Right now you might have one of the most vulnerable utilities that hackers absolutely love installed on your computer, and there’s little you can do about it.
What’s this mysterious highly insecure program I’m talking about? None other than Java.
Java is a programming language that was developed years ago specifically to run on all manner of devices. Want to run the same web app on a Mac, PC, and Linux? No problem, Java has your back!
While it’s slowly been fading out, partially due to just how ridiculously insecure it is, Java is still widely used across the internet and many people can’t live without it, at least not yet.
With that in mind, there are a few things we can do to protect ourselves from Java-based exploits instead of just throwing Java off the deep end and uninstalling it.
Today we’re going to discuss Java and what you can do about its insecurities. Before we start, though, there’s one misconception to clear up.
Java has two parts: the browser plug-in that lets you view Java content online, and the runtime base that runs applications on your computer. Java desktop apps aren’t insecure. When we discuss the exploits and insecurity, we’re talking about the browser plug-in!
Is Java Really That Dangerous?
You might be skeptical. If Java really is all that important and, according to Oracle, is installed on 89% of desktops, can it really be that dangerous? Unfortunately, the answer is a definite yes!
Even worse, when zero-day exploits hit Java they are usually disastrous. They can affect your personal finances and even cripple entire companies! These are the sort of attacks where hackers can get full access to your system. It’s intimidating stuff!
The problem with the Java plug-in has been around since it was first released. The developers thought it would be handy if you could run full-fledged applications in your web browser, so they developed the Java web browser plug-in.
The plug-in worked fine but security issues started cropping up that the original developers didn’t seem to fix. This apple is rotten from the inside, even if it is functional, and looks like a lost cause to fix.
This isn’t ancient history either. Ars Technica reported earlier this year that a security update did the opposite of what was intended: it actually made Java more vulnerable to a nearly 3-year-old attack!
There is a silver lining to this cloud, though. Many experts expect Java to eventually fade away but Java’s developers have put time and effort into securing it more. According to Heimdal Security, a leading independent research firm, attacks on Java have gone down year over year.
The worst part of Java exploits is that they usually allow attackers to bypass normal anti-virus and anti-malware measures. Here are a few attacks from 2014 that made headlines:
- Angler Exploit: By far the most advanced and scary of the list, the Angler Exploit doesn’t use any files so it can’t be picked up by traditional security programs. With no file, it leaves no trace so you may not even know you’ve been compromised!
- Magnitude Exploit: This one exploited Java, Internet Explorer and Flash to make cyber criminals an estimated $60,000 a week!
- Sweet Orange Exploit: This one made news when it was discovered it could morph to avoid being detected by anti-viruses!
With the new exploits and zero-day malware appearing seemingly by the day, we need to buff up our defense! As you saw above, many traditional anti-virus programs can’t pick up on Java exploits, so what can we do? How do you fight an enemy you can’t detect?
Keeping Java around may be necessary but that doesn’t mean we have to sit around idly hoping nothing bad happens! There are a few security firms that are releasing specific anti-exploit defenses.
One of the best is Malwarebytes Anti-Exploit. Normal antivirus programs look at signatures or detect behavior to determine malware. This works for most malware, but exploits latch onto legitimate programs, which lets them slide on past unhindered.
This is where Malwarebytes Anti-Exploit can help you out. It’s designed to fill the gaps and detect when programs are acting suspiciously.
It’s designed to work alongside other more robust security software and provides three new layers of defense:
- Actively guards against Operating System (Windows) security bypasses.
- Prevents exploits that are run from your RAM.
- Stops programs from delaying malicious code.
Malwarebytes Anti-Exploit comes in a free version and a paid premium version. Both of them will protect you against exploits and Malwarebytes claims it won’t slow down your system either.
The premium version adds a few extra optional, but handy, features like shielding your PDF files and the Microsoft Office suite.
You can get Malwarebytes Anti-Exploit directly from their website here. The cool part of the program is that it automatically runs in the background, so once you set it up you can forget about it and just let it do its thing!
Malwarebytes Anti-Exploit is compatible with almost all other security software suites today. Because it doesn’t use a signature database it doesn’t need to update all the time either!
Other Forms of Protection
The best form of defense for Java vulnerabilities is to uninstall it completely but if that’s not an option there still are a few other things you can do to protect yourself.
If you use Java for a desktop application for your business or to play Minecraft, you can disable the browser plugin. This is fairly easy:
- Open up the control panel and type in ‘Java’
- Select the ‘Security’ tab and uncheck ‘Enable Java content in the browser’
This keeps Java on your computer but the browser won’t be able to touch it. Remember Java as a programming language isn’t insecure, it’s the web browsing that’s a constant security risk!
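To confirm the checkbox actually took effect, you can read Java's deployment.properties file, where the "Enable Java content in the browser" setting is stored as the deployment.webjava.enabled property. The following Python check is an added example, not part of the original article; the sample file contents are constructed and the function names are hypothetical.

```python
import re

PROP = "deployment.webjava.enabled"   # backs "Enable Java content in the browser"
# Typical per-user location on Windows:
#   %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

def parse_properties(text):
    """Parse the simple key=value subset of the Java .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        props[m.group(1)] = m.group(2).strip()        # bare keys get value ""
    return props

def browser_java_status(user_text, system_text=""):
    """Return the effective plug-in setting and where it comes from."""
    user, system = parse_properties(user_text), parse_properties(system_text)
    # A system-level "<property>.locked" entry stops the user overriding it.
    locked = PROP in system and (PROP + ".locked") in system
    if locked:
        source, value = "system (locked)", system[PROP]
    elif PROP in user:
        source, value = "user", user[PROP]
    elif PROP in system:
        source, value = "system", system[PROP]
    else:
        source, value = "default", "true"             # Java enables it by default
    # Anything other than an explicit "false" is treated as still enabled.
    return {"enabled": value.lower() != "false", "source": source, "locked": locked}

# Constructed sample contents, not taken from a real machine.
USER_DISABLED = """#deployment.properties
deployment.webjava.enabled=false
deployment.security.level=HIGH
"""
SYSTEM_LOCKED = """deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""

if __name__ == "__main__":
    print(browser_java_status(USER_DISABLED))
    print(browser_java_status("deployment.webjava.enabled=true", SYSTEM_LOCKED))
    print(browser_java_status(""))
```

An empty or missing file reports the plug-in as enabled, because that is Java's default until the box is unchecked.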
What if you actually need it for something you do on the computer in your normal daily activities? While this is less secure than uninstalling it or unchecking the security setting above, there are still a few things we can do.
Our first recommendation is to have multiple browsers installed on your computer. Use one browser as your designated go-to for Java websites. Disable Java entirely from the second browser and use that one for everything else under the sun.
This is much more secure than doing nothing and prevents websites from exploiting Java during most of your normal activities.
How to Disable Java in Browser
Here’s how to disable Java for just your one main browser:
Chrome:
- Open up Chrome and type ‘about:plugins’ into your URL bar without the quotation marks.
- This will bring up a list of all of the currently installed plugins. Locate Java on the list.
- Click the blue ‘Disable’ text and you’re all finished as well as much more secure.

Internet Explorer:
- Open up Internet Explorer and click on the little gear in the top right.
- Select ‘Manage Add-Ons’ in the drop down.
- Locate the Java Plug-In on the list, and then click the disable button.

Firefox:
- Open up Firefox and open the Firefox menu on the top left.
- Click on the Add-Ons button with the blue puzzle piece.
- There may be a few, so go down the list and disable all of the plugins that include the word ‘Java’ in them!
How-To-Geek has a few pictures of the process if you want to look into it further.
Keep Java Updated
If you’re in the majority and have Java installed, have you ever noticed that it needs updating quite a lot? This isn’t a coincidence. Java needs that many updates just to stay secure!
New exploits and bypasses are found all the time and Java’s developers put out a new patch every other day or so just to keep on top of it all!
If you need to keep Java around be sure to always keep it updated! Yes, it might be annoying that Java asks you every few days to update but there’s a good reason for that! It’s not asking you just to get on your nerves.
Whenever you see the popup for Java when you start your computer, take a second and update it! You could also set it to automatically download from here on out if you don’t want to be bothered with it anymore.
It’s worth noting that Java isn’t the only platform that is so commonly attacked. Adobe Flash is another that tends to make the headlines every now and again. The premium version of Malwarebytes covers the other most common attacks, including Flash and Microsoft Office.
Even if Java fades away into obscurity one day it’s important to protect yourself today against all of the nasty exploits out there. Installing an anti-exploit tool like the one from Malwarebytes is definitely a step in the right direction, and it wouldn’t hurt to have a ‘Java Only’ web browser too. Simple steps like that will go a long way in keeping you safe!