Oracle keeps shipping a web browser plugin with its Java Runtime Environment (JRE), even though it’s a notoriously useless malware magnet (see below). Most legitimate Java client applications found on the Internet today are intended for offline installation. These often come bundled with a private JRE, and always completely ignore the browser plugin. So the best choice would be to remove the plugin entirely, or at least disable it by default.
That hasn’t happened yet, but Oracle has finally made one step in the right direction. The control panel for the new JDK/JRE 7u10 offers a security page that determines what happens when unsigned or local Java apps attempt to run in a browser. But really, you should just ignore that and simply uncheck the topmost option: Enable Java content in the browser (outlined below). Click Apply, and the plugin will be disabled for all browser apps – signed or unsigned, local or remote, annoying advertising or outright malware. This is a nice central alternative to disabling the plugin in all of your web browsers.
Tip: On Windows, there’s no Start Menu entry for the Java control panel. Start up the Windows Control Panel and click “Programs” (not “Uninstall a program”) or type “Java” in the search field. You should see a Java icon that starts the Java control panel. Aside from the new security settings, you can also change a number of other options, e.g. if and where Java should keep temporary files on your system.
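The checkbox described above ends up as one entry in the JRE's per-user deployment.properties file, which is what you would check when verifying the setting on more than one machine. The following Python audit script is an added example, not code from the original post: it parses a deployment.properties file (comments, continuation lines, the three separator styles and backslash escapes), reports whether web Java is disabled, and treats a missing key or missing file as "default", i.e. plugin still on. The key name deployment.webjava.enabled, the .locked convention and the file locations are assumptions stated in the code.

```python
"""Audit Java's deployment.properties for the 7u10+ browser-plugin switch.

Added example, not code from the original post. Assumptions:
  - The Control Panel checkbox "Enable Java content in the browser" is stored
    as deployment.webjava.enabled in deployment.properties (JRE 7u10+).
  - A <key>.locked entry in the system-level file is the deployment.properties
    convention for preventing users from flipping a setting.
  - The per-user file paths below are the conventional ones; adjust if needed.
"""
import os
import sys
from typing import Dict, Tuple

ENABLE_KEY = "deployment.webjava.enabled"


def _unescape(s: str) -> str:
    """Resolve java.util.Properties backslash escapes (\\:, \\=, \\uXXXX, ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _split_kv(logical: str) -> Tuple[str, str]:
    """Key ends at the first unescaped '=', ':' or whitespace."""
    i, n = 0, len(logical)
    while i < n and logical[i] not in "=: \t":
        i += 2 if logical[i] == "\\" else 1  # skip escaped separator
    key, j = logical[:i], i
    while j < n and logical[j] in " \t":
        j += 1
    if j < n and logical[j] in "=:":
        j += 1
    while j < n and logical[j] in " \t":
        j += 1
    return key, logical[j:]


def parse_java_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: comments, continuation lines,
    the three separator styles, and backslash escapes."""
    props: Dict[str, str] = {}
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]  # odd trailing backslashes: logical line continues
            continue
        key, value = _split_kv(buf + line)
        buf = ""
        props[_unescape(key)] = _unescape(value)
    return props


def web_java_state(props: Dict[str, str]) -> str:
    """'disabled' only when the key is explicitly false; a missing key means
    the checkbox was never touched and the plugin stays on."""
    value = props.get(ENABLE_KEY)
    if value is None:
        return "default"
    return "disabled" if value.strip().lower() == "false" else "enabled"


def is_locked(props: Dict[str, str]) -> bool:
    """True if an administrator pinned the setting via the .locked convention."""
    return ENABLE_KEY + ".locked" in props


def audit_file(path: str) -> str:
    """Read one deployment.properties file; a missing file also means 'default'."""
    if not os.path.isfile(path):
        return "default"
    with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
        return web_java_state(parse_java_properties(fh.read()))


# Constructed sample modelled on a 7u10 per-user file (not a real capture).
SAMPLE_PROPERTIES = """\
#deployment.properties
#Tue Dec 11 10:00:00 CET 2012
deployment.version=7.10
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.security.level=HIGH
deployment.webjava.enabled=false
deployment.javaws.jre.0.args=\\
    -Xmx256m
"""

if __name__ == "__main__":
    # Assumed conventional per-user locations (Windows / other OSes).
    if sys.platform.startswith("win"):
        path = os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                            "Sun", "Java", "Deployment", "deployment.properties")
    else:
        path = os.path.expanduser("~/.java/deployment/deployment.properties")
    print("sample file :", web_java_state(parse_java_properties(SAMPLE_PROPERTIES)))
    print(path, ":", audit_file(path))
```

Run it as-is to see the constructed sample evaluated alongside the real per-user file; point audit_file at a system-level file (the one a deployment.config references) and combine it with is_locked to confirm that users cannot simply re-tick the box.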
I was shocked to discover that the standard reference Core Java I (9th ed., 11/2012, p.16) belittles administrators who disable the browser plug-in, claiming minimal security risks and that “no actual systems were ever compromised.” This is absurdly wrong. For a more realistic view, here’s a sampling of recent Java exploit reports:
Java Considered Harmful (F-Secure, 12/2011): “And the Java Rhino vulnerability is not theoretical: the most common exploit kits have incorporated this vulnerability in their default exploits, and it seems to be working very well for the online criminals.”
Exploring the Blackhole exploit kit (Sophos, 03/2012): “Blackhole is one of the reasons behind the press interest in Java vulnerabilities recently. Anecdotal evidence [from several organisations] collected during the past year indicates that it is predominantly the Java vulnerabilities that lead to users getting infected by Blackhole.”
Oracle Java 7 Security Manager Bypass Vulnerabilities (US-CERT Alert TA12-240A, 08/2012, and Alert TA13-010A, 01/2013): “Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.” Alert TA13-010A specifically recommends disabling the Java browser plugin, as described above.
You may also want to check out Krebs on Security’s ongoing coverage of Oracle Java vulnerabilities and commercial exploits based on them.
2013-03-05: Recent weeks brought an entire series of zero-day exploits aimed at the Java browser plug-in, with Oracle frantically playing catch-up. Ars Technica summarizes the situation at the time of this writing.
2013-03-13: After a stampede of exploits, Oracle further tightens security in Java SE 7u21 by automatically showing warning dialogs before any remote Java code is executed, with additional “user interaction” required for unsigned code.