On March 12th 2013 James Clapper, the director of national intelligence for the United States, told the Senate Intelligence Committee that cyberattacks are now the top security threat facing our country, and that it would be “hard to overestimate [their] significance”. This is but one of many reasons why it’s time to talk about your computer’s security again, and this month that means talking about a few popular web plug-ins with big security issues: Java and Adobe Reader. These programs are installed on a huge percentage of personal and business computers, as they’re used for various types of web content: Java for applets and Adobe Reader for PDF files. They’re free, widely-promoted, and commonly installed along with other well-meaning web-centric programs. They’re also cross-platform, meaning you’ll find them on Windows, Mac and Linux computers.
Of course, the wide install base and cross-platform properties of these applications make them a tempting target for computer criminals and a host of other “bad guys” on the internet. Java, in particular, has seen a long string of security vulnerabilities in recent months. Some of the world’s largest tech companies (including Apple, Facebook and Microsoft) have been hit by major Java-based attacks, leading some researchers to quip that we’re living through the “Javapocalypse”. What’s worse is that the usual advice about defending against these security holes– to keep your system up-to-date– isn’t enough here, because the company responsible for Java, Oracle, has been largely ineffective in patching this problem. They have issued 17 critical security updates since the discovery of a major vulnerability last August, and the platform is still critically vulnerable to exploitation. The recent rash of Java vulnerabilities would allow attackers to remotely do anything on your computer that your user account could do– and for most Windows users, that’s everything. Even Mac and Linux users could still have all of their personal information compromised.
Adobe Reader is not as seriously compromised, but it’s in a similar situation. There have been several recent patches, but the exploits seem to keep coming, and patches aren’t being released until after people have been successfully attacked. There is a race going on between the bad guys and Adobe, and Adobe is losing.
In the case of both of these pieces of software, the advice from security professionals is to remove them. Immediately. There are some people who may have a legitimate need for one or the other piece of software, but we recommend that you remove them to find out if they are necessary to your day-to-day computing needs, since they are free downloads and you can always reinstall them later.
Most people need a PDF reader of some sort, but it doesn’t have to be Adobe Reader– PDF is an open standard, and there are several good replacement readers that are more secure and just as full-featured. On Windows, FoxIt Reader is a good choice. Note that FoxIt is packaged with the Ask.com toolbar by default; pay attention during the install process and uncheck this box to avoid having your browser home page and search engine hijacked by this packaged software. (This is common practice on Windows these days– it’s a good idea to always pay close attention to software installers.) Mac and Linux users will find their built-in document viewers are a good replacement.
For Java, unfortunately, there really aren’t any good replacements for most users. Linux users will find that the open-source IcedTea plugin works well (and is generally installed by default), but there are no alternative browser plugins for Windows or Mac OS X. The good news is that Java is a declining technology, and most people will find that they don’t have a need for Java. If you are sure you have a need for Java for a specific desktop application (such as a business application, or the wildly-popular block-building game Minecraft), you can disable it in your web browser, which will reduce your exposure to these security vulnerabilities.
For Windows 7:
Find the Java Control Panel
- Click on the Start button and then click on the Control Panel option.
- In the Control Panel Search enter Java Control Panel.
- Click on the Java icon to open the Java Control Panel.
Disable Java through the Java Control Panel
- In the Java Control Panel, click on the Security tab.
- Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
- Click Apply. When the Windows User Account Control (UAC) dialog appears, allow permissions to make the changes.
- Click OK in the Java Plug-in confirmation window.
- Restart the browser for changes to take effect.
You can find detailed instructions on how to do this for each operating system by going to Java’s website: www.java.com and searching on “disable browser”. I must reiterate, though, that this only reduces your security vulnerability. It does not eliminate it. You should only use this option if you are absolutely sure you need Java on your system.
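To confirm that the checkbox change took effect, you can read the setting back from Java's per-user `deployment.properties` file, where the "Enable Java content in the browser" checkbox is stored as `deployment.webjava.enabled`. The script below is an added example, not something from Oracle or the original article. It assumes the Windows 7 default location `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties`, reads only the per-user file passed as its argument, and uses constructed sample data when run without one.

```python
import re
import sys

# Property behind the Java Control Panel checkbox
# "Enable Java content in the browser" (Java 7 Update 10 and later).
KEY = "deployment.webjava.enabled"

# Key/value separator in the .properties format: '=', ':' or whitespace.
_SEP = re.compile(r"\s*[=:]\s*|\s+")

# Constructed sample of a file written after the checkbox was cleared.
SAMPLE_DISABLED = """#deployment.properties (constructed sample)
deployment.security.level=HIGH
deployment.webjava.enabled=false
"""


def parse_properties(text):
    """Parse the subset of the .properties format used by deployment.properties.

    Handles '#' and '!' comments, the three separators and backslash escapes
    in values. Line continuations are not handled. A repeated key takes the
    last value, as it does when Java loads the file.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        parts = _SEP.split(line, maxsplit=1)
        value = parts[1] if len(parts) > 1 else ""
        props[parts[0]] = re.sub(r"\\(.)", r"\1", value)  # "C\:\\x" -> "C:\x"
    return props


def browser_java_enabled(text):
    """Return False only when the file explicitly disables browser Java.

    The setting defaults to enabled when the key is absent, and any value
    other than "false" is reported as enabled (a deliberately cautious choice).
    """
    value = parse_properties(text).get(KEY, "true")
    return value.strip().lower() != "false"


if __name__ == "__main__":
    # .properties files are ISO-8859-1 encoded.
    source = (open(sys.argv[1], encoding="latin-1").read()
              if len(sys.argv) > 1 else SAMPLE_DISABLED)
    state = "ENABLED" if browser_java_enabled(source) else "disabled"
    print("Java content in the browser: " + state)
```

A result of "disabled" tells you the setting was saved for that user account; it does not tell you Java is patched or absent from the system.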
Finally, something to watch out for in the coming months and years: Adobe’s Flash Player. Like Java and Reader, Flash has a massive cross-platform install base, and has been subject to security problems in the past. Flash is a relatively integral part of the present web environment, though, and there aren’t any real replacements for it yet. We don’t recommend removing it, although we do recommend making sure you apply all security updates for it. We recommend the same for your operating system and all other software on your system: make sure it is all as updated as possible to protect yourself from future exploits that are almost certain to occur. When they do, we will be here to inform you. Stay tuned…