Via Kaspersky and a bunch of other sources:
Nasty New Java Zero Day Found; Exploit Kits Already Have It
Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.
If you don’t recognize those names, they’re crimeware kits that allow bad guys to booby-trap web sites, which they then lure unsuspecting victims to visit using e-mail messages or poisoned search results. As soon as you load the site in your browser, the exploit runs and you are compromised.
At the moment, there’s no fix for the specific exploit, although up-to-date antivirus software will usually block the exploit from the sites.
Instructions on how to disable the Java plugin are here. And yes, this can affect Macs as well as Windows PCs, so don’t assume you’re immune because you have a Mac.
If you have specific sites that require a Java-based plugin, consider using Chrome’s ability to block the Java plugin globally while selectively enabling Java for specific sites. Details here.
Other possible strategies:
- Disable Java in your default browser but enable it in a secondary browser. When you need to use Java, fire up the alternate browser and navigate to the Java-based app manually.
- Set up a virtual machine and install Java only in that sandboxed installation. Although it sounds inconvenient, cleaning up a malware infection is worse.
Additional reading: How big a security risk is Java? Can you really quit using it?
3 thoughts on “This might be a good day to disable your browser’s Java plugin”
Worth mentioning is that if you have Version 7 Update 10 then you can disable browser access from the Java control panel applet.
This is why I run IE with all add-ins disabled — in particular, no Java and no Flash. If I run into a site that doesn’t work in IE, I then launch Chrome. I stay far, far away from Firefox because it runs with normal privileges, while IE and Chrome both run in low-integrity mode.
I do wish I.E. had site-specific settings like Chrome does. Still not enough for me to use Chrome a lot. Java’s like a bad dream. Just wish it would go away. I’ve been saying that for over 7 years now.