PSA: Disable Java in your browser

Background

Java has been responsible for some of the most serious cross-platform browser exploits in the past year. Most web exploits only apply to a specific operating system or browser, but if your browser has Java enabled, you’re probably vulnerable. If you want to check your system for Java vulnerabilities, check out isjavaexploitable.com (by the guys at Rapid7).

The most popular exploit kits have all been updated to include CVE-2012-0507, which allows malware to be installed simply by visiting an infected webpage. (Update: CVE-2012-4681, a new JVM 0-day, has also been observed in the wild and added to Metasploit. Oracle has released a patch, but hours after its release, the emergency patch was shown to include even more vulnerabilities.)

Since last year, unpatched Java installations have been responsible for more virus and malware infections than any other browser-based vulnerabilities. Few people actually use Java in their browsers, and insecure Java plugins can often go a long time without being updated. A study from last year showed that over 60% of Windows computers lacked a critical Java update that was over 18 months old, and were vulnerable to exploits that could be hidden in any website they visited.
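The problem described above is easiest to spot if you can tell, from the version banner a JVM prints, whether it falls behind a given patch level. The following check is an added example, not code from the original post; it parses the `java -version` banner format used by the Java 6/7 runtimes of this period (`1.7.0_05`), turns it into a comparable tuple so that `_5` correctly sorts below `_10`, and compares it against a minimum patched version per release family. The `minimum_by_family` values in `main` are placeholders, not patch levels taken from this page; substitute the versions named in the vendor advisory you care about.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# A Java runtime version as a comparable tuple: (major, minor, patch, update),
# so that "1.7.0_05" becomes (1, 7, 0, 5) and sorts below "1.7.0_10".
JavaVersion = Tuple[int, int, int, int]

# Matches the first line printed by `java -version`, e.g.
#   java version "1.7.0_05"
#   openjdk version "1.6.0_31"
# The update number after "_" is optional ("1.7.0" is accepted as update 0).
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(version_output: str) -> Optional[JavaVersion]:
    """Extract the runtime version from `java -version` output, or None if absent."""
    match = VERSION_RE.search(version_output)
    if not match:
        return None
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def installed_java_version() -> Optional[JavaVersion]:
    """Run `java -version` on this machine; returns None if no JVM is on PATH.

    `java -version` writes its banner to stderr, so both streams are captured.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


def update_status(installed: Optional[JavaVersion],
                  minimum_by_family: Dict[Tuple[int, int], JavaVersion]) -> str:
    """Classify an installed version against the minimum patched version of its family.

    `minimum_by_family` maps a release family such as (1, 7) to the oldest version
    of that family that carries the fixes you require. Returns one of
    "absent", "unknown-family", "outdated" or "current". A family with no
    entry is reported separately rather than silently passed, because an
    unlisted (often end-of-life) family deserves a look of its own.
    """
    if installed is None:
        return "absent"
    family = installed[:2]
    minimum = minimum_by_family.get(family)
    if minimum is None:
        return "unknown-family"
    return "outdated" if installed < minimum else "current"


if __name__ == "__main__":
    # Placeholder minimums (constructed, not taken from the post): replace them
    # with the update levels named in the vendor advisory for the fixes you need.
    placeholder_minimums = {(1, 6): (1, 6, 0, 0), (1, 7): (1, 7, 0, 0)}
    print(update_status(installed_java_version(), placeholder_minimums))
```

Tuple comparison is what makes this robust: comparing the raw strings would rank `1.7.0_5` above `1.7.0_10`, which is exactly the mistake that lets an 18-month-old update pass as current.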

When was the last time you used a Java applet on purpose anyway? Java applets have been mostly superseded by Flash or JavaScript. If you’re not sure whether or not you need Java in your browser, you probably don’t. Given the number and severity of the Java exploits in the wild right now, it might be a good time to disable Java in your browser and enable it when (or if) you need it.

How to Disable Java in Chrome/Chromium:

Type about:plugins into your address bar.

Find your Java plugin in the list and click “disable.”

How to Disable Java in Firefox:

Type about:addons into your address bar.

Find your Java plugin in the list and click “disable.”


How to Disable Java in Internet Explorer

Don’t even bother. If you care about browser security, you would be better off installing Chrome or Firefox and ditching Internet Explorer completely. If you must use Internet Explorer, you can disable Java applets by going to [Tools Menu] > Internet Options > Security (tab) and clicking the “Custom Level” button at the bottom of the window. Scroll down in the “Security Settings” box until you see “Scripting of Java Applets,” and click the “Disable” or “Prompt” radio button. This will disable the loading of Applets on webpages.

Cut off Web Browser access to Java in Windows

To completely disable web browsers’ access to the Java Virtual Machine on a Windows system, go to Control Panel > Java and click the “Advanced” tab. Then click the “+” icon next to “Default Java for Web Browsers” and uncheck the boxes next to the browsers you want to cut off.

This approach is useful if you need a JVM on your computer but don’t want your browser to have any access to it. If you don’t need a JVM at all, you may as well uninstall Java completely (Control Panel > Add or Remove Programs) and reinstall it later if you need it.

See also:

Update 8/27: For background on CVE-2012-4681, have a look at FireEye’s report, the PoC code and the blurb on Metasploit’s blog. The exploit is now a part of the Metasploit suite as “java_jre_17_exec,” and the source of the malicious .class file is here.

If you’re interested in the technical background of the (known) Java exploits floating around the internet right now, including CVE-2012-0507, Metasploit: CVE-2012-0507 – Java Strikes Again is a good starting point.


Related: CVE-2012-0507 exploit in Metasploit

Update: Disable Java in Safari

As Corin pointed out in the comments, you can disable Java in Safari by going to Safari>Preferences>Security>Web Content. In the time since I wrote this post, over 600,000 Macs have been infected by the Flashback trojan, which relies on the CVE-2012-0507 Java exploit.


6 thoughts on “PSA: Disable Java in your browser”

  1. On the Mac OS you can also disable Safari’s Java use under Safari/Preferences/Security/Web Content. The Chrome and Firefox settings to disable java are in the same spot as in your helpful directions.

  2. Great post! It’s shocking to see how many websites are reporting on these new Java exploits, yet they do not provide any instructions how to disable Java.

    Keep up the good work :)

  3. Pingback: Disable Java In Your Browser To Avoid A Nasty New Malware-Spreading Attack - Forbes

    • Don’t disable JavaScript. Many websites are unreadable without it. Java and JavaScript are two very different things.

  4. Thank you. I just got my little netbook working again and I don’t need a bug to mess it up since I just started this semester for college.