it without intention in Safari very, very difficult.

Anywho, what the hell requires Java for VPN? (Really, I'm curious).

Apple have disabled all versions of Java up to and including Version 7 Update 10 (so basically all versions of Java..) - Anyone who used Java in Mountain Lion would have downloaded it manually when they needed it and would be on Version 7 Update 10 anyway so I don't know why we needed the info about Java 6 - it would be blocked as well because it is also vulnerable.

I was just showing that if you install the developer preview you get around Apple's block (at your own risk) rather than editing the XProtect.meta.plist for Safari (which will continually get overwritten as Apple's server will keep pushing you the correct version..)

As for who uses Java VPN? A whole support discussion going on at Apple says quite a few people:

https://discussions.apple.com/message/20875055#20875055

Ulpian said,
Install Java, disable in browser.

Exactly. While there's not necessarily a need to disable the Java runtime, there is generally little reason to leave the Java plugin permanently enabled in your browser.

Ulpian said,
Install Java, disable in browser.

Or install the Prefbar add on for firefox which gives you a check-box tool bar to disable anything from Java, Java Script to flash on the fly.

Slugsie said,
So, how am I supposed to play Minecraft?

You don't. One of the worst pieces of software created is also Minecraft.

Slugsie said,
So, how am I supposed to play Minecraft?

Just disable Java in your browser, and you should be fine as long as you don't download anything suspicious.

Slugsie said,
So, how am I supposed to play Minecraft?

There is always the Xbox version.

Also, most of the payload for Java exploits are going to be aimed at Windows machines. So you can reduce the risk of infection by using a Mac or Linux box.

But like others have said, best to disable it from being in the browser. For Windows users who are using IE, you go to Tools > Manage add-ons. Click Java, and then click the Disable button.

pes2013 said,

You don't. One of the worst pieces of software created is also Minecraft.

Wow. Just wow.

Nevermind that it is incredibly popular, and sold millions of copies, and the developers actually work with and respond to the playing community. Pes2013 has shown me the light, I'll never play Minecraft again.

So, come on PES2013, what games SHOULD I be playing?

Pluto is a Planet said,

Just disable Java in your browser, and you should be fine as long as you don't download anything suspicious.


...Java browser/PC version are different. The browser version works within browser and the PC version becomes a background task on your PC.

Kenny Kanashimi Chu said,

...Java browser/PC version are different. The browser version works within browser and the PC version becomes a background task on your PC.

Exactly, which is why my post is absolutely correct. If you have some Java Applet you come across on the web and you have the Java plugin disabled in your browser, then you won't get infected. You only might get infected if you download an app to run a JAR package or some Java code. So disable the browser version and nothing will happen to you randomly (you'd have to download something for security problems to start happening).

Drossel said,
Java is obsolete.

Tell that to the millions of sites which still use it. Even some online banking sites still use Java.

I just use regedit and set it to 0, then when I need to use Java, e.g. (online banking), I just go back and set it to 1. I just find it easier for me to do it that way.

Only time I use Java is when I go to the nVidia site to automatically check for driver updates. So I guess I'll just uninstall it.

Anarkii said,
Only time I use Java is when I go to the nVidia site to automatically check for driver updates. So I guess I'll just uninstall it.

Guru3D forums are even better. Now uninstall that Java completely.

Guru3D wouldn't be so bad if they would leave the live links up directly to the Nvidia Drivers vs re-packing them and only linking those downloads.

StrykerMikado said,
Gamers mostly have it enabled still. I've never had a problem with it and generally you should be going to sites you trust.

Problem is the exploit has been found in adverts on advertising networks so you can get hacked visiting sites you trust.

mog0 said,

Problem is the exploit has been found in adverts on advertising networks so you can get hacked visiting sites you trust.

That means this is easily solvable by disabling the "Java Plugin" in your browser. Why are they saying to completely disable Java on our computers?

Pluto is a Planet said,

That means this is easily solvable by disabling the "Java Plugin" in your browser. Why are they saying to completely disable Java on our computers?


It's better to say it like that, considering that most of the people do not know what a browser is.

Because a lot of web sites I use require me to, and I need to do in-browser digital signing of documents, and Java applets are the only real cross-browser, cross-platform possibility for that since HTML5 never bothered to address this.

Indeed Dushmany.

That's a good point, Breach. Hopefully with the next set of standards for HTML6 we have companies that work together so they all implement everything in HTML6 in one version rather than taking ages about it. As far as I'm aware there's no browser that fully supports everything in HTML5 yet. -_- html5test.com Google Chrome v24 gets 448/500.

DeathByPenguin said,
Why? Seems like work tbh. As long as you're not incompetent you won't have any problems. I'm guessing you're one of those incompetent people?

Seriously? This isn't some exploit only porn sites are getting hit by... I got hit by it this past week on Houzz.com, a MAJOR house remodeling site. I only had Java too because my admin tools I need for work require I have it... This isn't some "you are incompetent" thing, this is a major issue this time.

It doesn't make a difference how competent you are if a site has a sketchy Java applet embedded in the code which automatically runs when you visit it.

At the very least you should use click-to-play for plugins like you can in Chrome, or better yet just disable the Java plugin entirely in your web browser.

Personally I choose to wrestle with a portable version of Java whenever I am forced to use it.

DeathByPenguin said,
As far as I'm aware there's no browser that fully supports everything in HTML5 yet. -_- html5test.com Google Chrome v24 gets 448/500.

Most of them are not even approved and may never find their way into the final specification. html5test is pointless at this stage.

I went a step further and completely uninstalled Java, and I'm recommending to other users who might listen to me, to completely remove it.

nub said,
Minecraft and other Java apps.

Disable Java in the browser and you'll be fine.


Both Fx and IE ask to enable Java per website each and every time you visit it (unless you whitelist it, of course).

eddman said,

Most of them are not even approved and may never find their way into the final specification. html5test is pointless at this stage.

Most of the specification will hold. html5test.com is kept up to date with recent developments.

Dushmany said,
Wait, people still leave Java enabled on their machines???
(I usually, install, get what's needed done, uninstall)

We have a few government contracts at work. You have to use an old version of Java to access some of their sites. (1.7 isn't compatible).

It's absurd.