It's time to run Java out of town

A Java security hole just nailed 670,000 Macs, and Java accounts for more Windows infections than any other source. It's time to get rid of Java and stop the madness

Page 2 of 2

Apple doesn't bundle Java with any of its products any more -- and hasn't done so since OS X Lion -- but many Mac owners find themselves installing Java manually when they go to a website that requires (or requests) Java.

Oddly, Flashback doesn't even try to infect Mac systems with antivirus products Little Snitch, Virus Barrier, iAntiVirus, Avast, ClamXav, HTTP Scoop, or Packet Peeper installed. And it won't infect Macs that have Apple's free Xcode development environment installed.

If you want to see whether your Mac is actively participating in the Flashback botnet, go to the Kaspersky verification site and run your UUID through its lookup routine.

The Flashback payload appears to move in two directions. First, it scrapes log-in IDs and passwords from the Safari browser. Second, it redirects search engine results.

Security researcher Brian Krebs has been recommending for years that people turn off Java and enable it only when they absolutely have to run it. Many sources peg Java as the primary source of Windows infections over the past two years, including this Virus Bulletin 2011 presentation and a Virus Bulleting analysis of infections delivered by exploit kits.

One way to protect your computer is to use two different browsers -- one with Java enabled, the other without -- and only haul out the Java-jinxed browser when absolutely necessary. The other approach is to uninstall or disable Java in the browser you use and reinstate it only when you have no other options.

The easiest way I've found to manage Java is through the NoScript add-in for Firefox -- in fact, that's the primary reason I use Firefox as my main browser for both Windows and Mac. If you prefer Chrome, disabling Java takes only a few clicks. Instructions for disabling Java in Internet Explorer or Safari -- or allowing Java (to support, say, OpenOffice) but disabling it in the browser, are availabe on the Microsoft and Apple sites.

But that only treats the symptoms. To get rid of Java as the world's foremost computer infection vector, we simply have to get rid of Java. Yes, it's installed on 3 billion computers. Yes, many companies rely on Java -- just as they relied on ActiveX technology not so long ago. The lamentable fact is that Java's rotten to the core, and Oracle's done nothing to improve its trustworthiness. IT departments need to get on the bandwagon and run Java out of town.

Steve Jobs dumped Java for good reason.

This story, "It's time to run Java out of town," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.
Related:
| 1 2 Page 2
From CIO: 8 Free Online Courses to Grow Your Tech Skills
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.