January 2013 - secureCI Monthly Newsletter


secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at Channel Islands


In This Issue…
• What is Java?
• Risks of Java
• Best Defenses

Java

OVERVIEW
Software refers to programs or applications you install and use on your computer every day.  Examples include your web browser, word processor, email client, video games and movie players.  The problem with most software is that it is written to run only on specific computers.  For example, software written for Microsoft Windows can run only on Microsoft Windows computers; it cannot run on an Apple Mac computer.  The same applies for software written for Apple's Mac; it can only run on a Mac computer.

Java is different.  It is a computer language that allows programmers to write software you can run on many different types of computers, such as Microsoft Windows and Apple Mac.  To enable programs developed in Java to work on your computer, you need to have Java (often called the Java runtime environment) installed on your computer.  In this newsletter, we are going to explain the dangers of having Java installed on your computer and what you can do to protect your computer.  Note: JavaScript and Java are two entirely different things.  This newsletter applies to Java.

WHAT ARE THE RISKS?
A common method cyber attackers use to hack into computers is to develop special programs that take advantage of and exploit weaknesses in your computer’s software. These weaknesses are usually specific to one type of computer. This means the hacking tools they develop to attack Microsoft Windows computers work only on Microsoft Windows; their tools do not work on any other type of computer such as an Apple Mac, or vice versa.

This limits who they can attack and how.  Java is different. Since it is designed to work on almost any computer, cyber criminals can create a single attack tool that can potentially hack almost any computer in the world as long as it has Java installed. This makes Java’s weaknesses an attractive target for attackers, as they can hack more computers with less effort. Also, Java is complex, which means it can have many weaknesses.

Finally, most people do not even know what Java is or if they have it installed. As a result, Java has become a popular target for cyber criminals.

BEST DEFENSE
Ultimately, the best defense is simple: if you are not using any programs or applications that require Java, then do not install it on your computer. Only install Java if you absolutely require it. If you are not sure if you have Java already installed on your computer, there is a simple way to check. Simply go to the Java website listed below to check if you have Java installed. Be sure to only check if you have Java installed; do not actually install it.

http://www.java.com/en/download/installed.jsp

If you discover you do have Java installed but you no longer need it, uninstall Java from your computer.

IF YOU MUST...
If you absolutely must have Java installed, there are several things you can do to protect yourself.

1.  KEEP IT CURRENT
Make sure you always have the latest version of Java installed on your computer. Old or outdated versions of Java have many known vulnerabilities, making it easy for cyber criminals to hack into your computer. In addition, future releases of Java may have additional security features. Keeping Java updated is relatively simple for Windows computers. To verify the version of Java on your computer, click on the Java icon in the Control Panel and confirm you have the latest version installed and that it is configured for automatic updating. If you do not have the latest version, be sure to update it through the Java Control Panel.

Java is software that can expose you to additional risk.
If you do not need Java, then do not install it.
If you do need Java, always be sure to run the latest version.

For Apple Mac computers, the options for Java are more complex. In an effort to better protect its users, Apple distributes and updates its own release of Java based on Java 1.6. As long as you keep your Mac operating system updated and current, you will keep this version of Java updated also. Apple users can update their Mac computers to Java 1.7 by downloading Java from the Java website; however, you then have to maintain and update that version yourself.

2.  DISABLE BROWSER PLUGIN
One of the most common ways that cyber criminals hack Java is through your web browser. If you have Java installed, your browser will have what is called a Java plugin, which lets your browser use Java. When you connect to a malicious website, bad guys may hack your computer through your Java plugin. However, very few websites require Java to work, so in most cases you can safely disable your browser’s Java plugin. How you disable your browser’s plugin depends on what type of browser you have. Most browsers have a Preference or Settings option where you can disable your browser’s Java plugin. In addition, newer versions of Java can disable Java plugins from the Java Control Panel. If you do find a website that requires Java to work, you can then enable it for only that website, then disable it when you are done.
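For anyone who has to confirm the two steps above on more than one computer, the checks can be scripted. The following is an added example, not part of the OUCH! newsletter; the function names, the `baseline` placeholder, the settings-file locations and the `deployment.webjava.enabled` key are assumptions about how the Java Control Panel stores its "Java content in the browser" setting.

```python
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Assumed per-user location of the Java Control Panel settings file, by platform.
HOME = Path.home()
PROPS = {"win32": HOME / "AppData/LocalLow/Sun/Java/Deployment/deployment.properties",
         "darwin": HOME / "Library/Application Support/Oracle/Java/Deployment/deployment.properties"}

def parse_java_version(text):
    """Return (major, update) from `java -version` output: 1.7.0_10 -> (7, 10)."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?[^"_]*(?:_(\d+))?', text)
    if not m:
        return None
    first, second, update = m.groups()
    major = int(second) if first == "1" and second else int(first)
    return major, int(update or 0)

def plugin_disabled(properties_text):
    """True only if the settings explicitly turn off Java content in the browser."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":  # assumed key name
            return value.strip().lower() == "false"
    return False  # key absent: treat the plugin as enabled

def assess(version_output, properties_text, baseline):
    """Return findings for one machine; an empty list means both checks pass."""
    found = parse_java_version(version_output)
    if found is None:
        return ["no Java version string found"]
    findings = []
    if found < baseline:
        findings.append(f"Java {found[0]} update {found[1]} is older than {baseline}")
    if not plugin_disabled(properties_text):
        findings.append("browser plugin is not disabled")
    return findings

if __name__ == "__main__":
    baseline = (7, 0)  # placeholder: set to the current release from java.com
    java = shutil.which("java")
    if java is None:
        print("java not on PATH; check the installed-programs list as well")
    else:
        run = subprocess.run([java, "-version"], capture_output=True, text=True)
        props = PROPS.get(sys.platform, HOME / ".java/deployment/deployment.properties")
        text = props.read_text(errors="replace") if props.is_file() else ""
        print(assess(run.stderr + run.stdout, text, baseline) or "no findings")
```

The script only reads the version string and the settings file; it does not install, update or change anything.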

RESOURCES
Some of the links have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.


What is Java?:
http://preview.tinyurl.com/7l7jvb8

Uninstalling Java on Windows:
http://preview.tinyurl.com/4x66uco

Uninstalling Java 7 on a Mac:
http://preview.tinyurl.com/cowkxy4

Disabling Your Browser’s Java Plugin:
http://preview.tinyurl.com/cwptsxv

Browsercheck:
http://browsercheck.qualys.com

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp



LEARN MORE
Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting http://www.securingthehuman.org. OUCH! is distributed under the Creative Commons BY-NC-ND 3.0 license.
