Java has been responsible for some of the most serious cross-platform browser exploits in the past year. Most web exploits only apply to a specific operating system or browser, but if your browser has Java enabled, you’re probably vulnerable regardless of which platform you run. If you want to check your system for Java vulnerabilities, check out isjavaexploitable.com (by the guys at Rapid7).
The most popular exploit kits have all been updated to include CVE-2012-0507, which allows malware to be installed simply by visiting an infected webpage (Update: CVE-2012-4681, a new JVM 0day, has also been observed in the wild and added to Metasploit. Oracle has released a patch, but hours after its release, the emergency patch was shown to include even more vulnerabilities).
Since last year, unpatched Java installations have been responsible for more virus and malware infections than any other browser-based vulnerabilities. Few people actually use Java in their browsers, and insecure Java plugins can often go a long time without being updated. A study from last year showed that over 60% of Windows computers lacked a critical Java update that was over 18 months old, and were vulnerable to exploits that could be hidden in any website they visited.
How to Disable Java in Chrome/Chromium
Type about:plugins into your address bar to open the browser’s plug-in list.
How to Disable Java in Firefox
Type about:addons into your address bar to open the Add-ons Manager.
How to Disable Java in Internet Explorer
Don’t even bother. If you care about browser security, you would be better off installing Chrome or Firefox and ditching Internet Explorer completely. If you must use Internet Explorer, you can disable Java applets by going to [Tools Menu] > Internet Options > Security (tab) and clicking the “Custom Level” button at the bottom of the window. Scroll down in the “Security Settings” box until you see “Scripting of Java Applets,” and click the “Disable” or “Prompt” radio button. This will disable the loading of applets on webpages. Note that “Custom Level” settings apply only to the zone currently selected on the Security tab (the Internet zone by default), so repeat the change for any other zones you use.
Cut off Web Browser access to Java in Windows
To completely disable web browsers’ access to the Java Virtual Machine on a Windows system, go to Control Panel > Java and click the “Advanced” tab. Then click the “+” icon next to “Default Java for Web Browsers” and uncheck the boxes next to the browsers you want to cut off.
This approach is useful if you need a JVM on your computer, but you don’t want your browser to have any access to it. If you don’t need a JVM at all, you may as well uninstall Java completely (Control Panel > Add and Remove Programs, called Programs and Features on Windows Vista and later) and reinstall it later if you need it.
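The Control Panel steps above are easy to do once, but it is just as easy to forget about a JRE that a later installer quietly put back. The following PowerShell script is an added, read-only audit (it is not code from the original post and does not change any setting): it reports which JRE, if any, is recorded in the registry and whether Java is still registered as an NPAPI plugin that Firefox can load. It assumes the standard registry locations written by the Oracle/Sun installer (the `JavaSoft\Java Runtime Environment` key for the installed version and `SOFTWARE\MozillaPlugins` for plugin registrations); a machine with a differently packaged JRE may need those paths adjusted.

```powershell
# Added example: read-only audit of Java installation and browser-plugin registration
# on Windows. Assumes the registry layout used by the standard Oracle/Sun installer.
# Run from an elevated or normal PowerShell prompt; nothing is modified.

function Get-InstalledJre {
    # The JRE installer records the active version under these keys
    # (the Wow6432Node view covers a 32-bit JRE on a 64-bit Windows).
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key            = $k
                CurrentVersion = $props.CurrentVersion
            }
        }
    }
}

function Get-JavaNpapiPlugins {
    # Firefox discovers NPAPI plugins on Windows through subkeys of
    # HKLM\SOFTWARE\MozillaPlugins (and the per-user HKCU equivalent) whose
    # 'Path' value points at the plugin DLL. The Java installer registers
    # itself there, so a matching entry means the browser can still load Java.
    $roots = @(
        'HKLM:\SOFTWARE\MozillaPlugins',
        'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',
        'HKCU:\SOFTWARE\MozillaPlugins'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            $looksLikeJava = ($_.PSChildName -match 'java') -or
                             ($p.Path -and $p.Path -match 'java')
            if ($looksLikeJava) {
                [pscustomobject]@{
                    Registration = $_.PSChildName
                    Path         = $p.Path
                    DllPresent   = [bool]($p.Path -and (Test-Path $p.Path))
                }
            }
        }
    }
}

$jre     = @(Get-InstalledJre)
$plugins = @(Get-JavaNpapiPlugins)

if ($jre.Count -eq 0) {
    Write-Output 'No JRE registered in the registry.'
} else {
    Write-Output 'Installed JRE(s):'
    $jre | Format-Table -AutoSize
}

# A registration whose DLL still exists on disk is the case worth acting on:
# the browser will find and load the plugin unless it has been disabled.
$live = $plugins | Where-Object { $_.DllPresent }
if ($live.Count -eq 0) {
    Write-Output 'No live Java NPAPI plugin registration found.'
} else {
    Write-Output 'Java plugin registrations that a browser can still load:'
    $live | Format-Table -AutoSize
}
```

A registration with `DllPresent` equal to `True` is the signal that the browser-side setting from the Java Control Panel (or the per-browser disable steps above) is still needed; a stale entry whose DLL is gone is harmless but can be cleaned up when the JRE is uninstalled.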
Update 8/27: For background on CVE-2012-4681, have a look at FireEye’s report, the PoC code and the blurb on Metasploit’s blog. The exploit is now a part of the Metasploit suite as “java_jre_17_exec,” and the source of the malicious .class file is here.
If you’re interested in the technical background of the (known) Java exploits floating around the internet right now, including CVE-2012-0507, Metasploit: CVE-2012-0507 – Java Strikes Again is a good starting point.
Update: Disable Java in Safari
As Corin pointed out in the comments, you can disable Java in Safari by going to Safari > Preferences > Security > Web Content. In the time since I wrote this post, over 600,000 Macs have been infected by the Flashback trojan, which relies on the CVE-2012-0507 Java exploit.