As a courtesy to our clients, we have put together this page to help inform and assist regarding
the reported Jan 2013 Java vulnerability. Please note that lessons from this vulnerability can be
applied to all past, present, and future vulnerabilities.
Page last updated Jan 13, 2013
January 13, 2013: Oracle has
an update that includes a fix for the vulnerability. Please make sure
that your Java is updated to the latest version (ver 7 update 11).
We would still recommend uninstalling Java if you do not need it, or
disabling Java if you decide to keep and update it.
What is Java?
Java is a programming language and platform that has been used extensively since 1995 in many applications
on computers and other electronic devices. Java was originally developed by Sun Microsystems but is now
owned by Oracle. For full information on Java, please visit
used extensively to assist and enhance user experiences on the web. At the moment, there is no
What is the zero-day Java attack announced in Jan 2013?
A zero-day attack is an attack, or threat of attack, that exploits a vulnerability
that was previously unknown. In this case, the discovered zero-day attack takes advantage
of Java, including the latest version. According to
the vulnerability was supposed to be fixed by Oracle in an August 2012 patch but the patch was incomplete.
Am I affected by the Jan 2013 zero-day attack?
As of Jan 12, 2013, if you have Java installed, then yes, you are vulnerable to the attack.
The vulnerability is present on Windows, Apple OS X, and Linux. The vulnerability is clearly
present in Java 7. For earlier versions of Java, it is unclear whether the vulnerability
is completely present, but earlier versions have other vulnerabilities as well, so using
them is not advised.
Do I have Java installed? What version of Java do I have installed?
Oracle has set up the following page that will allow you to test whether you have Java installed
and, if so, which version:
If present, click on "Verify Java version".
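For a Java that is run from the command line, the version banner can be compared against the update 11 release named at the top of this page. The following is an added example, not part of the original page: it assumes the 2013-era `java -version` banner format, and the function names, result labels and sample banners are constructed for illustration.

```python
import re
import subprocess

# Release this page names as carrying the fix: "ver 7 update 11".
FIXED_MAJOR, FIXED_UPDATE = 7, 11

# 2013-era banner format, e.g.  java version "1.7.0_10"
BANNER_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

# Constructed sample banners (not captured from a real machine).
SAMPLES = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)',
    'java version "1.7.0_11"',
    'java version "1.6.0_38"',
]

def parse_banner(text):
    """Return (major, update) from `java -version` output, or None."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(text):
    """Map a banner to the action this page recommends."""
    parsed = parse_banner(text)
    if parsed is None:
        return "unrecognized-banner"
    major, update = parsed
    if major < FIXED_MAJOR:
        return "older-release-not-advised"
    if (major, update) < (FIXED_MAJOR, FIXED_UPDATE):
        return "update-needed"
    return "at-or-above-7u11"

def check_local():
    """Classify the `java` found on PATH; other installed copies are not seen."""
    try:
        # `java -version` writes its banner to stderr, not stdout.
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "java-not-on-path"
    return classify(out.stderr + out.stdout)

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner.splitlines()[0], "->", classify(banner))
    print("this machine ->", check_local())
```

`check_local()` only sees the `java` on PATH, so a machine with several instances of Java installed needs each one checked, and the browser plug-in is still best confirmed with the "Verify Java version" page.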
Does CLS use Java?
How would I get compromised?
The vulnerability by itself will not harm the machine but the vulnerability is like leaving
the door open to a house. If the door is open and someone malicious walks by, the vulnerability
can be exploited. In a similar sense, your machine would get compromised if you were to visit
a website that happens to use Java and is looking to take advantage of the Java vulnerability.
Am I compromised?
The reported Java vulnerability allows a malicious site or user to gain access to your machine
and thereby install surreptitious spyware and malware programs, such as keyloggers. In order to
determine whether your machine has been compromised, please keep an eye out for suspicious or
unusual activities on your system and run a well-regarded anti-malware program to look for
spyware and other malware.
What should I do? How do I uninstall/disable Java?
Until Oracle releases a fix for the exploit, here are our current recommendations.
This would be an opportunity to consider whether you require Java. Most websites do not
require Java so if you do not require Java, our best recommendation is to uninstall Java.
If you do require Java or would like to postpone uninstalling Java, our next recommendation
is to disable Java. Instructions are provided below for uninstalling and disabling Java.
If you are concerned that your machine has already been exploited, please run an
anti-malware program (e.g., Spybot - Search & Destroy)
and an anti-virus program (e.g., Microsoft Security Essentials).
Uninstalling Java on Windows 7
- Click "Start".
- Select "Control Panel".
- Select "Programs".
- Select "Programs and Features".
- Find all instances of Java. Select each instance of Java by clicking
on the instance and then click the "Uninstall" button. (You will have to repeat
this step depending on how many instances of Java are on your machine.)
Uninstalling Java on Mac OS X
- Click the "Finder" icon in your dock.
- Click "Applications" in the sidebar.
- In the search box enter "JavaAppletPlugin.plugin", without the quotes.
- Right click on the JavaAppletPlugin.plugin file and select "Move To Trash".
Disabling Java 7.0, 7u10+
- Find the Java Control Panel:
  - Windows XP: Click "Start" > Click "Control Panel" > Double-click the Java icon.
  - Windows 7, Vista: Click "Start" > Click "Control Panel" > In the Control Panel Search, enter "Java Control Panel" (without quotes) > Click on the Java icon.
  - Windows 8: Drag mouse pointer to bottom-right corner of the screen > Click "Search" > In the search box, enter "Java Control Panel" (without quotes) > Click on the Java icon.
  - Mac OS X 10.7.3 and above: Click the Apple icon (upper left corner) > Click "System Preferences" > Click on the Java icon.
- Click on the "Security" tab.
- Uncheck the box that says "Enable Java content in the browser".
- Click "Apply". When the Windows User Account Control (UAC) dialog appears, click on "Allow" to make the changes.
- Restart any open browsers.
Disabling Java in Google Chrome
- Click on the wrench icon in the upper right corner of the browser. In newer versions, the wrench is replaced by the "hot dog" (a button that looks like a stack of 3 lines).
- Click on "Settings".
- In the "Search Settings" box, type in "Java" (without quotes).
- Click on "Content Settings".
- Scroll down to the section called "Plug-ins" and click on "Disable individual plug-ins".
- Look for "Java(TM)" and click on "Disable".
Disabling Java in Mozilla Firefox
- Click on the "Firefox" menu icon in the upper left corner.
- Click on "Add-Ons".
- Click on "Plugins" on the left.
- For each instance with the word "Java", click on the "Disable" button on the right.
Disabling Java in Internet Explorer
Where can I get more information regarding the Java exploit?