  1. #1
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts

    Yet another Java exploit

    This is beginning to get tedious: (yet) another Java zero-day exploit is in the wild.

    This one appears to have been floating around for a few days (but has just been publicly disclosed) and has been adopted by some of the more troublesome malware toolkits such as Blackhole. It affects all versions up to and including the latest version (Java 7 Update 10). This makes it rather more serious and dangerous. There are posts on various "grey" sites demonstrating real world exploits in use right now.

    Here's a quick guide to disabling Java plugins in the browser as a quick patch until Oracle can do something more permanent.

    Even easier though: if you have Java 7 Update 10, you can open the Java Control Panel and un-tick the Enable Java content in browser setting under the Security tab....

    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  2. #2
    Plutonium Lounger Medico's Avatar
    Join Date
    Dec 2009
    Location
    USA
    Posts
    12,625
    Thanks
    161
    Thanked 930 Times in 851 Posts
    I'm glad I uninstalled Java long ago. I do not miss it at all.
    BACKUP...BACKUP...BACKUP
    Have a Great Day! Ted


    Sony Vaio Laptop, 2.53 GHz Duo Core Intel CPU, 8 GB RAM, 320 GB HD
    Win 8 Pro (64 Bit), IE 10 (64 Bit)


    Complete PC Specs: By Speccy

  3. #3
    New Lounger
    Join Date
    Sep 2011
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    What about larger organizations?

    I can't walk around to every station and uncheck that box, is there a group policy setting for this?

  4. #4
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    20,517
    Thanks
    1
    Thanked 614 Times in 550 Posts
    Quote Originally Posted by DanGuzman View Post
    I can't walk around to every station and uncheck that box, is there a group policy setting for this?
    See Java Group Policy Network Settings for an approach to setting Java properties. Not sure if that property is in the configuration file mentioned - Deployment Configuration File and Properties.

    Joe
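
For the group-policy question above, an added example (not part of the thread or of Oracle's tooling): a small auditor that reads the system-level and user-level `deployment.properties` text and reports whether the browser plugin is switched off and locked. It relies on the `deployment.webjava.enabled` property and the `.locked` suffix from Oracle's deployment properties for Java 7 Update 10 onward; the precedence model (user value wins unless the system file locks the key) and the sample file contents are assumptions to check against Oracle's documentation.

```python
import re

KEY = "deployment.webjava.enabled"  # browser-plugin switch, Java 7u10 and later

# The first unescaped '=' or ':' separates key from value in .properties syntax.
_SPLIT = re.compile(r"^((?:\\.|[^=:\\])*?)\s*[=:]\s*(.*)$")

def parse_properties(text):
    """Parse the key=value subset of .properties (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = _SPLIT.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        props[key] = re.sub(r"\\(.)", r"\1", value)   # undo \: and \\ escapes
    return props

def browser_java_status(system_text, user_text=""):
    """Resolve the effective plugin setting (assumed precedence, see lead-in)."""
    system, user = parse_properties(system_text), parse_properties(user_text)
    locked = KEY + ".locked" in system
    if KEY in system and (locked or KEY not in user):
        value, source = system[KEY], "system"
    elif KEY in user:
        value, source = user[KEY], "user"
    else:
        value, source = "true", "default"    # plugin is on when nothing is set
    enabled = value.strip().lower() != "false"
    # Compliant only when the admin file disables the plugin and locks the key.
    compliant = (not enabled) and locked and source == "system"
    return {"enabled": enabled, "locked": locked,
            "source": source, "compliant": compliant}

# Constructed sample file contents, not taken from any real machine.
SYSTEM_LOCKED = """\
# system-level deployment.properties pushed by the administrator
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""
SYSTEM_UNLOCKED = "deployment.webjava.enabled=false\n"
USER_OVERRIDE = "deployment.webjava.enabled=true\n"

if __name__ == "__main__":
    for name, sys_text in (("locked", SYSTEM_LOCKED), ("unlocked", SYSTEM_UNLOCKED)):
        print(name, browser_java_status(sys_text, USER_OVERRIDE))
```

Getting the system-level file onto each workstation (for example through a Group Policy file preference or a login script) is a separate step that this script does not perform.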

  5. #5
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,306
    Thanks
    138
    Thanked 113 Times in 97 Posts
    Another Java Scare Story


    Chicago Tribune Headline -- Homeland Security Urges Computer Users to Disable Java -- WAIT A Minute!!


    Homeland Security really only said:


    "To defend against this and future Java vulnerabilities, disable Java in Web browsers."


    That's the Java Runtime (JRE) browser plugins only. Hardly anything on the Web runs on these. This is not javascript, and not an issue with Java Apps.

    TintoTech is correct:


    Even easier though: if you have Java 7 Update 10, you can open the Java Control Panel and un-tick the Enable Java content in browser setting under the Security tab....

    And no, BruceR, javascript is NOT Java. I just thought I'd pre-empt a repeat of a previous useless challenge and rebuttal string from another Lounge thread.
    Last edited by bobprimak; 2013-01-11 at 23:01.
    -- Bob Primak --

  6. #6
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,754
    Thanks
    80
    Thanked 339 Times in 306 Posts
    Quote Originally Posted by bobprimak View Post
    And no, BruceR, javascript is NOT Java. I just thought I'd pre-empt a repeat of a previous useless challenge and rebuttal string from another Lounge thread.
    You have a lousy memory. Our discussion of JavaScript was because you said Sun sued over the name; which they didn't because they owned and licensed the name.

    I had pointed out the difference many times before you jumped on the bandwagon:

    Quote Originally Posted by BruceR View Post
    It's not really Java though, but JavaScript, which is a bit different: Java vs. JavaScript: Similarities and Differences
    Quote Originally Posted by BruceR View Post
    ... because javascript and java are two totally different things,
    Quote Originally Posted by BruceR View Post
    It's possible to disable Java use from a browser but leave it installed for use by a trusted program.

    Most webmail sites require Javascript to be enabled ("Active Scripting" in Internet Explorer), but that is different from Java (applets, often animations or games).
    Bruce

    P.S. You must be missing the useful challenges and non-rebuttals badly to drag up ancient history out of the blue for no apparent reason.

  7. The Following User Says Thank You to BruceR For This Useful Post:

    cipher (2013-01-17)

  8. #7
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    4,743
    Thanks
    67
    Thanked 544 Times in 492 Posts
    I wouldn't panic over this. Remember, to be impacted by this, all of the following have to happen:
    1. An exploit based on the flaw has to be released. I know of none so far, but it is likely in the future.
    2. You have to be running out of date Java once Oracle releases a patch to close the flaw. This should be done shortly. I recommend leaving the Java autoupdate app in Windows startup if you use Java.
    3. You have to visit a web site employing the flaw, usually part of the web's dark side - porn or illegal download sites.
    4. Your security software doesn't cover the malware in question.

    With good web habits and keeping Java up to date, I believe you can safely use Java. I have used it for years without a problem and plan to continue to use it. Of course, if the web sites you visit work fine without Java, there's no need to have it installed. But if you enjoy a Java web site, there's no reason to panic.

    Jerry

  9. #8
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    I'm not sure I completely agree on all of those points, Jerry.

    100% agree: I don't think there is a need to panic, but I believe sensible precautions can be recommended. If those precautions impact on daily use of the machine they can be rolled back and the user make an informed judgement on how to proceed.

    It should be borne in mind that this particular vulnerability is being exploited in the wild right now. It has also been ported to some of the more widely used malware tools and so we can expect that it will be seen much more frequently in the future.

    Yes, for the most part these exploits will turn up on sites that have a certain "niche following", but one shouldn't discount the possibility of them being dropped onto more mainstream sites that have been compromised, or being packaged with malvertising that exploits vulnerabilities in Flash etc.

    I do think it correct to employ a multi-layered security model that, among other items, includes keeping Java up to date as automatically as possible. The trouble with that one is that often the Oracle update release process is a slow beast to watch and often users have been "educated" or perhaps more accurately "scared" into not clicking on any pop up windows. I have seen machines that are prompting to update Java and Adobe products from way back when, but the user refuses to update because they are worried that the pop up is actually a threat.

    Just as important as knowing how to stay safe is knowing how to react if a threat does present itself. Regular automated image based backups, coupled with the knowledge of how to use them is a powerful thing...but sadly, you and I know from experience how few people protect themselves properly.
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  10. #9
    New Lounger
    Join Date
    Nov 2010
    Location
    Florida
    Posts
    22
    Thanks
    0
    Thanked 1 Time in 1 Post
    Java 7 update 11 is now available.

  11. The Following User Says Thank You to Rothie For This Useful Post:

    Tinto Tech (2013-01-13)

  12. #10
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Quote Originally Posted by Tinto Tech View Post
    ...often the Oracle update release process is a slow beast to watch
    Quote Originally Posted by Rothie View Post
    Java 7 update 11 is now available.
    There you go, famous last words again!
    In God we trust; all others must bring data.

    - William Edwards Deming. 1900 - 1993

  13. #11
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    4,743
    Thanks
    67
    Thanked 544 Times in 492 Posts
    When a vulnerability is as well publicized as this one, Oracle and the security apps tend to respond quickly. Your original statement probably applies to the non-publicized issues.

    Jerry

  14. #12
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    2,754
    Thanks
    80
    Thanked 339 Times in 306 Posts
    Quote Originally Posted by bobprimak View Post
    "To defend against this and future Java vulnerabilities, disable Java in Web browsers."


    That's the Java Runtime (JRE) browser plugins only. Hardly anything on the Web runs on these.
    Try telling five million Danes.

    Bruce

  15. #13
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    4,743
    Thanks
    67
    Thanked 544 Times in 492 Posts
    Note that in Windows 8, you have to do a Restart after installing the latest Java patch to complete its install. A Windows 8 Hybrid Shut Down won't work.
    Check Control Panel > Java > General Tab > About Button. It should read "Version 7 Update 11".

    Jerry

  16. #14
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    20,517
    Thanks
    1
    Thanked 614 Times in 550 Posts

  17. #15
    Super Moderator jwitalka's Avatar
    Join Date
    Dec 2009
    Location
    Minnesota
    Posts
    4,743
    Thanks
    67
    Thanked 544 Times in 492 Posts
    I stand by my personal view that if you don't need Java on any of your Web pages, uninstall it. If you have a Java game or a web page you enjoy, keep Java and your security software up to date, use common sense before clicking on links and don't lose any sleep over it. As Tinto alluded to earlier, a good backup regimen is also recommended but that is not just because of Java threats.


    Jerry
