Critical security updates to applications are essential to maintain a patched system from the many exploits which attempt to infiltrate ones PC. Certain software companies need patching more than others and this is no less evident with both Adobe Flash and Oracle Java, the aforementioned needs fixing every five minutes and the latter, well, is probably better uninstalled altogether. On the subject of Java, many websites are using a trick which promises an update but also bundles are PUP for good measure.
So, what are the tricks, well, when a user attempts to view content which requires a Java plugin on certain websites, a pop up appears stating that they should update their version of Java. By following the prompt the user lands on various pages unconnected with Java, for example one page is coined “Media Downloader”. The user is then asked to both downloaded and install a “setup.exe” file which turns out to be a PUP. Quick tangent here, a novice computer user once asked me if it would download a dog, I replied PUP not Puppy, not joking either.
There are other techniques too, one masquerades on a webpage as a standard Java pop up update notification, further examination shows this is in fact a background image and not a pop up. If you click on this you might receive among others a bundler which offers Java but also others including Norton 360 (terrible program) PC Mechanic and for some reason Stormfall Age of War. This though can be avoided by checking the UAC prompt which lists this .exe file as from Verified Publisher “Super IS Fried Cookie Ltd”, sounds about as authentic as a fast food burger, mentioning no names.
As standard, make sure any software applications are downloaded from authentic sources, if you visit a page that promises an update, be cautious, check the URL and as an extra precaution, always scan downloaded files with a reputable Anti-Virus and if possible a Malware scanner as well. Quick side note, these days viruses are becoming harder to detect by AV companies, therefore, while it’s essential to have these suites available, always download from authentic sources and be sceptical.
Of course, if you don’t use Java then it might be better to uninstall it considering the amount of security issues it has faced over the last few years.
Image courtesy of limewheel
In other words, if you’re unsure go to the proper Java site and check for yourself.
The vast majority of users have no need whatsoever for the JRE. Very few websites use it these days.
The other point is that old versions remaining on your computer can be attack vectors, so uninstall all but the latest. This arises since a Java app can specify a preference of which among several installed versions to use, so a hacker will of course specify an old one with a vuln in the hope that it has not yet been removed.