What to do about Java?

In recent months the programming language Java has been in the news a lot, mainly because of its association with virus infections. By most reliable accounts, over one-half of all recent malware infections have been accomplished by exploiting vulnerabilities in Java.

Java was first released in 1995 by Sun Microsystems, which was subsequently acquired by the database software company Oracle. According to the Oracle web site, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

Contrary to a widely held belief, Apple computers are not immune to virus infection. In fact, the most widespread infection of Macs to date involved 670,000 infected computers that unwittingly became members of a botnet known as Flashback.

The Flashback virus was actually a Trojan Horse, installed as a "drive-by download," without the user's knowledge or permission. The virus accomplished this objective by taking advantage of known security holes in Java, adjusting its behavior as necessary to fit the environment of the target computer.

These vulnerabilities are commonly exploited on Windows-based PCs, and many IT professionals question whether Java will ever be secure enough to be trusted on the average user's computer. As much as Oracle tries to find and patch all the holes in Java, the bad guys keep finding more of them.

Just in the past few weeks Oracle released Java 7 Update 10, which introduced some new techniques to make the platform more secure. Within a few days researchers found ways to compromise this redesigned architecture, and new exploits followed. Update 11 was released less than a week after the introduction of Update 10.

Once again, the new version gave way to new vulnerabilities. As of this writing, Update 13 is the latest release, having come out less than one week after Update 11.

So, what should you and your users do about Java? You will hear various opinions on the subject. The right answer, of course, is "it depends."

The unfortunate reality is that many programs, devices, and web sites use Java in one form or another. While some experts recommend removing Java from your computers altogether, that approach may not be practical in some cases. But a reasonable first step might be to uninstall Java from your computer and see whether you lose any functionality.

Do all of the programs you normally use continue to run normally without Java installed? If so, that's a promising sign. What about web sites? Do any of your favorites quit working when Java isn't there? Here's a hint: GoToWebinar won't work without Java. And there are many others.

One of the improvements in the recent Java updates is a wider range of options related to security. There is now a Security tab in the Java dashboard, with a slider that allows you to select a Security Level from Low to Very High. The default setting is High (recommended), and an Advanced option gives you more granularity in the detailed settings.

There is also an option to "Enable Java content in the browser," with a check-mark in that box by default. Deselecting that option will greatly improve the security of that computer, albeit at the risk of breaking some web pages. But this is a prudent step for you to take if possible.

Another new option allows you to specify how often to have Java check for updates. The default was originally once per month and has since been increased to once per week. But now you can set it to check for updates every day if you like.

Considering how frequently new exploits are discovered, you may want to set all of your computers to check for Java updates daily. The increased overhead is minimal, and the potential for keeping the computer secure against Java-based attacks is significant.
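As an added example (not code from this article), the following Python script audits a Java deployment.properties file for the two settings just described: the "Enable Java content in the browser" checkbox and the Security Level slider. The key names are the ones Java's deployment.properties uses for those two settings; the two sample files are constructed, and the update-check frequency is not stored in this file, so it is not covered here.

```python
# Added example: audit a Java deployment.properties file for the browser-content
# and Security Level settings. Key names are Java's own; sample files are constructed.
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments.
    A bare key with no '=' (used for the .locked markers) maps to ''."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_java_settings(text: str) -> List[str]:
    """Return findings; an empty list means the hardened settings are present."""
    props = parse_properties(text)
    findings: List[str] = []
    # The browser checkbox is on by default; only an explicit 'false' disables it.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is enabled (deployment.webjava.enabled)")
    # Security Level slider: High is the default, so a missing key is acceptable.
    level = props.get("deployment.security.level", "HIGH").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append(f"Security Level is {level}, below the recommended High")
    # A setting the user can flip back in the control panel is weaker than a locked one.
    for key in ("deployment.webjava.enabled", "deployment.security.level"):
        if key in props and (key + ".locked") not in props:
            findings.append(f"{key} is set but not locked; users can change it")
    return findings


# Constructed sample files: a weak configuration and a hardened, locked one.
WEAK_CONFIG = """#deployment.properties (constructed sample)
deployment.security.level=MEDIUM
"""
HARDENED_CONFIG = """#deployment.properties (constructed sample)
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_java_settings(cfg) or ["OK"])
```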

It's important to note that there is no option to install Java updates automatically, only to notify the user that a new version is available. So be sure your users know to look in the System Tray on a regular basis and allow a Java update to install any time it is offered.

Keeping Java up to date is every bit as important to security as a serious, commercial-grade (not free, in other words) anti-virus program and Windows Updates. Disabling or removing it altogether is a more secure solution, but one that may not be practical for many users.