Disable Java? Here's how, after US agency warns of software 'vulnerability.'
To prevent cyber crime, the Department of Homeland Security advises Americans to temporarily disable Java 7 software, commonly used in Web-browser programs.
(Updated Saturday, Jan. 12, at 3:30 p.m. EDT.)
With an eye on the security of millions of Internet users, the US Department of Homeland Security is advising Americans to temporarily disable Java, software commonly used in Web-browser programs.
It’s not that Java itself contains a malicious computer virus. The problem is what the agency calls a software “vulnerability,” a kind of open door for hackers to infiltrate a computer. That can result in identity theft or other bad things happening on your computer.
The urgent warning, in response to known hacker activity, comes from the US Computer Emergency Response Team, or US-CERT, a part of the Homeland Security Department. [Editor’s note: This paragraph and the following contain corrected wording, to clarify the distinction between US-CERT and CERT.]
“We are currently unaware of a practical solution to this problem,” said a notice released this week by CERT, a group at Carnegie Mellon University in Pittsburgh, which often provides technical services to US-CERT.
The recommendation highlights the rising threat level in the realm of cybersecurity, and the growing efforts to make devices and networks more secure. The vulnerability in Java is just one piece of that puzzle, but it’s significant because the software is so widely used in Web browsing.
If you want to follow US-CERT’s advice and disable Java, how do you do that?
First, if you use a Mac computer from Apple, the answer appears to be simple. According to reports by technology websites including MacRumors.com, Apple has already moved to force a disabling of Java on Macs with the OS X operating system.
For other computer users, a first step may be to check what version of Java you're running. The US-CERT announcements focus on Java 7. Computer-security blogger Brian Krebs notes some uncertainty about whether other versions going back to Java 4 are affected. But he points to evidence suggesting the problem is limited to version 7.
Oracle, the owner of Java, said on Twitter that the problem is limited to "JDK7," or version 7, and that it hopes to have a fix available "shortly." (JDK stands for Java Development Kit.)
Mr. Krebs suggests that Internet users visit a Java Web page where they can confirm whether the software is running on their machines, and which version. Click the “Do I have Java” link, which is below a big red “download” button.
Now, if you have a version of Java you want to disable, here’s what US-CERT said Thursday: “Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet.”
Citing a document from Oracle (Java’s corporate owner), CERT describes the following steps:
1) Make sure you have Java 7 Update 10. If not, you can upgrade. (A quick reminder: As this story just noted, if you have version 6 or prior, you may not want to upgrade or disable Java for now.)
2) Go to the Java control panel.
3) In the Security tab, de-select “Enable Java content in the browser.”
If you can’t upgrade to Update 10, CERT says to see a different "vulnerability note" it wrote for browser-specific instructions on disabling Java.
Beneath the “solution” heading in that note, you can search for the name of the browser program you use.
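For readers comfortable with a command line, the version check and the choice between the two paths above can be scripted. This Python sketch is an added illustration, not code from US-CERT, CERT or Oracle; the function names and result labels are hypothetical and the sample banners are constructed.

```python
import re

# Matches the quoted version in `java -version` text, e.g. "1.7.0_09".
_BANNER = re.compile(r'version "(\d+)\.(\d+)(?:\.\d+)*(?:_(\d+))?')

def parse_java_version(banner):
    """Return (major, update) from `java -version` text, or None if absent."""
    m = _BANNER.search(banner)
    if not m:
        return None
    first, second, update = m.groups()
    # Releases of this era report themselves as 1.<major>.0_<update>.
    major = int(second) if first == "1" else int(first)
    # The first release of a major version has no _<update> suffix.
    return major, int(update or 0)

def advice(banner):
    """Map a version banner to the path the article describes."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "no-java-found"
    major, update = parsed
    if major == 7 and update >= 10:
        return "control-panel"                # Security tab checkbox is available
    if major == 7:
        return "upgrade-or-browser-specific"  # Update 10 is needed for the checkbox
    if major <= 6:
        return "version-6-or-prior"           # outside the Java 7 warning
    return "outside-article-scope"

# Constructed sample banners (not captured from real machines).
SAMPLES = [
    'java version "1.7.0_10"\nJava(TM) SE Runtime Environment',
    'java version "1.7.0_09"',
    'java version "1.7.0"',
    'java version "1.6.0_37"',
    "command not found",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(repr(text.splitlines()[0]), "->", advice(text))
```

On a real machine, `java -version` writes its banner to standard error, so capture that stream when feeding the text to `advice`.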
The note says the process of disabling Java is “significantly more complicated” if Microsoft’s Internet Explorer is your browser. An expedient answer may be to temporarily use a different browser. Computer experts generally advise the less sophisticated among us not to try adjusting your computer’s registry, which is called for to implement some of CERT’s Explorer-related options.
CERT's security warning also includes some added advice and context that's helpful to keep in mind.
"An effective way of mitigating risk of web browsing is to use separate browsers for different activities online. For example, if you do online banking, choose a browser to use for banking and nothing else," the note says. "This can help minimize the risk of a malicious web page being able to interfere with the banking activity."
CERT says the same concept can be applied to Java. If you have a must-use website that requires Java for its functioning, then configure one browser to be Java-enabled, and only use that browser for accessing that trusted site.
Finally, blogger Krebs notes that the Java software in the news is distinct from something else, called JavaScript. But JavaScript has its own security gaps. For his part, Krebs suggests disabling JavaScript, and then selectively enabling it for use on specific websites where you know you want to use it.