Oracle, the company behind the Java software that caused a worldwide alert about its security gap, has issued a patch to prevent viruses from infecting computers without the owners’ knowledge.
To be secure, computer users need to install the patch, made available Sunday, rather than waiting for an automatic update. The U.S. Department of Homeland Security on Thursday recommended disabling Java software used in Web browsers.
“Unfortunately, Homeland Security didn’t tell anybody how to disable it,” said Thor Schrock, CEO of Schrock Innovations, an Omaha-based computer sales and service company. Schrock says his stores have seen a recent uptick in virus removals in all three locations.
“People are getting hit by this,” he said.
For tech-savvy users, disabling Java or installing the patch isn’t a big deal. But for those who don’t typically adjust default computer settings, the process can be a little more complicated, and many users may still have questions:
Q: What is the Java bug and what is the danger?
A: Java is software that delivers video and other content to Web browsers like Internet Explorer, Firefox and Chrome. The most recent version — Java version 7, update 10 — included a security loophole that allowed hackers to gain control of a computer without its owner’s knowledge. In other words, your computer could be compromised not by downloading a program or clicking a link, but merely by viewing a video that used Java — something millions of users do every day.
By taking over a computer, a hacker could install additional malware and viruses or steal personal information, which can lead to identity theft.
Q: Who is affected?
A: More than 850 million computers around the world could be at risk, particularly those using Microsoft Windows operating systems and Microsoft Internet Explorer, which comes pre-installed on all Windows systems. Internet Explorer uses Java differently from other browsers. Mozilla’s Firefox has a “click-to-play” feature that activates Java only when a user clicks on a web element that uses the software. And Chrome, which is Google’s browser, can be adjusted in the settings to operate in a similar manner.
But Java on Internet Explorer is “on” at all times — whether it’s needed or not — meaning it’s constantly running and available for exploitation.
Smartphones and tablets, like the Apple iPad, are not affected. Apple Mac computer users with the latest version of the company’s OS X operating system are also protected. That system communicates frequently with Apple’s servers, and if the software is out of date or enables malware, it is remotely disabled.
Q: How can I tell if I’ve been hit?
A: The genius of this security loophole is that you might not know if your system has been compromised. It’s similar to leaving your front door unlocked while you’re away. It’s not guaranteed that something bad will happen, but you’ve certainly made it easier.
Q: What are the fixes?
A: Install the patch immediately. Also, Schrock recommends using Firefox or Chrome instead of Internet Explorer. Those who strongly prefer Internet Explorer should be OK after installing the patch. Windows users should go into the Java setting and use the manual update feature to get the software patch. Instructions can be found here: www.java.com/en/download/help/java_update.xml.
To help stay ahead of future problems, Schrock Innovations is recommending its customers download a program called Secure Updater, which keeps third-party applications like Java or Flash updated without user intervention. Though it is a subscription-based service, the free 15-day trial will handle the Java update automatically. The updated software will remain on your system even after the trial expires.
Installing anti-virus software also would keep other potential problems at bay.
Q: What if I don’t do anything?
A: On most systems, Java, Flash and other third-party programs are set to update automatically at regular intervals. Unless those settings have been disabled, you will probably eventually have updated software. In the meantime, though, your system will be vulnerable.
“If you don’t download the patch, you have a big problem,” Schrock said.
Q: Where can I get help?
A: If you think your system has been compromised, local computer repair centers will be able to remove viruses and install protective software. Java’s website, www.java.com, has a help center that, among other things, offers instructions for changing the automatic update schedule, allowing the system to check for and install updates more frequently.