
Rahul Thadani
As another Java flaw is discovered, is it time to disable Java completely?
January 17, 2013

Java Security Hole

After a massive Java 0-day vulnerability surfaced in August 2012, Oracle released an out-of-cycle update to combat the exploit. At the time, we advised our readers to simply disable Java in their web browsers to avoid the threat. Java has now become a highly vulnerable program that causes more trouble than it is worth, and this is highlighted by the fact that yet another 0-day Java vulnerability has surfaced.

Apparently, this latest exploit was put up for sale on an anonymous underground forum, where the seller invited bids and claimed that the kit would be sold only twice. The reasoning appears to be that with only two buyers, it would take longer for security vendors to detect the code. However, one of the potential buyers leaked this information, and the computing world is now racing to disable Java as soon as possible. The exploit kit allows an attacker to plant malicious Java applets on websites. These applets then compromise machines as drive-by downloads when an unsuspecting victim visits an infected website.

A series of Java security holes
This piece of news follows close behind reports that Oracle released a new security patch (Java 7 Update 11) a couple of days ago. This patch was designed to combat a security flaw (CVE-2013-0422) that was being exploited by Blackhole and Nuclear Pack, two crimeware kits that compete against each other. Blackhole recently informed its users that it had an undisclosed Java security hole which it would offer as a New Year's present to its customers. Nuclear Pack soon made the same announcement, and this prompted immediate action from Oracle to patch Java.

In the midst of all this, we recommend that you completely disable Java in the web browser that you use. Malware writers are creating threats against Java with alarming regularity, so you should enable this program only if it is absolutely essential. You can learn how to disable Java in various browsers through this post.

The confusion about ‘Java vs JavaScript’
One issue that regularly crops up whenever a Java security hole is discovered is the difference between Java and JavaScript. Some people accidentally turn off JavaScript, while others are left confused by the similar-sounding names. To clarify, Java and JavaScript are not the same.

Java vs JavaScript

It is important to understand that JavaScript is basically a part of the web browser. It controls the look and functionality of certain pages, and it runs inside the browser application at all times; it is not something you install or remove separately. Java, on the other hand, is a separate program (a runtime) installed on the system that runs independently of the browser. The browser reaches it through the Java plug-in, which runs small Java programs (known as applets) embedded in web pages. So, Java and JavaScript are completely different and should not be mixed up: disabling the Java plug-in does not affect JavaScript, and turning off JavaScript does nothing to stop Java applets.
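The distinction above can be demonstrated from JavaScript itself: a page's script keeps running whether or not Java is installed, and it can report whether the browser still exposes a Java plug-in. The following check is an added example written for this post (not code from the original article or from Quick Heal); it uses the legacy navigator.javaEnabled() method and the navigator.plugins / navigator.mimeTypes lists that browsers of that era exposed for NPAPI plug-ins. The two sample navigator objects at the bottom are constructed for illustration, not captured from a real browser.

```javascript
// Added example, not part of the original post.
// MIME types registered by the Java browser plug-in (real values for the NPAPI plug-in).
const JAVA_MIME_TYPES = ["application/x-java-applet", "application/x-java-vm"];

// Inspect a navigator-like object and report whether the Java plug-in is reachable.
// Works on the real `navigator` in a browser, or on a constructed object under Node.
function javaPluginStatus(nav) {
  // PluginArray / MimeTypeArray are array-like, so Array.from() handles both real and fake lists.
  const plugins = Array.from(nav.plugins || []);
  const mimeTypes = Array.from(nav.mimeTypes || []);

  const pluginsFound = plugins
    .filter((p) => /java/i.test(p.name || ""))
    .map((p) => p.name);
  const mimeTypesFound = mimeTypes
    .filter((m) => JAVA_MIME_TYPES.includes(m.type))
    .map((m) => m.type);

  // Legacy API: true only when the Java plug-in is installed and enabled.
  const javaEnabled = typeof nav.javaEnabled === "function" ? nav.javaEnabled() === true : false;
  const reachable = javaEnabled || pluginsFound.length > 0 || mimeTypesFound.length > 0;

  return {
    javaEnabled,
    pluginsFound,
    mimeTypesFound,
    reachable,
    verdict: reachable
      ? "Java plug-in is reachable from this browser: disable it"
      : "No Java plug-in exposed; JavaScript still runs, Java applets will not",
  };
}

// Constructed sample: a browser with the Java 7 Update 11 plug-in still enabled.
const sampleWithJava = {
  javaEnabled: () => true,
  plugins: [{ name: "Java(TM) Platform SE 7 U11" }, { name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-java-applet" }, { type: "application/x-shockwave-flash" }],
};

// Constructed sample: the same browser after the Java plug-in has been disabled.
const sampleWithoutJava = {
  javaEnabled: () => false,
  plugins: [{ name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-shockwave-flash" }],
};

// In a real page, call javaPluginStatus(navigator); under Node, exercise the samples.
const target = typeof navigator !== "undefined" && navigator.plugins ? navigator : sampleWithJava;
console.log(javaPluginStatus(target).verdict);
console.log(javaPluginStatus(sampleWithoutJava).verdict);
```

Paste the function into a page (or the browser console) and call javaPluginStatus(navigator) after following the disable-Java steps; a verdict of "No Java plug-in exposed" confirms the plug-in is off while the script that produced the verdict is, itself, JavaScript running normally.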

Quick Heal 2013 provides the Browser Sandbox feature, which actively blocks 0-day threats. However, it is still recommended to disable Java completely to avoid such threats now and in the future.

About Rahul Thadani
Rahul is a web enthusiast and blogger, and has been writing about the computer security industry for the last three years. Following the latest technology trends,...

12 Comments


  1. Kanishk Singh, January 17, 2013 at 8:14 PM

    A question over here.

    I am also a minor computer security expert and I’ve learnt that some Java applets (actually backdoors and Trojans) appear completely safe when scanned with Quick Heal Internet Security 2013. I’ve tested those applets on my own system and came to know that Quick Heal does not alert the user the moment he downloads such files. Quick Heal only identifies the Trojan when a user runs a ‘Complete System Scan’ on his computer. Many users don’t usually come to know that they’ve come in contact with a Trojan and leave their system as it is, and the hacker easily gets time to explore and exploit their entire system within that time.

    A normal user can’t go on repeatedly scanning his entire system throughout the time he is online. Therefore I request Quick Heal, Inc. to come up with a solution for this vulnerability.

    Many people won’t be reading your blogs and they may not be coming to know about this problem.

  2. Ajit Mahabal, January 22, 2013 at 4:58 PM

    I read your comments about Java issues for PC and the botnet threat for Android. Can you help me to remove Java from my home PC and support for the Android threat?

  3. Ajit Mahabal, January 23, 2013 at 2:03 PM

    Thank you

  4. Ajit Mahabal, January 23, 2013 at 10:40 PM

    When I switched off the PC this evening and restarted it, the Windows startup system crashed. With the help of the HP tools available on the laptop I could restart the system.

  5. Ramachandra.D, January 26, 2013 at 3:35 PM

    Thank you Rahul. Further, please assist me.

  6. Nice differentiation between Java and JavaScript.
    Thanks once again.