Posted on 01/10/2013 2:51:44 PM PST by alancarp
[No quote due to Reuters source. Title is accurate representation of article. Please see link.]
(Excerpt) Read more at reuters.com ...
Bookmark.
I still don’t see it. The linked page says almost nothing and the link on the linked page (Kaspersky) doesn’t say much either.
I have a mac. But I also have clicktoflash installed in Safari and that blocks any java (along with any flash) from running until I click on it to tell it to run. The basic use is to stop animated crap, usually ads, but IMO all animations are crap unless I say otherwise. It will stop malware too.
This is a serious threat that probably all versions of Java are susceptible to, but since it is carried out via a web browser plugin, all you need to do is disconnect your Java plugin from your browser as detailed here - https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
In my case I do have a mission-critical app (Java plugin based) that I need for my job, but I use Firefox for that app and Google Chrome for everything else. The server for the app is behind a firewall, so I’m going to bet that I’m OK there. So I’ll unplug Java from Google Chrome and leave it on in Firefox, and hopefully that’s OK. I’m also on Linux, which may have a measure of security through obscurity. (Or not.)
I thought that maybe updating to java 1.7(10) might afford some protection but it most definitely does not. So far there is no known version of java that is without this security hole.
Unplug java from your browsers - it just takes a few seconds. I guess to be ultra safe one could uninstall java completely - I just cannot afford to do that unfortunately.
caca edit? Ya gets whut ya pays fer.
mark for home
>>Many web pages require Java.
You’re thinking of JavaScript, which is bundled into every browser. IE, Firefox, Chrome, etc... all have their own JavaScript.
Java is a programming language that may be required to run certain programs, but primarily it’s a vector that viruses use to get into your system. Very few programs require actual Java to be installed.
It’s perfectly safe to uninstall Java from your Control Panel. Disable Java Deployment Toolkit from your browser also if you like... though once Java is uninstalled the Deployment Toolkit is defanged. If you find that you have a program that actually requires Java, simply go to java.com and reinstall it.
>>>meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.
Exactly! I’ve been calling for people to do that for years now. Firefox with NoScript is the way to go. I end up having to do a little extra training of people, but it pays off in the long run. There’s also ScriptNo for Chrome, though I don’t have any experience with that.
In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.
The two SecurityNow! links I posted above are a great resource for Java security.
sfl
Tells you if JAVA is installed/working and has a link to simple instructions on how to disable it in your browser:
http://www.java.com/en/download/testjava.jsp
Thanks for the warning!
An FYI PING!
I’m not sure what you’re expecting to see?
An executable can be run remotely on the compromised system. In the screenshot, they fired off the Windows calculator to prove the concept, but the point is once Java has been compromised code other than Calc can be executed.
The Kaspersky site talks about how the vulnerability is exploited. Java is compromised after hitting a site that has the code for one of the mentioned exploit kits, such as Blackhole. Kaspersky says they are seeing multiple ad networks pointing to these sites, as well as some weather and news sites, etc. So there’s potential exposure to the vulnerability from a variety of sites.
Sort of. The blackhole and other exploit kits are used to build an exploit. That exploit is packaged into a jar and hosted on a website. The web page itself will have one of those gray squares on it, and on my browser that's where it ends because I have clicktoflash. The website hosting the exploit and the web page with the Java applet itself is either malicious or compromised.
It has always been the case since the beginning of the web that if you go to a malicious or compromised site you can get pwned. Those sites are typically porn, but also scamware and various out-of-mainstream sites particularly overseas (although they can easily get a ".com" address if they want to). The point is that someone malicious has made the site and has to attract you to go there.
If anyone put up a link to a site like that here, they would be called out (and should be banned for at least carelessness). If you visit sites like news and weather they will NOT have links to such sites unless they are very poorly operated or malicious themselves. Other sites coming up on Google search results are less certain, but Google will often warn about scam sites. Also searching for porn or things like that are going to bring up those hits much more likely than legitimate topics.
So the bottom line is the same old same old. If you click on a malicious site you may get pwned, perhaps more easily with Java, but there are plenty of other vulnerable plugins. You may have heard of Adobe reader, I don't use it. Or flash? I don't use it either except when I allow it (by click-to-flash).
>>Exactly! I’ve been calling for people to do that for years now. [...]
>>In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.
I dunno... without java and flash, the interwebs are pretty dang boring. I'll just stick to NoScript. Thanks though! : )
Incidentally, since we are talking about java, another really good tip is to uninstall ALL versions except the most current one - It has long been a pet peeve of mine that java's installer doesn't clean up (uninstall) previous versions on install. One can have many instances of JRE installed on the same dang machine.
Even when this bug is fixed (which will be pretty much immediately), The exploit remains because the old versions remain, and IIRC, can be called exclusively.
The uninstall process can be laborious if never done before, but is possible through normal means ('A&R Programs' in win9x-XP, 'Programs & Features' in vista-Win7), just uninstall every instance of Java except the most current one (the one with the highest version and build number).
OR, One can use a free and nifty aftermarket java maintenance utility, JavaRa, which will automate the process (among other utility features). This is a great tool for any service tech's toolkit.
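The clean-up described in the two posts above (keep only the newest JRE, remove the rest) can be previewed before touching anything. The script below is an added example for this thread, not code from any poster, from JavaRa or from Oracle. It assumes Oracle's Windows installers register in the uninstall registry with a DisplayName such as "Java 7 Update 10" or "Java(TM) 6 Update 45", a numeric DisplayVersion such as 7.0.100, and an MSI product code as the key name; it only prints the uninstall commands it would run.

```powershell
# Added example (not from the thread, JavaRa or Oracle): list every JRE/JDK
# registered in the Windows uninstall registry and flag all but the newest.
# Assumptions: DisplayName looks like "Java 7 Update 10" / "Java(TM) 6 Update 45",
# DisplayVersion is numeric (e.g. 7.0.100), and the key name (PSChildName) is the
# MSI product code that "msiexec /x" accepts. Nothing is removed; commands are printed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit JREs on 64-bit Windows
)

# @() guarantees an array even when exactly one runtime is installed.
$javaEntries = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match '^Java(\(TM\))?\s+\d' -and   # a runtime, e.g. "Java 7 Update 10"
            $_.DisplayName -notmatch 'Auto Updater' -and        # the updater is not a runtime
            $_.DisplayVersion -match '^\d+(\.\d+)+$'            # must be sortable as [version]
        } |
        Sort-Object -Property @{ Expression = { [version]$_.DisplayVersion } } -Descending
)

if ($javaEntries.Count -eq 0) {
    Write-Output 'No Java runtime found in the uninstall registry.'
    return
}

# Compare by version, not by position, so a 32-bit and a 64-bit build of the same
# (newest) release are both kept rather than one being flagged as stale.
$newestVersion = [version]$javaEntries[0].DisplayVersion

foreach ($entry in $javaEntries) {
    $thisVersion = [version]$entry.DisplayVersion
    if ($thisVersion -eq $newestVersion) {
        Write-Output ("Keep : {0} ({1})" -f $entry.DisplayName, $entry.DisplayVersion)
        continue
    }

    Write-Output ("Stale: {0} ({1})" -f $entry.DisplayName, $entry.DisplayVersion)
    if ($entry.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI product code: this is the silent uninstall command you would run.
        Write-Output ("       msiexec /x {0} /qn" -f $entry.PSChildName)
    } elseif ($entry.UninstallString) {
        Write-Output ("       {0}" -f $entry.UninstallString)
    }
}
```

Run it from an elevated PowerShell prompt, read the "Stale" lines, and only then run the printed msiexec commands (or let JavaRa do it). The version comparison is done with [version] rather than string comparison because "7.0.100" sorts after "7.0.90" numerically but before it as text, which is exactly the mistake that leaves an older update in place.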
ROAMER_1: I dunno... without java and flash, the interwebs are pretty dang boring.
Which is why I didn't advocate uninstalling flash, though hopefully HTML5 will soon make Flash obsolete (and the many vulnerabilities that come with it). Java does nothing for web site browsing. Literally... nothing. Web browsers are all bundled with their own JavaScript, which is what makes websites work. JavaScript is not Java. They are different things with similar names. Java is not needed for an interesting web experience. Uninstall it and you will see no difference on the web.
Now if you visit sites that want you to download and execute programs written in Java, then that's a different story. But those sites are extremely rare.
No comment from Oracle anywhere.
http://www.kb.cert.org/vuls/id/625617
Why can’t the DHS go after the people who they KNOW are onto this...?? This is such nonsense.
It’s as if a rumor got around that a couple people figured out how to make a key that opens almost all doors. So instead of going after the few people who made the key, which is what they should be doing, the government tells us to lock ourselves behind our own doors - and then remove the lock.
Now everyone panics thinking they 1) have Java installed and 2) are first in line to be exploited. I’m an IT consultant and I work on quite a few networks with this stuff installed. I guess I’ll need to keep reading up on the severity of this before I start disabling everything and warning all my clients (before they all start hounding me about it), because the recommendation from DHS is not satisfactory enough for me. No comment from Oracle as far as I can tell...