MSU IT Techbase

Avoiding Java vulnerability and exploits - TB18942

This article has been retired and moved to a new location. To view the current support article, please click 402877 to be redirected to the new document within the Knowledge module of the MSU IT Service Desk application.

Please Note: As another step in enhancing our customer experience, MSU IT Services is consolidating all technology help information into one repository. This process will begin Friday, April 15, 2016, with MSU IT moving all public facing documents to the MSU IT Service Desk application. The service will be retired in the future and replaced with a new help portal. More information will be shared as timelines are confirmed.

Java is a general-purpose programming language that is intended to run independently of the platform, operating system, or browser in use.

It was developed in the 1990s and is currently one of the most popular programming languages in use.

Unfortunately, in recent years, the flexibility and wide implementation of Java have made it a target of hackers and criminals. New vulnerabilities are discovered on a regular basis and exploited to spread malware when a hacked site is browsed while an insecure Java browser plugin is in use.

Users should be aware of how vulnerable Java makes today's browser software to exploits, and take steps accordingly.

Typical exploits

In late 2012 and early 2013, security experts began reporting concerns about a particular Java vulnerability called the zero-day (0day) exploit. Since initial reports, repeated hacks and problems related to zero-day have occurred.

For instance, due to a series of attacks, as of early 2013 Java Version 7 Update 10 and earlier versions of Java 7 running on desktop computers contain a vulnerability that can allow a remote, unauthenticated attacker to execute code on a vulnerable system.

The malware was installed silently when an unsuspecting user visited a hacked website while running an infected Java browser plugin.

Safer practices regarding the use of Java

More and more computer security experts recommend disabling Java from your browser software. Unfortunately, for many users this is not realistic as they may regularly use systems and services both within the university and outside that require the use of a Java plugin in their browser. Below are some suggestions and strategies for safer computing when using Java:

  • Understand that it can take Oracle, which owns Java, several days to issue a patch, however critical the need.
  • Remove older versions of Java to minimize vulnerability related to previous versions:
    • Windows users can follow uninstall instructions on Java to remove older versions of Java.
    • MacOS updates have already removed older versions of Java. No additional action is required.
  • Utilize a "two browser" strategy where you turn Java off in your main browser software and turn it on, as needed, in a secondary browser. For instance, disable Java in Firefox and enable it in Internet Explorer.
  • Keep your Java installation up to date.
  • Keep anti-virus, anti-malware software and definitions up to date.
  • Only enable Java to run when you are accessing known safe sources that are properly digitally signed.
  • Restrict the use of your Java-enabled browser to internal MSU application servers, which are not directly affected by this vulnerability.
  • Disable Java in your browser(s) whenever news of a new exploit occurs. Keep it disabled until a patch is issued and you are able to update.
  • Increase the security setting of Java on your machine to a high setting, requiring more user intervention before Java-based code runs.
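
The following is an added example, not part of the original article or any MSU tooling. It shows one way to check a machine against the suggestions above: it flags a `java -version` banner in the range the article names (Java 7 Update 10 and earlier Java 7 releases) and audits a `deployment.properties` body. The property names `deployment.webjava.enabled` and `deployment.security.level` do not appear in the article, and the treatment of missing keys is an assumption.

```python
import re

# Legacy version string printed by `java -version`, e.g. version "1.7.0_10"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(banner):
    """True for Java 7 Update 10 and earlier Java 7 releases (the article's range)."""
    v = parse_java_version(banner)
    return v is not None and v[0] == 7 and v[1] <= 10

def audit_deployment_properties(text):
    """Return findings for the browser and security-level settings in the list above."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    findings = []
    # Assumption: when the key is absent, Java content is enabled in browsers.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content is enabled in the browser")
    # Assumption: a missing level is reported, since the default varies by release.
    if props.get("deployment.security.level", "").upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("security level is not set to HIGH or VERY_HIGH")
    return findings

# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNERS = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    'java version "1.7.0_45"',
    'java version "1.6.0_38"',
]
SAMPLE_PROPS = "#deployment.properties\ndeployment.security.level=MEDIUM\n"

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        status = "in affected range" if is_affected(banner) else "outside affected range"
        print(parse_java_version(banner), status)
    for finding in audit_deployment_properties(SAMPLE_PROPS):
        print("finding:", finding)
```

A Java 6 banner is reported as outside the article's Java 7 range, but it is still an older version that the list above says to remove.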

Issues with the browser toolbar add-on

Current Java installation and upgrade software for Windows integrates an "Ask Toolbar" browser add-on that can cause issues for VPN and EBS users.

For best results with campus services, uncheck the selection to "Install the Ask Toolbar...." during the install/upgrade process.

Alternatively, if already installed, provides instructions on how to uninstall it.

Date Last Modified: 5/9/2016 8:13:00 AM