Experts urge PC users to disable Java, cite security flaw
reuters.com ^ | Jan 10, 2013 5:06pm EST | Jim Finkle

Posted on 01/10/2013 2:51:44 PM PST by alancarp

[No quote due to Reuters source. Title is accurate representation of article. Please see link.]

(Excerpt) Read more at reuters.com ...


TOPICS: Business/Economy; Culture/Society; Technical
KEYWORDS: computers; java; oracle; security
To: alancarp

Bookmark.


21 posted on 01/10/2013 4:12:55 PM PST by The Cajun (Sarah Palin, Mark Levin......Nuff said.)

To: Slainte

I still don’t see it. The linked page says almost nothing and the link on the linked page (Kaspersky) doesn’t say much either.


22 posted on 01/10/2013 4:18:50 PM PST by palmer (Obama = Carter + affirmative action)

To: Chickensoup

I have a mac. But I also have clicktoflash installed in Safari and that blocks any java (along with any flash) from running until I click on it to tell it to run. The basic use is to stop animated crap, usually ads, but IMO all animations are crap unless I say otherwise. It will stop malware too.


23 posted on 01/10/2013 4:23:33 PM PST by palmer (Obama = Carter + affirmative action)

To: alancarp

This is a serious threat that probably all versions of java are susceptible to but since it is carried out via a web browser plugin all you need to do is to disconnect your java plugin from your browser as detailed here - https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

In my case I do have a mission-critical app (java plugin based) that I need for my job but in my case I use firefox for that app and google chrome for everything else. The server for the app is behind a firewall so I’m going to bet that I’m OK there. So I’ll unplug java from google-chrome and leave it on in firefox and hopefully that’s ok. I’m also on linux which may have a measure of security through obscurity. (Or not).

I thought that maybe updating to java 1.7(10) might afford some protection but it most definitely does not. So far there is no known version of java that is without this security hole.

Unplug java from your browsers - it just takes a few seconds. I guess to be ultra safe one could uninstall java completely - I just cannot afford to do that unfortunately.


24 posted on 01/10/2013 4:31:58 PM PST by 2 Kool 2 Be 4-Gotten

To: palmer

caca edit? Ya gets whut ya pays fer.


25 posted on 01/10/2013 4:36:23 PM PST by rawcatslyentist ("Behold, I am against you, O arrogant one," Jeremiah 50:31)

To: alancarp

mark for home


26 posted on 01/10/2013 4:40:53 PM PST by The Mayor ("If you can't make them see the light, let them feel the heat" — Ronald Reagan)

To: alancarp
meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.
27 posted on 01/10/2013 4:41:05 PM PST by roamer_1 (Globalism is just socialism in a business suit.)

To: TomGuy; AlexW

>>Many web pages require Java.

You’re thinking of JavaScript, which is bundled into every browser. IE, Firefox, Chrome, etc... all have their own JavaScript.

Java is a programming language that may be required to run certain programs, but primarily it’s a vector that viruses use to get into your system. Very few programs require actual Java to be installed.

It’s perfectly safe to uninstall Java from your Control Panel. Disable Java Deployment Toolkit from your browser also if you like... though once Java is uninstalled the Deployment Toolkit is defanged. If you find that you have a program that actually requires Java, simply go to java.com and reinstall it.


28 posted on 01/10/2013 5:45:56 PM PST by MarineBrat (Better dead than red!)

To: roamer_1

>>>meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.

Exactly! I’ve been calling for people to do that for years now. Firefox with NoScript is the way to go. I end up having to do a little extra training of people, but it pays off in the long run. There’s also ScriptNo for Chrome, though I don’t have any experience with that.

In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

The two SecurityNow! links I posted above are a great resource for Java security.


29 posted on 01/10/2013 5:52:50 PM PST by MarineBrat (Better dead than red!)

sfl


30 posted on 01/10/2013 6:40:02 PM PST by phockthis (http://www.supremelaw.org/fedzone11/index.htm ...)

Tells you if JAVA is installed/working and has a link to simple instructions on how to disable it in your browser:
http://www.java.com/en/download/testjava.jsp


31 posted on 01/10/2013 7:04:15 PM PST by mrsmith (Dumb sluts: Lifeblood of the Media, Backbone of the Democrat Party!)

To: ShadowAce; LucyT

Thanks for the warning!

_______

An FYI PING!


32 posted on 01/10/2013 8:05:54 PM PST by Graewoulf ((Traitor John Roberts' Commune Obama"care" violates Anti-Trust Laws, AND the U.S. Constitution.))

To: alancarp; a fool in paradise; Slings and Arrows
THIS JUST IN:

PC Users Urge Humans to Disable Experts!


33 posted on 01/10/2013 8:09:42 PM PST by Revolting cat! (Bad things are wrong! Ice cream is delicious!)

To: alancarp


National Cyber Awareness System

US-CERT Alert TA13-010A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: January 10, 2013
Last revised: --

Systems Affected

    Any system using Oracle Java 7 (1.7, 1.7.0) including

    * Java Platform Standard Edition 7 (Java SE 7)
    * Java SE Development Kit (JDK 7)
    * Java SE Runtime Environment (JRE 7)

    All versions of Java 7 through update 10 are affected.  Web
    browsers using the Java 7 plug-in are at high risk.


Overview

  A vulnerability in the way Java 7 restricts the permissions of Java
  applets could allow an attacker to execute arbitrary commands on a
  vulnerable system.


Description

  A vulnerability in the Java Security Manager allows a Java applet
  to grant itself permission to execute arbitrary code. An attacker
  could use social engineering techniques to entice a user to visit a
  link to a website hosting a malicious Java applet. An attacker
  could also compromise a legitimate web site and upload a malicious
  Java applet (a "drive-by download" attack).

  Any web browser using the Java 7 plug-in is affected. The Java
  Deployment Toolkit plug-in and Java Web Start can also be used as
  attack vectors.

  Reports indicate this vulnerability is being actively exploited,
  and exploit code is publicly available.

  Further technical details are available in Vulnerability Note
  VU#625617.


Impact

  By convincing a user to load a malicious Java applet or Java
  Network Launching Protocol (JNLP) file, an attacker could execute
  arbitrary code on a vulnerable system with the privileges of the
  Java plug-in process.


Solution

  Disable Java in web browsers

  This and previous Java vulnerabilities have been widely targeted by
  attackers, and new Java vulnerabilities are likely to be
  discovered. To defend against this and future Java vulnerabilities,
  disable Java in web browsers.

  Starting with Java 7 Update 10, it is possible to disable Java
  content in web browsers through the Java control panel applet. From
  Setting the Security Level of the Java Client:

  For installations where the highest level of security is required,
  it is possible to entirely prevent any Java apps (signed or
  unsigned) from running in a browser by de-selecting Enable Java
  content in the browser in the Java Control Panel under the Security
  tab.

  If you are unable to update to Java 7 Update 10 please see the
  solution section of Vulnerability Note VU#636312 for instructions
  on how to disable Java on a per browser basis.


References

* Vulnerability Note VU#625617
  <http://www.kb.cert.org/vuls/id/625617>

* Setting the Security Level of the Java Client
  <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html>

* The Security Manager
  <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

* How to disable the Java web plug-in in Safari
  <https://support.apple.com/kb/HT5241>

* How to turn off Java applets
  <https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

* NoScript
  <http://noscript.net/>

* Securing Your Web Browser
  <https://www.us-cert.gov/reading_room/securing_browser/#Safari>

* Vulnerability Note VU#636312
  <http://www.kb.cert.org/vuls/id/636312#solution>


Revision History

 January 10, 2013: Initial release

____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA13-010A Feedback VU#625617" in
  the subject.
____________________________________________________________________

  Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA13-010A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
34 posted on 01/10/2013 9:55:26 PM PST by MarineBrat (Better dead than red!)

To: palmer

I’m not sure what you’re expecting to see?

An executable can be run remotely on the compromised system. In the screenshot, they fired off the Windows calculator to prove the concept, but the point is once Java has been compromised code other than Calc can be executed.

The Kaspersky site talks about how the vulnerability is exploited. Java is compromised after hitting a site that has the code for one of the mentioned exploit kits, such as Blackhole. Kaspersky says they are seeing multiple ad networks pointing to these sites, as well as some weather and news sites, etc. So there’s potential exposure to the vulnerability from a variety of sites.


35 posted on 01/10/2013 10:15:39 PM PST by Slainte

To: Slainte
The Kaspersky site talks about how the vulnerability is exploited. Java is compromised after hitting a site that has the code for one of the mentioned exploit kits, such as Blackhole.

Sort of. The blackhole and other exploit kits are used to build an exploit. That exploit is packaged into a jar and hosted on a website. The web page itself will have one of those gray squares on it, and on my browser that's where it ends because I have clicktoflash. The website hosting the exploit and the web page with the Java applet itself is either malicious or compromised.

It has always been the case since the beginning of the web that if you go to a malicious or compromised site you can get pwned. Those sites are typically porn, but also scamware and various out-of-mainstream sites particularly overseas (although they can easily get a ".com" address if they want to). The point is that someone malicious has made the site and has to attract you to go there.

If anyone put up a link to a site like that here, they would be called out (and should be banned for at least carelessness). If you visit sites like news and weather they will NOT have links to such sites unless they are very poorly operated or malicious themselves. Other sites coming up on Google search results are less certain, but Google will often warn about scam sites. Also searching for porn or things like that is going to bring up those hits much more likely than legitimate topics.

So the bottom line is the same old same old. If you click on a malicious site you may get pwned, perhaps more easily with Java, but there are plenty of other vulnerable plugins. You may have heard of Adobe reader, I don't use it. Or flash? I don't use it either except when I allow it (by click-to-flash).

36 posted on 01/11/2013 3:21:17 AM PST by palmer (Obama = Carter + affirmative action)

To: MarineBrat
[roamer_1:] meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.

Exactly! I’ve been calling for people to do that for years now. [...]

In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

I dunno... without java and flash, the interwebs are pretty dang boring. I'll just stick to NoScript. Thanks though! : )

Incidentally, since we are talking about java, another really good tip is to uninstall ALL versions except the most current one - It has long been a pet peeve of mine that java's installer doesn't clean up (uninstall) previous versions on install. One can have many instances of JRE installed on the same dang machine.

Even when this bug is fixed (which will be pretty much immediately), the exploit remains because the old versions remain, and IIRC, can be called exclusively.

The uninstall process can be laborious if never done before, but is possible through normal means ('A&R Programs' in win9x-XP, 'Programs & Features' in vista-Win7), just uninstall every instance of Java except the most current one (the one with the highest version and build number).

Or, one can use a free and nifty aftermarket java maintenance utility, JavaRa, which will automate the process (among other utility features). This is a great tool for any service tech's toolkit.

37 posted on 01/11/2013 7:46:47 AM PST by roamer_1 (Globalism is just socialism in a business suit.)
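An added example, not code from the thread, US-CERT or Oracle, that puts the two defensive checks discussed above into one script: the US-CERT alert's "Enable Java content in the browser" setting from Java 7 Update 10, and roamer_1's point that stale JRE versions left behind by the installer should be removed. The Windows uninstall registry paths, the LocalLow location of deployment.properties and the deployment.webjava.enabled property name are assumptions about the Oracle installer on Vista/7; verify them on your own build.

```powershell
# Added example, not from the thread or the US-CERT alert. Assumes Windows Vista/7
# with Oracle's MSI-based Java installer (entries under the Uninstall keys) and
# Java 7u10+ for the deployment.webjava.enabled setting.

function Get-JavaInstalls {
    # Both native and 32-bit-on-64-bit uninstall hives; missing keys are ignored.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            # Oracle registers names like "Java 7 Update 10", "Java(TM) 6 Update 37",
            # "Java SE Development Kit 7 Update 10"; "Java Auto Updater" is skipped.
            $_.DisplayName -match '^Java(\(TM\))? \d' -or
            $_.DisplayName -match '^Java SE Development Kit'
        } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function Get-StaleJavaInstalls {
    # Newest first by DisplayVersion (e.g. 7.0.100 for 7u10); everything after
    # the first entry is an old runtime that can still be loaded and should go.
    $sorted = Get-JavaInstalls | Sort-Object { [version]$_.DisplayVersion } -Descending
    if ($sorted) { $sorted | Select-Object -Skip 1 }
}

function Test-BrowserJavaDisabled {
    # The 7u10 "Enable Java content in the browser" checkbox is persisted as
    # deployment.webjava.enabled in the per-user deployment.properties file.
    $props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (-not (Test-Path $props)) { return $false }   # unset => default (enabled)
    $m = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=(\S+)' |
        Select-Object -First 1
    return ($m -ne $null -and $m.Matches[0].Groups[1].Value -eq 'false')
}

# Report: inventory, stale runtimes with their uninstall command, browser setting.
$all = @(Get-JavaInstalls)
"Java entries found: $($all.Count)"
foreach ($old in @(Get-StaleJavaInstalls)) {
    "STALE: $($old.DisplayName) ($($old.DisplayVersion)) -> $($old.UninstallString)"
}
if (Test-BrowserJavaDisabled) {
    'Browser Java content: disabled (deployment.webjava.enabled=false)'
} else {
    'Browser Java content: ENABLED - untick "Enable Java content in the browser" (Java Control Panel, Security tab)'
}
```

A system-wide setting pushed through deployment.config would not appear in the per-user file, so a "ENABLED" result there is a prompt to check, not proof that the plug-in is live.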

To: roamer_1
TFS: In the long run though, uninstalling Java is the way to go even when running NoScript. Unless you have a mission critical program that requires it.

ROAMER_1: I dunno... without java and flash, the interwebs are pretty dang boring.

Which is why I didn't advocate uninstalling flash, though hopefully HTML5 will soon make Flash obsolete (and the many vulnerabilities that come with it). Java does nothing for web site browsing. Literally... nothing. Web browsers are all bundled with their own JavaScript, which is what makes websites work. JavaScript is not Java. They are different things with similar names. Java is not needed for an interesting web experience. Uninstall it and you will see no difference on the web.

Now if you visit sites that want you to download and execute programs written in Java, then that's a different story. But those sites are extremely rare.

38 posted on 01/11/2013 8:36:03 AM PST by MarineBrat (Better dead than red!)

To: alancarp

No comment from Oracle anywhere.

http://www.kb.cert.org/vuls/id/625617

Why can’t the DHS go after the people who they KNOW are onto this...?? This is such nonsense.

It’s as if a rumor got around that a couple people figured out how to make a key that opens almost all doors. So instead of going after the few people who made the key, which is what they should be doing, the government tells us to lock ourselves behind our own doors - and then remove the lock.

Now everyone panics thinking they 1) have Java installed and 2) are first in line to be exploited. I’m an IT consultant and I work on quite a few networks with this stuff installed. I guess I’ll need to keep reading up on the severity of this before I start disabling everything and warning all my clients (before they all start hounding me about it), because the recommendation from DHS is not satisfactory enough for me. No comment from Oracle as far as I can tell...


39 posted on 01/12/2013 6:33:14 AM PST by bryan999

