Java is vulnerable… Again?!
Published February 25th, 2013 at 10:37 AM EST , modified March 5th, 2013 at 12:07 PM EST
Once again, Java is in the news after new vulnerabilities have been found. Adam Gowdiak, of Security Explorations, has reported to Softpedia the discovery of two new issues in Java. Used together, these issues allow an attacker to bypass the Java sandbox entirely and gain access to the user’s machine through a malicious Java applet embedded in a web site; the victim need only load the page in a browser with Java enabled.
I’ve lost track at this point of how many times I have repeated the same tired old story. I’m sure I could look back through my posts and figure it out, but there’s no reason… suffice it to say, it has happened a lot! So why am I continuing to harp on this? Because every single day, I encounter people who are still using Java, or who haven’t even heard that Java is a problem. This is a major issue, and it cannot be stressed often enough: if you haven’t done it already, it’s time to disable Java in your web browser!
I know there are folks out there who will read this and complain that they can’t stop using Java. The problem with that is that Java now has a very well-established track record of insecurity. The vast majority of the Mac malware that has appeared in the last couple of years has relied on Java vulnerabilities to get installed. Worse, you can’t just avoid dodgy web sites and stay safe: many high-profile, legitimate sites have been hacked to serve malicious Java applets, including the recent hacking of NBC’s web site. So, if there is any possible way of abandoning Java, even if it means giving up your favorite Java-based online games or switching to a bank that doesn’t use Java for its online banking, you should do so.
Of course, not everyone will be able to do that. Perhaps your job depends on a proprietary Java-based system, for example. At this point, however, you simply cannot use such a system securely. In the past, I have recommended using a separate web browser reserved only for such systems, and a different browser, with Java turned off, for everything else. However, hackers are specifically targeting sites where people are likely to have Java enabled, and you cannot guarantee that the Java-requiring site(s) you rely on will remain secure. At any time, such a site could be hacked, and you could end up with malware on your computer simply by visiting it.
For this reason, I recommend not using Java on any computer that is also used for handling any kind of sensitive information. If you’ve got data you don’t want hackers getting hold of, don’t use web-based Java applets on that computer! Instead, use a cheap throwaway netbook, or something along those lines, to access those sites. Alternatively, install Parallels and run Java in a virtual machine. You can install Mac OS X 10.7 or 10.8 in a Parallels virtual machine quite easily, and then use Java in a web browser on that virtual machine. This effectively isolates any malware you might run into from the rest of your system, and you can use Parallels’ snapshots feature to revert to an older, clean state very easily. Keep in mind, though, what reverting a snapshot does and does not protect: it wipes out anything the malware installed inside the virtual machine, but it cannot recall passwords or other data that were typed into that virtual machine and sent out before you reverted. Treat the virtual machine as untrusted and enter as little sensitive information in it as you can.
Ultimately, you have your own choices to make. It is certainly your right to use Java in your web browser indiscriminately. If you choose to do so, I recommend that you install anti-virus software, such as Sophos Anti-Virus for Mac Home Edition. Keep in mind, though, that anti-virus software cannot reliably stop a new, as-yet-unknown threat: the recent vulnerability that resulted in malware infecting Macs at companies like Facebook, Apple and Microsoft affected even machines with up-to-date anti-virus software. Anti-virus software is no panacea.
If you keep using Java and you end up with malware as a result, remember that you were warned, and that such an infection will have been no one’s fault but your own.