Disable Java NOW, users told, as 0-day exploit hits web
A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version 1 …
Re: Such as?
That's not entirely accurate. Android will still run Flash, but for it to run Adobe has to certify the hardware it is running on. If Adobe hasn't certified that specific hardware it will just cancel the installation.
"how will the picture be better when cross-platform HTML 5 and HTML 5 video are standard"
The problem with Java and flash is that there is one single company with one single codebase that covers every implementation. If there is a security hole, it affects everyone.
HTML5 does not suffer from that issue, there are separate codebases for IE, Firefox, Safari and Chrome. An HTML5 bug in Firefox will not affect Chrome. An HTML5 bug in IE will not affect Safari. OK, Chrome also uses Webkit, so depending on what the bug is it might affect both Safari and Chrome, but at least that's not everyone.
This is important because if there is a bug announced tomorrow that affects every version of Java (rather than fortunately affecting only 1.7.x like this 0-day exploit) and you MUST run Java as some people here have reported they must, you are effectively screwed. If you MUST run HTML5 and there's a nasty 0-day in Firefox, you have the option to safely use IE or Chrome until Firefox is updated.
Re: "It's a good thing cross platform stuff ..."
Not true, cross platform is a good idea BUT the machine specific environments, within which the cross platform software runs, need to be secure.
Developing once for many environments is a huge benefit for developers.
Sun need to make Java environments safe.
"Sun need to make Java environments safe"
THEY CANNOT! Java has been around for how many years, and we still see these types of attacks! It will NEVER be secure, unless they use virtualization technology so that the isolation is enforced by hardware rather than software.
I rolled back to version 1.6 until there's a fix. I've got to have my Pogo.com. NoScript for Firefox is handy to have too.
I'm pretty sure you can still run NoScript with the JRE plugin disabled.
NoScript
"I'm pretty sure you can still run NoScript with the JRE plugin disabled."
I suspect the OP's point was that NoScript will block applets from non-whitelisted sites unless you tell it to allow them, so you can restrict the JRE plugin to sites you trust. That mitigates the risk of Java-in-the-browser, though it certainly doesn't eliminate it.
Personally, I find Java useful in some domains (I use it for much of my Natural Language Processing research, for example), but I rarely want to run it in the browser. So NoScript's whitelisting is a good solution for me.
This is old news
Java has been disabled on all my boxes for years now.
another one?
Java always has and always will be vulnerable. I have no use for it at home but WebEx etc. at work necessitate it; I use FF for normal browsing, sans Java, and use the exploder only for apps I know are clean... and in this context, 'apps' is actually pretty much correct as Java apps have always been 'apps', right? Not like this trendy "every program is an app".
I'd put money on the IT department at work doing sweet fa about this.
Pint because the weekend can't come too soon.
Re: another one?
"Pint because the weekend can't come too soon."
A sad comment for a Tuesday morning. : (((
Re: another one?
"I'd put money on the IT department at work doing sweet fa about this."
The circuit of fail:
The main reason an IT department is needed is because there is an IT department - i.e.: 80% of the problems are internally created; the rest are produced by Larry Ellison, CISCO or God (in that order) over which we have no influence, time & circumstance will cure those.
Re: IcedTea?
If it's based on OpenJDK - which I'm pretty sure it is, then no. It appears to be a regression specific to Oracle's distribution of 1.7
Not so easy
Not so easy to disable java if you're a java developer!
Re: Not so easy
Don't know - our offshore team seem to get by coding java using only notepad...
Re: Not so easy
For "off shore development team" read "root access malware portal".
I have yet to see an offshore op that has revised its audit and change control to reflect the additional risk exposures to insider threats.
Re: Not so easy
Disable Java plugins in the browser! and then only run your apps locally... Sorted...
Re: Not so easy
Who cares? The thing what bringeth the bonus is the cost reduction from "off shoring" ... for the savvy IT manager with an eye on the Game, not the Ball, a decent attack is an opportunity to secure additional resources and headcount, the raw material for another round of cost-cutting and personal pay increase ;-)
roll back
As long as you don't need 1.7 you can roll back to the latest version of 1.6
1.6 is still supported and receiving security patches on the same 4 month schedule.
Have not run Java @ home for years now
Not found a single instance when it's been needed for home apps. Work another story unfortunately.
Unfortunately Flash is still required for most "educational" websites.
Cross platform IE *non* Windows specific is exactly the spirit of the Web.
But it looks like Java is one of those languages that is not "too simple to have a bug in" but "too complex to find a bug simply".
<sigh>
All very well harping on about "disable Java!!!11" but it's heavily used on corp desktops where web app access is secured via smart card. In those situations you can't simply disable it or your whole business falls over.
Once again, thank you NoScript
Frankly, I'm beginning to think that Firefox and noScript should become mandatory by law.
If that ever did happen though, then this almost-perfect shield would become the hard target for all the miscreants and issues would be found.
So let the rabble continue with IE and zero protection. I'll just glide by, blissfully oblivious to the carnage until an article like this wakes me up to the fact that there are still people who don't know how to surf securely.
<disclaimer>this post concerns private use of Internet only - I am very well aware that professionals have a different set of problems, mainly that of not being able to choose their work platform</disclaimer>
Re: Once again, thank you NoScript
You may want to look at a recent article that shows Firefox more vulnerable to certain attacks (Tesco article) than IE.
add that to the fact it's dog slow to launch...
Me, I use most of them: IE9, FF, Opera, Iron.
Yet to find one that works 100% of the time, so I use the best for the job.
Re: Once again, thank you NoScript
Don't you hate the time between someone sitting acting smug thinking they are bullet proof and the time when malware comes out that bypasses their impenetrable security like a hot knife through butter.
Re: Once again, thank you NoScript
Erm, but Firefox has had more recent security vulnerabilities than current versions of IE....
"Frankly, I'm beginning to think that Firefox and noScript should become mandatory by law."
Why don't you just use Lynx?
I'm not "sitting smug"
I am aware of threats and I know perfectly well that no platform, anywhere, anytime, is immune against problems.
I also have a brain and use it every time I click on a link.
That said, since I have started using Firefox with AdBlock and NoScript all those years ago, I have not once been infected by anything. That is fact, not smug, and if you don't like it I don't care.
I will continue to use Firefox/NoScript whilst keeping up-to-date about its issues and keeping it up-to-date as well because I trust it and it has never failed my trust yet.
But that does not mean I will click blindly on any link that I see or get sent to my mail.
The day IE has NoScript, I might take it for a whirl outside the very small list of URLs I let it see at this time, but until then, my general surfing will be done on Firefox, because it works.
If using a tool because it works is being smug, then so be it, I'm smug.
My PC is virus-free too.
Then again
Having re-read my initial post, I have to admit that it does sound a bit smug.
So be it, guilty as charged.
But still virus-free.
Re: I'm not "sitting smug"
Maybe you should reread your original post. If you can't see the smug in there your ego has blinded you. For that matter, reread your response as well.
Re: Once again, thank you NoScript
Dog slow to launch? Doesn't everyone + dog have an SSD these days?
Don't visit compromised web sites
And hope that your favourite web site isn't attacked and compromised, such as through the adverts.
The linked article mentions news from elsewhere ("VulnDisco") of a zero-day exploit as of 10-Aug-2012, and I'm not sure if it's a different one. The one that they're talking about affects Java 7 (or 1.7) up to and including the latest Update 6, but does not affect Java 6 (or 1.6).
http://en.wikipedia.org/wiki/Java_version_history says that a Java 6 Update 34 was released on 14-Aug-2012 and that might beat the possible second exploit, too - although this release may have been available to hackers before the general public, too.
Really the need is to extend your exposed surface only where it is safe AND necessary to do so. That is - only accept plugin content from a limited set of web sites that you want to use. But I only know the Opera web browser's mechanism for doing that, site by site, and you can't just tell everyone to use Opera. Well... you could...
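A quick check that follows from the roll-back advice above and the affected-range note in this post: an added example, not code from the article or from any commenter, that classifies `java -version` output against the range the thread reports (Oracle Java 7 up to and including Update 6 affected, Java 6 not affected). The sample outputs are constructed, the function name `java_status` and its status words are this example's own, and two choices here are assumptions rather than facts from the page: a 1.7 update above 6 is reported as "newer-than-thread" rather than as fixed, and OpenJDK builds go into a separate "openjdk-unreported" bucket because the thread itself disagrees about whether they are affected.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): classify the output
# of `java -version` against the version range reported in the thread.
# Assumptions, not from the page: the affected range is exactly Oracle
# Java 1.7.0 (GA) through update 6; a 1.7 update above 6 is "newer-than-thread"
# rather than "fixed"; OpenJDK builds are reported as "openjdk-unreported"
# because the thread does not agree on whether they are affected.

# java_status "<java -version output>"
# Prints exactly one word: affected, not-affected, newer-than-thread,
# openjdk-unreported or unknown.
java_status() {
    out=$1
    first=$(printf '%s\n' "$out" | head -n 1)

    # Expect a first line shaped like:  java version "1.7.0_06"
    case "$first" in
        *' version "'*'"'*) ;;
        *) echo unknown; return 0 ;;
    esac

    # OpenJDK announces itself either on the first line (newer builds) or in
    # the "OpenJDK Runtime Environment" line; keep it out of the Oracle verdict.
    case "$out" in
        openjdk*|*OpenJDK*) echo openjdk-unreported; return 0 ;;
    esac

    ver=${first#*\"}        # drop everything up to the opening quote
    ver=${ver%%\"*}         # drop the closing quote and anything after it
    major=${ver%%_*}        # 1.7.0_06 -> 1.7.0
    update=${ver#*_}        # 1.7.0_06 -> 06  (unchanged if there is no "_")
    if [ "$update" = "$ver" ]; then
        update=0            # plain "1.7.0" is the GA release: update 0
    fi
    update=$(printf '%s' "$update" | sed 's/[^0-9].*$//')   # 05-icedtea -> 05

    case "$major" in
        1.7.0)
            if [ "${update:-0}" -le 6 ]; then
                echo affected
            else
                echo newer-than-thread
            fi
            ;;
        1.6.0|1.5.0|1.4.*) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Constructed sample outputs, shaped like what the three JVMs print.
SAMPLE_ORACLE7='java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
Java HotSpot(TM) 64-Bit Server VM (build 23.2-b09, mixed mode)'

SAMPLE_JAVA6='java version "1.6.0_34"
Java(TM) SE Runtime Environment (build 1.6.0_34-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.9-b04, mixed mode)'

SAMPLE_OPENJDK7='java version "1.7.0_05-icedtea"
OpenJDK Runtime Environment (IcedTea7 2.2.1) (7u5-2.2.1-1)
OpenJDK 64-Bit Server VM (build 23.0-b21, mixed mode)'

java_status "$SAMPLE_ORACLE7"    # affected
java_status "$SAMPLE_JAVA6"      # not-affected
java_status "$SAMPLE_OPENJDK7"   # openjdk-unreported

# Run with --live to classify the JVM on this host (java prints its version
# on stderr, hence 2>&1).
if [ "${1:-}" = "--live" ]; then
    java_status "$(java -version 2>&1)"
fi
```

Only the first line of the output is parsed for the version, so the check is deliberately conservative: anything it cannot read comes back as "unknown" rather than "not-affected", and a host with several JVMs installed needs the check run once per `java` binary, since `java -version` only reports whichever one is first on the PATH.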
Re: Don't visit compromised web sites
Adverts? Websites have those?
Is OpenJDK also affected?
Is anyone aware if this is a flaw in Sun/Oracle Java or is the OpenJDK 1.7 also affected?
Re: Is OpenJDK also affected?
According to the Ars article on this, they were only able to demonstrate this vulnerability on Linux by removing OpenJDK and replacing it with Oracle's official 1.7 distro (i.e. a pretty rare config on Linux these days)... so OpenJDK and 1.6 are ok.
Re: Is OpenJDK also affected?
Not sure about that - we run Oracle's JDK on Linux because the OpenJDK has its own issues, and because most of our clients are running Oracle's or IBM's.
For example, this one is OpenJDK specific and fatal for certain workflows. http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1013
Many Switches require Java also
A lot of switches in our DC use java to interface with them.
Also every KVM I have used (keyboard,mouse,video devices - not the amazing Linux virtualisation) also need java...
Procrastination pays!
I haven't updated any java runtime to 1.7... I haven't needed anything new since 1.5 save for patches. Hard work pays off eventually. Procrastination pays off immediately!
Could be some reluctance
Seems like the latest Java update for 1.7 on Windows also wants to uninstall any existing 1.6 installation. I'm guessing this was some bright spark's idea at Oracle to try and get the 1.7 migration going. This is going to really discourage people when a fix is released.
Problem for 3-D Secure?
Don't the Verified-by-Visa and Mastercard SecureCode use Java, as do some online banking sites?
As such, doesn't this create rather a large problem for them?
Re: Problem for 3-D Secure?
Yep, pretty much all online banking in Norway uses a Java based system as its preferred client ID verification.
That's the *only* reason I have Java installed anywhere at home. (I'm still on 1.6 too because the Java update system has never worked on Windows 7 - it seems to think I need to change the settings of my non-existent proxy server.)
Re: Problem for 3-D Secure?
Fucking hope so! I so hate that bloody crap!
Re: Problem for 3-D Secure?
Certainly Verified by Visa does *not* use Java (remember the only link between JavaScript and Java is in their names).
Re: Problem for 3-D Secure?
Norwegian Verified by Visa uses a Java applet and a paper set of one-time codes IIRC, so it's nothing to do with JavaScript.
Eeeh
So this exploit existing, doesn't automatically mean that all Java is suddenly a void of horrid death, right?
I mean - the java at my banks webpage isn't all of sudden a Chinese torture device, right?
Furthermore, so long as plug-ins are only activated when I activate them, then all those ghastly sites I visit on how to bake the perfect sponge-cake won't be able to run evil Java code, right?
If the answer to all of the above is: "Right!", then I should be fine...
So is it?
No...?
Depending on your browser, a plugin is likely to be active on -any- web site that wants to use it - or, if disabled, none.
Opera lets you specify plug-ins, Java, and scripting on or off by site, or, in other browsers, you can disable a plug-in until you need it, probably.
You also may be able to run your browser as different user names simultaneously, to have access to different user profiles with different session preference settings.
Re: No...?
Thank you kind sir! (have an upvote)
I should have of course mentioned my browser - but you figured that out all on your own :)
Can anyone please advise me ...
whether Java and Javascript are the same for the purposes of this safety warning?
And is it really true Flash is just as dangerous and Chrome is the only browser to make it safe by 'sandboxing' it as one of the commenters here wrote?
Thanks
Re: Can anyone please advise me ...
No, clearly not. If Javascript was the same as Java, it'd be called Java.
