Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Experts urge PC users to disable Java, cite security flaw
reuters.com ^ | Jan 10, 2013 5:06pm EST | Jim Finkle

Posted on 01/10/2013 2:51:44 PM PST by alancarp

[No quote due to Reuters source. Title is accurate representation of article. Please see link.]

(Excerpt) Read more at reuters.com ...


TOPICS: Business/Economy; Culture/Society; Technical
KEYWORDS: computers; java; oracle; security

1 posted on 01/10/2013 2:51:52 PM PST by alancarp
[ Post Reply | Private Reply | View Replies]

To: alancarp

I uninstalled Java several months ago. I only had one program that needed it, and I figured out another program to use for that task.

Remember that Java and JavaScript are two different things from different companies.

These two podcasts will get anyone who wants it up to speed, even though they’re a few months old.

http://www.grc.com/sn/sn-367.htm
http://www.grc.com/sn/sn-368.htm


2 posted on 01/10/2013 3:00:32 PM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

3 posted on 01/10/2013 3:03:20 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AdmSmith; Big Giant Head; grey_whiskers; Brandybux; dfwright; Bikkuri; Dacula; BuddaBudd; mbj; ...

4 posted on 01/10/2013 3:03:44 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp

“machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.”

Yikes! I wish the article was more specific about the kind of damage the “attacks” do. I am only speculating that more harm could be done to older versions of Windows in particular, such as hiding entries in the Windows Registry.


5 posted on 01/10/2013 3:07:40 PM PST by TexasRepublic (Socialism is the gospel of envy and the religion of thieves)
[ Post Reply | Private Reply | To 1 | View Replies]

To: MarineBrat

Perhaps this might be a good time to review how to uninstall in Windows, Mac and Linux?

(saying that partly, from personal lack of experience at it)


6 posted on 01/10/2013 3:07:54 PM PST by Cringing Negativism Network
[ Post Reply | Private Reply | To 2 | View Replies]

To: Cringing Negativism Network

How do I uninstall Java on my Windows computer?
http://www.java.com/en/download/uninstall.jsp

How do I uninstall Java 7 for my Mac?
http://www.java.com/en/download/help/mac_uninstall_java.xml

Here’s a useful page provided by Mozilla to check to see if you’re up to date with your browser plugins.

https://www.mozilla.org/en-US/plugincheck/


7 posted on 01/10/2013 3:14:31 PM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 6 | View Replies]

To: MarineBrat

Thank you very much.


8 posted on 01/10/2013 3:17:26 PM PST by Cringing Negativism Network
[ Post Reply | Private Reply | To 7 | View Replies]

To: MarineBrat

Thank you, MarineBrat!


9 posted on 01/10/2013 3:18:09 PM PST by Zuben Elgenubi
[ Post Reply | Private Reply | To 7 | View Replies]

To: MarineBrat

Firefox says that I have Java Deplyment Tool Kit.
Should I uninstall that?
It is the only reference to Java on my Windows XP
Thanks


10 posted on 01/10/2013 3:24:15 PM PST by AlexW
[ Post Reply | Private Reply | To 7 | View Replies]

To: alancarp

Nothing like throwing the baby out with the bathwater. The referenced problem is with Java browser plugins, not standalone Java. Yes, standalone Java probably has other security issues, but some of us need it and it is not nearly as exposed. In fact, I need the plugin, also, but haven’t yet decided what action to take if any.


11 posted on 01/10/2013 3:33:44 PM PST by steve86 (Acerbic by Nature, not Nurture™)
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp
Here's the source of the FUD: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ with this screen shot:

Does it make sense to request an exe with your browser? No. I suppose it could be an obfuscated link in a web page. But how does it involve java?

12 posted on 01/10/2013 3:38:51 PM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 1 | View Replies]

To: AlexW

Before you uninstall Java, you need to determine what programs it might impact.

IIRC, and maybe it was only earlier versions, but Firefox used to require Java. That may have been some of the add-ons, but I recall getting messages to install or upgrade Java when I upgraded Firefox.

Many web pages require Java. My cable ISP email requires it for HTML mode.

I have several Windows programs that require Java.

==

Without more information of this ‘threat’, I am not going to be too concerned about it. If it is serious, Oracle will probably release an upgrade to Java soon.


13 posted on 01/10/2013 3:40:52 PM PST by TomGuy
[ Post Reply | Private Reply | To 10 | View Replies]

To: palmer

Upon further reflection, maybe the screen shot is the end of exploit where the java is now requesting some program to run via the browser. I believe java is allowed to make outgoing http connections to fetch data that it might need. I suppose a buggy version could fetch an exe and run it...


14 posted on 01/10/2013 3:47:08 PM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 12 | View Replies]

To: palmer
But how does it involve java?

If you follow the link to http://malware.dontneedcoffee.com/ you can clearly see how java is involved.

15 posted on 01/10/2013 3:48:27 PM PST by steve86 (Acerbic by Nature, not Nurture™)
[ Post Reply | Private Reply | To 12 | View Replies]

To: alancarp

Additional detail over at Ars-
http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/


16 posted on 01/10/2013 3:49:54 PM PST by Slainte
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp

Techie bookmark.


17 posted on 01/10/2013 3:59:28 PM PST by Sergio (An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sergio

bump


18 posted on 01/10/2013 4:03:45 PM PST by Chickensoup (200 million unarmed people killed in the 20th century by Leftist Totalitarian Fascists)
[ Post Reply | Private Reply | To 17 | View Replies]

To: steve86

nope I don’t see it. It doesn’t have much more than the screenshot I posted. The only other relevant screenshot they show is the browser asking for some jar file, presumably that’s what has the bad java in it. Then the renegade java asks for an exe and runs it.


19 posted on 01/10/2013 4:06:41 PM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 15 | View Replies]

To: alancarp

I’ve been advising friends consider running their web browsers in a Sandbox via Sandboxie. http://www.sandboxie.com/

I run my browser in Sandboxie but, also on a non-persistent (load only) RAMdrive too (using Primo Ramdisk). It’s faster running from a ramdisk, and probably one of the most secure configs possible on Windows.


20 posted on 01/10/2013 4:12:55 PM PST by brandon24
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp

Bookmark.


21 posted on 01/10/2013 4:12:55 PM PST by The Cajun (Sarah Palin, Mark Levin......Nuff said.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Slainte

I still don’t see it. The linked page says almost nothing and the link on the linked page (Kaspersky) doesn’t say much either.


22 posted on 01/10/2013 4:18:50 PM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Chickensoup

I have a mac. But I also have clicktoflash installed in Safari and that blocks any java (along with any flash) from running until I click on it to tell it to run. The basic use is to stop animated crap, usually ads, but IMO all animations are crap unless I say otherwise. It will stop malware too.


23 posted on 01/10/2013 4:23:33 PM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 18 | View Replies]

To: alancarp

This is a serious threat that probably all versions of java are susceptible to but since it is carried out via a web browswer plugin all you need to do is to disconnect your java plugin from your browser as detailed here - https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

In my case I do have a mission-critical app (java plugin based) that I need for my job but in my case I use firefox for that app and google chrome for everything else. The server for the app is behind a firewall so I’m going to bet that I’m OK there. So I’ll unplug java from google-chrome and leave it on on firefox and hopefully that’s ok. I’m also on linux which may have a measure of security through obscurity. (Or not).

I thought that maybe updating to java 1.7(10) might afford some protection but it most definitely does not. So far there is no known version of java that is without this security hole.

Unplug java from your browsers - it just takes a few seconds. I guess to be ultra safe one could uninstall java completely - I just cannot afford to do that unfortunately.


24 posted on 01/10/2013 4:31:58 PM PST by 2 Kool 2 Be 4-Gotten
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer

caca edit? Ya gets whut ya pays fer.


25 posted on 01/10/2013 4:36:23 PM PST by rawcatslyentist ("Behold, I am against you, O arrogant one," Jeremiah 50:31)
[ Post Reply | Private Reply | To 12 | View Replies]

To: alancarp

mark for home


26 posted on 01/10/2013 4:40:53 PM PST by The Mayor ("If you can't make them see the light, let them feel the heat" — Ronald Reagan)
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp
meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.
27 posted on 01/10/2013 4:41:05 PM PST by roamer_1 (Globalism is just socialism in a business suit.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: TomGuy; AlexW

>>Many web pages require Java.

You’re thinking of JavaScript, which is bundled into every browser. IE, FireFox, Chrome, etc... all have their own JavaScript.

Java is a programming language that may be required to run certain programs, but primarily it’s a vector that viruses use to get into your system. Very few programs require actual Java to be installed.

It’s perfectly safe to uninstall Java from your Control Panel. Disable Java Deployment Toolkit from your browser also if you like... though once Java is uninstalled the Deployment Toolkit is defanged. If you find that you have a program that actually requires Java, simply go to java.com and reinstall it.


28 posted on 01/10/2013 5:45:56 PM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 13 | View Replies]

To: roamer_1

>>>meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.

Exactly! I’ve been calling for people to do that for years now. Firefox with NoScript is the way to go. I end up having to do a little extra training of people, but it pays off in the long run. There’s also ScriptNo for Chrome, though I don’t have any experience with that.

In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

The two SecurityNow! links I posted above are a great resource for Java security.


29 posted on 01/10/2013 5:52:50 PM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 27 | View Replies]

sfl


30 posted on 01/10/2013 6:40:02 PM PST by phockthis (http://www.supremelaw.org/fedzone11/index.htm ...)
[ Post Reply | Private Reply | To 1 | View Replies]

Tells you if JAVA is installed/working and has a link to simple instructions on how to disable it in your browser:
http://www.java.com/en/download/testjava.jsp


31 posted on 01/10/2013 7:04:15 PM PST by mrsmith (Dumb sluts: Lifeblood of the Media, Backbone of the Democrat Party!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce; LucyT

Thanks for the warning!

_______

An FYI PING!


32 posted on 01/10/2013 8:05:54 PM PST by Graewoulf ((Traitor John Roberts' Commune Obama"care" violates Anti-Trust Laws, AND the U.S. Constitution.))
[ Post Reply | Private Reply | To 4 | View Replies]

To: alancarp; a fool in paradise; Slings and Arrows
THIS JUST IN:

PC Users Urge Humans to Disable Experts!


33 posted on 01/10/2013 8:09:42 PM PST by Revolting cat! (Bad things are wrong! Ice cream is delicious!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: alancarp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Awareness System

US-CERT Alert TA13-010A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: January 10, 2013
Last revised: --

Systems Affected

    Any system using Oracle Java 7 (1.7, 1.7.0) including

    * Java Platform Standard Edition 7 (Java SE 7)
    * Java SE Development Kit (JDK 7)
    * Java SE Runtime Environment (JRE 7)

    All versions of Java 7 through update 10 are affected.  Web
    browsers using the Java 7 plug-in are at high risk.


Overview

  A vulnerability in the way Java 7 restricts the permissions of Java
  applets could allow an attacker to execute arbitrary commands on a
  vulnerable system.


Description

  A vulnerability in the Java Security Manager allows a Java applet
  to grant itself permission to execute arbitrary code. An attacker
  could use social engineering techniques to entice a user to visit a
  link to a website hosting a malicious Java applet. An attacker
  could also compromise a legitimate web site and upload a malicious
  Java applet (a "drive-by download" attack).

  Any web browser using the Java 7 plug-in is affected. The Java
  Deployment Toolkit plug-in and Java Web Start can also be used as
  attack vectors.

  Reports indicate this vulnerability is being actively exploited,
  and exploit code is publicly available.

  Further technical details are available in Vulnerability Note
  VU#625617.


Impact

  By convincing a user to load a malicious Java applet or Java
  Network Launching Protocol (JNLP) file, an attacker could execute
  arbitrary code on a vulnerable system with the privileges of the
  Java plug-in process.


Solution

  Disable Java in web browsers

  This and previous Java vulnerabilities have been widely targeted by
  attackers, and new Java vulnerabilities are likely to be
  discovered. To defend against this and future Java vulnerabilities,
  disable Java in web browsers.

  Starting with Java 7 Update 10, it is possible to disable Java
  content in web browsers through the Java control panel applet. From
  Setting the Security Level of the Java Client:

  For installations where the highest level of security is required,
  it is possible to entirely prevent any Java apps (signed or
  unsigned) from running in a browser by de-selecting Enable Java
  content in the browser in the Java Control Panel under the Security
  tab.

  If you are unable to update to Java 7 Update 10 please see the
  solution section of Vulnerability Note VU#636312 for instructions
  on how to disable Java on a per browser basis.


References

* Vulnerability Note VU#625617
  <http://www.kb.cert.org/vuls/id/625617>

* Setting the Security Level of the Java Client
  <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html>

* The Security Manager
  <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

* How to disable the Java web plug-in in Safari
  <https://support.apple.com/kb/HT5241>

* How to turn off Java applets
  <https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

* NoScript
  <http://noscript.net/>

* Securing Your Web Browser
  <https://www.us-cert.gov/reading_room/securing_browser/#Safari>

* Vulnerability Note VU#636312
  <http://www.kb.cert.org/vuls/id/636312#solution>


Revision History

 January 10, 2013: Initial release

____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA13-010A Feedback VU#625617" in
  the subject.
____________________________________________________________________

  Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA13-010A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUO83IXdnhE8Qi3ZhAQLdxQf6A2LhLrArDieg41fxTuIViOXbgH6fZrDt
6bODaZIeTcvQfMMURbUb8MnTQEe7ogNbytb+XQaEzXE6A0YMdWp+93TxFy80wUI0
VpF0lBDwNyeAlwtzicLSQa5oa5Me0k5KPVUn9/mFJZh5Ff0cYjW1dt8dfXJUbH9/
OZ6ZJsnJchymJFlVax3Y87yZh9fPQC4n6dJ86CdLXqC9GaBihgBd1DUpborfWYoR
njvrtbcX+7iy+J8fS2C8/JtnQ5M+uilvqxrdU/Z9SdmebIF5HQjafLae9OmwH7Te
nxUcwwmuNqIA1Y9aN2DrStv+HnTi121DIxyaVgNOKjPnO/t5mDPKlw==
=xi3d
-----END PGP SIGNATURE-----
34 posted on 01/10/2013 9:55:26 PM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer

I’m not sure what you’re expecting to see?

An executable can be run remotely on the compromised system. In the screenshot, they fired off the Windows calculator to prove the concept, but the point is once Java has been compromised code other than Calc can be executed.

The Kaspersky site talks about how the vulnerability is exploited. Java is compromised after hitting a site that has the code for one of the mentioned exploit kits, such as Blackhole. Kaspersky says they are seeing multiple ad networks pointing to these sites, as well as some weather and news sites, etc. So there’s potential exposure to the vulnerability from a variety of sites.


35 posted on 01/10/2013 10:15:39 PM PST by Slainte
[ Post Reply | Private Reply | To 22 | View Replies]

To: Slainte
The Kaspersky site talks about how the vulnerability is exploited. Java is compromised after hitting a site that has the code for one of the mentioned exploit kits, such as Blackhole.

Sort of. The blackhole and other exploit kits are used to build an exploit. That exploit is packaged into a jar and hosted on a website. The web page itself will have one of those gray squares on it, and on my browser that's where it ends because I have clicktoflash. The website hosting the exploit and the web page with the Java applet itself is either malicious or compromised.

It has always been the case since the beginning of the web that if you go to a malicious or compromised site you can get pwned. Those sites are typically porn, but also scamware and various out-of-mainstream sites particularly overseas (although they can easily get a ".com" address if they want to). The point is that someone malicious has made the site and has to attract you to go there.

If anyone put up a link to a site like that here, they would be called out (and should be banned for at least carelessness). If you visit sites like news and weather they will NOT have links to such sites unless they are very poorly operated or malicious themselves. Other sites coming up on Google search results are less certain, but Google will often warn about scam sites. Also searching for porn or things like that are going to bring up those hits much more likely than legitimate topics.

So the bottom line is the same old same old. If you click on a malicious site you may get pwned, perhaps more easily with Java, but there are plenty of other vulnerable plugins. You may have heard of Adobe reader, I don't use it. Or flash? I don't use it either except when I allow it (by click-to-flash).

36 posted on 01/11/2013 3:21:17 AM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 35 | View Replies]

To: MarineBrat
[roamer_1:] meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.

Exactly! I’ve been calling for people to do that for years now. [...]

In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

I dunno... without java and flash, the interwebs are pretty dang boring. I'll just stick to NoScript. Thanks though! : )

Incidentally, since we are talking about java, another really good tip is to uninstall ALL versions except the most current one - It has long been a pet peeve of mine that java's installer doesn't clean up (uninstall) previous versions on install. One can have many instances of JRE installed on the same dang machine.

Even when this bug is fixed (which will be pretty much immediately), The exploit remains because the old versions remain, and IIRC, can be called exclusively.

The uninstall process can be laborious if never done before, but is possible through normal means ('A&R Programs' in win9x-XP, 'Programs & Features' in vista-Win7), just uninstall every instance of Java except the most current one (the one with the highest version and build number).

OR, One can use a free and nifty aftermarket java maintenance utility, JavaRa, which will automate the process (among other utility features). This is a great tool for any service tech's toolkit.

37 posted on 01/11/2013 7:46:47 AM PST by roamer_1 (Globalism is just socialism in a business suit.)
[ Post Reply | Private Reply | To 29 | View Replies]

To: roamer_1
TFS: In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

ROAMER_1: I dunno... without java and flash, the interwebs are pretty dang boring.

Which is why I didn't advocate uninstalling flash, though hopefully HTML5 will soon make Flash obsolete (and the many vulnerabilities that come with it). Java does nothing for web site browsing. Literally... nothing. Web browsers are all bundled with their own JavaScript, which is what makes websites work. JavaScript is not Java. They are different things with similar names. Java is not needed for an interesting web experience. Uninstall it and you will see no difference on the web.

Now if you visit sites that want you to download and execute programs written in Java, then that's a different story. But those sites are extremely rare.

38 posted on 01/11/2013 8:36:03 AM PST by MarineBrat (Better dead than red!)
[ Post Reply | Private Reply | To 37 | View Replies]

To: alancarp

No comment from Oracle anywhere.

http://www.kb.cert.org/vuls/id/625617

Why can’t the DHS go after the people who they KNOW are onto this...?? This is such nonsense.

It’s as if a rumor got around that a couple people figured out how to make a key that opens almost all doors. So instead of going after the few people who made the key, which is what they should be doing, the government tells us to lock ourselves behind our own doors - and then remove the lock.

Now everyone panics thinking they 1) have Java installed and 2) are first in line to be exploited. I’m an IT consultant and I work on quite a few networks with this stuff installed. I guess I’ll need to keep reading up on the severity of this before I start disabling everything and warning all my clients (before they all start hounding me about it), because the recommendation from DHS is not satisfactory enough for me. No comment from Oracle as far as I can tell...


39 posted on 01/12/2013 6:33:14 AM PST by bryan999
[ Post Reply | Private Reply | To 1 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson