Wanted to repost this message from Andrew Solmssen, aka bitboy.com/
Hi all,
I’m sending this mass e-mail to my primary technical contacts at organizations I support to let you know about a new malware issue and a change in what I feel are best practices regarding Java on Windows-based computers.
For those of you who don’t know – Java Runtime is installed on many PCs as delivered from the manufacturer, and installed by me sometimes if not. It’s used by some websites and applications to add rich interactive functionality. In the past, I’ve felt it was an important part of being ready for the web, like Adobe Flash and Reader.
Now we’re facing a new wave of malware that takes advantage of security problems with Java. I removed it from two computers yesterday, and my sources tell me that problems with Java are the most common pathway for bad programs (fake antivirus, etc.) to get on machines. As this is happening, Java itself has become much less necessary for the vast majority of users as other ways to get that functionality are baked into HTML5 or Flash/Silverlight.
So I am recommending that users uninstall the Java Runtime from their PCs unless they have specific requirements for it – i.e. a website that needs it, or a local program that uses it. The benefit of having it is now outweighed by the attack surface it creates. Removing it is simple.
Close all open programs, go to the control panel, select Add/Remove Programs (Windows XP) or Programs and Features (Vista/7).
Java may be listed as Java 6 , J2SE Runtime, Java Runtime Environment, etc. with various version numbers, and there may be multiple versions installed. Remove all of them.
The uninstaller may ask for a reboot at the end of uninstallation. If you are uninstalling multiple versions, it’s safe to say no to the reboot until the last one is done, then reboot.
If you use a specific website or application that uses Java (you will see Java load with its coffee cup symbol when you do), then it’s alright to leave the most current version (as of this writing, Java 6 Update 22) installed. If you don’t have that version, uninstall all Java Runtimes as above, reboot, and go to www.java.com to get it.
I hope this is helpful, and that you will be able to disseminate this information throughout your organizations. Please let me know if you need further clarification on any of this.
No comments:
Post a Comment