Posted on 01/13/2013 6:53:40 AM PST by SeekAndFind
If you have not yet seen or acted upon Homeland Security's warning, I urge you to do so immediately:
The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks. The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
BlazingCatFur explains the situation:
My suspicion is that it's related to this: Iran blamed for massive cyber attack on U.S. banks data centers as 'puppet hacking group' says they did it because the anti-Mohammed movie is still on the internet.
BCF links to a helpful site, but the instructions may be a bit confusing to some:
Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.
(Excerpt) Read more at americanthinker.com ...
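The Control Panel checkbox described above is the only visible part of the change; underneath, Java 7 Update 10 records the choice as `deployment.webjava.enabled=false` in the user's `deployment.properties`, and Oracle's fix for this bug (CVE-2013-0422) shipped as Java 7 Update 11. Here is an added audit program, written for this page rather than taken from the original post or from Oracle, that reports both things for the JRE it is run with: whether the version is in the affected range (Java 7 below Update 11) and whether web Java is still enabled. The file locations and the sample properties content are assumptions of the example, not something the post states.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JavaPluginAudit {

    // CVE-2013-0422 affects Java 7 Update 10 and earlier; Oracle's fix was Java 7 Update 11 (1.7.0_11).
    static final int FIXED_UPDATE = 11;

    // Parse Oracle-style version strings ("1.7.0_10", "1.6.0_37") and newer ones ("17.0.2", "9")
    // into {major, minor, micro, update}; components that are absent count as 0.
    static int[] parseVersion(String v) {
        Matcher m = Pattern.compile("(\\d+)(?:\\.(\\d+))?(?:\\.(\\d+))?(?:_(\\d+))?").matcher(v);
        if (!m.find()) {
            throw new IllegalArgumentException("unrecognised java.version: " + v);
        }
        int[] out = new int[4];
        for (int i = 0; i < 4; i++) {
            out[i] = m.group(i + 1) == null ? 0 : Integer.parseInt(m.group(i + 1));
        }
        return out;
    }

    // True only for the Java 7 line (1.7.x) below Update 11; Java 6 and earlier are outside this bug.
    static boolean affectedByCve20130422(String version) {
        int[] v = parseVersion(version);
        return v[0] == 1 && v[1] == 7 && v[3] < FIXED_UPDATE;
    }

    // Java 7u10+ writes deployment.webjava.enabled=false when "Enable Java content in the browser"
    // is un-ticked in the Java Control Panel. A missing key means the default, which is enabled.
    static boolean webJavaEnabled(Properties deployment) {
        String value = deployment.getProperty("deployment.webjava.enabled", "true").trim();
        return !"false".equalsIgnoreCase(value);
    }

    static Properties loadDeployment(Reader r) throws IOException {
        Properties p = new Properties();
        p.load(r);
        return p;
    }

    // Per-user deployment.properties locations (assumed for this example; verify against your JRE).
    static Path userDeploymentProperties() {
        String os = System.getProperty("os.name", "").toLowerCase();
        String home = System.getProperty("user.home");
        if (os.contains("win")) {
            return Paths.get(home, "AppData", "LocalLow", "Sun", "Java", "Deployment", "deployment.properties");
        }
        if (os.contains("mac")) {
            return Paths.get(home, "Library", "Application Support", "Oracle", "Java", "Deployment",
                    "deployment.properties");
        }
        return Paths.get(home, ".java", "deployment", "deployment.properties");
    }

    public static void main(String[] args) throws IOException {
        String version = System.getProperty("java.version");
        System.out.println("java.version = " + version
                + (affectedByCve20130422(version)
                        ? "  -> affected by CVE-2013-0422: update or disable web Java"
                        : "  -> not in the affected range"));

        Path p = userDeploymentProperties();
        Properties deployment;
        if (Files.exists(p)) {
            try (Reader r = Files.newBufferedReader(p)) {
                deployment = loadDeployment(r);
            }
        } else {
            // Constructed sample standing in for a machine where the checkbox was never touched.
            deployment = loadDeployment(new StringReader("deployment.version=7.10\n"));
            System.out.println("no " + p + " found; using a constructed sample");
        }
        System.out.println("web Java in browser: " + (webJavaEnabled(deployment) ? "ENABLED" : "disabled"));
    }
}
```

Compile and run it with the JRE you want to check (`javac JavaPluginAudit.java && java JavaPluginAudit`); a machine with several JREs installed, which a later reply complains about, needs the check run once per JRE, and a JRE that pre-dates Update 10 has no checkbox at all, so the only options there are the per-browser plugin switch or uninstalling.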
It appears that Firefox disabled it for me.
Why can’t we just remove Java as I did yesterday in control panel’s ‘uninstall a program’ feature in Windows 7?
You can also remove Java, but don’t you want it back later?
Yes, but will we be notified when it’s safe to reinstall the latest version?
Also is there any alternative to Java that has been proven safe?
So is this legit or what? I just looked at mine - it’s the 6.0 version - way behind on updating I am.
FYI
From Firefox/Mozilla:
In order to protect you, Firefox has stopped the Java plugin from running automatically because it has a security issue. However, you can still use Java on trusted sites if necessary. We'll show you how [via the link below]:
https://support.mozilla.org/en-US/kb/how-to-use-java-if-its-been-blocked
HERE IS A HELPFUL SITE:
HOW TO DISABLE JAVA ON YOUR BROWSER
http://www.gizmodo.com.au/2013/01/how-to-disable-java-in-your-browser/
RE: So is this legit or what?
It is a legitimate computer threat being reported now.
See here for various reports:
Oracle confirms latest Java 7 vulnerability and announces a fix will be available shortly
http://www.techsupportalert.com/
Get a free Firewall(Comodo), Anti-Virus (Panda that uses Cloud), Anti-Malware, and a few other scanning software - and you will be fine...disabling JAVA will upset certain websites and other things on your computer...
A multi-approach defense is better than cancelling out a needed software program like JAVA...
Since when do we trust DHS?
I don’t even know what Java is, but when I see FEMA or DHS tell me to do something I’m going to be suspicious right off.
Maybe this is one of those times DHS gets the broken clock award of the day though.
Thanks Tom - I noticed FF installing an update the other day, but paid no attention.
This is a variant of a Java problem since 2011 (I think). DHS didn’t find it. This is an example of the slavish MSM giving credit to a bungling government for something done by free markets.
Ok I should have known that.
They don’t even get the broken clock award.
They get the “day late dollar short irrelevant useless goobermint agency” of the day award.
I can’t find anywhere that explains what the vulnerability is, or gives sample exploit code.
Nothing new here.
Java has always been computing security hell.
Question is, how will I know if a pop up saying "for those who uninstalled JAVA, download this latest version that has been patched to resolve any potential problems" is legit or just a way for the hacker to get control of my computer?
What I don’t get is why there are several versions of Java on my computer. After you do an update you’d think it would delete the former update prior to it. I remember back in the Windows XP days, you’d see several 100+ MB files of Java Updates that were still there, instead of deleting the old files when it updates a new file.
Ah, got it:
“The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that’s not always the case in JDK 6) in order to access Statement.acc’s private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.”
So if you don’t have Java 7, but are running 6 or 5, then you are good.
mmm...
Geeks who actually understand it tend to have their own sources, but there’s a fair amount of details like
http://blogs.cisco.com/security/new-java-vulnerability-being-exploited-in-the-wild/
...This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment.
An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context.
There are a few allegations that the exploit for this new Java vulnerability (CVE-2013-0422) is very similar to the Java vulnerability reported late last year (CVE-2012-5088); however, it seems they are fairly different.
This article describes some of the technical details of the exploit...
Here is a full description of the vulnerability with sample code:
http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
They are basically using tricks to get access to a private field in the security context object and changing it.
The article I posted explains the relation between the two vulnerabilities. They added the AccessControlContext field to stop the first problem. When they released Java 1.7, it turned out that some of the new methods could be used to change the value of this field.
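The quoted write-up ("Ah, got it") and the Cisco excerpt both come down to one gate: reflection into a private field and removal of the Security Manager are both supposed to be refused to untrusted code, and the bug lets an applet do both anyway. The following added demonstration, written for this thread and not taken from any of the linked articles, shows what that gate normally does in plain Java: a private field read by reflection succeeds with no manager installed, is refused once an illustrative SecurityManager denies `ReflectPermission("suppressAccessChecks")`, and the manager itself cannot then be unset. The `Holder` and `DenyReflectionAndUnset` classes are inventions of the example, and it deliberately does not reproduce the bypass.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class SandboxDemo {

    // Stand-in for an object whose private field a sandboxed caller must not reach
    // (the write-up's example is Statement.acc, a private AccessControlContext).
    static final class Holder {
        private String secret = "private-value";
    }

    // Illustrative SecurityManager (not the real applet policy): refuses the two permissions
    // the write-up's technique needs to get past, and allows everything else to keep the demo small.
    static final class DenyReflectionAndUnset extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof ReflectPermission && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("reflective access to private members denied");
            }
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing or removing the SecurityManager denied");
            }
        }
    }

    // setAccessible(true) is where the runtime asks the installed manager for
    // ReflectPermission("suppressAccessChecks"); with no manager it simply succeeds.
    static String readSecretByReflection(Holder h) throws ReflectiveOperationException {
        Field f = Holder.class.getDeclaredField("secret");
        f.setAccessible(true);
        return (String) f.get(h);
    }

    public static void main(String[] args) throws Exception {
        Holder h = new Holder();

        // 1. No SecurityManager: the private field is readable by anyone with reflection.
        System.out.println("no manager      : " + readSecretByReflection(h));

        // 2. Manager installed: the same call is refused at setAccessible().
        System.setSecurityManager(new DenyReflectionAndUnset());
        try {
            readSecretByReflection(h);
            System.out.println("with manager    : read succeeded (unexpected)");
        } catch (SecurityException e) {
            System.out.println("with manager    : " + e.getMessage());
        }

        // 3. Turning the manager off is itself a checked operation, so it is refused too.
        try {
            System.setSecurityManager(null);
            System.out.println("unset manager   : succeeded (unexpected)");
        } catch (SecurityException e) {
            System.out.println("unset manager   : " + e.getMessage());
        }
    }
}
```

Run with `javac SandboxDemo.java && java SandboxDemo`. On JDK 8 through 17 it runs as-is (17 prints a deprecation warning for `setSecurityManager`); on JDK 18 and later the manager is disallowed by default and needs `java -Djava.security.manager=allow SandboxDemo`. The point of the exploit described in the thread is that step 2 and step 3 both succeed for the attacker's code without ever calling the refused permission checks, which is why the thread's advice is to take the plugin out of the browser rather than rely on the sandbox.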
I know nothing about computers. I’m on an ancient Quicksilver Power Mac G4, running 10.4.1. My Java plugin settings are from 2005, and 2009. Do I need to do anything?
“Since when do we trust DHS?”
Me too.
And I should believe anything Big Sis has to say????
Most IE browsers (8 and 9) have the “manage add ons” feature and you can disable java/sun there. But then again, I don’t trust anything Big Sis says either. I can tell you that most local gov’ts are dependent on web apps that use ancient versions of java. These contracted web developers have no incentive to upgrade their apps since the gov’t money just keeps rolling in and most gov’t computers are ancient (they put all taxpayer funds into salaries, benefits and pensions, not equipment)
The solution to this problem is not disabling anything unless you also disable or uninstall Flash, Adobe Reader and all other browser plug-ins that you might have. It is true that Java has a zero-day and the others don't (that we know about). But you can only get pwned by going to a malicious website. You will not get pwned by running Java applets from legitimate websites. When Flash has their next zero day, the DHS will probably tell you to disable that, or maybe they won't. Relying on their advice is foolish. Just don't surf to shady websites (e.g. get rich quick, porn, too-good-to-be-true, etc).
Html5 is on verge of replacing java.
That will eventually be exploited.
Thanks, Morris. I’ll wait until Tuesday to see what happens. Meanwhile, I’ve noticed that streaming videos can be watched using my internet service without Java....apparently.
I do not view “The Department of Homeland Security” as a legal organization, because it infringes on my Constitutional rights.
There’s a lot of misinformation posted on this thread (not the original post but the responses to it).
This *really* is a *legitimate* threat - this is not some trumped up tempest in a teapot dreamed up by the government. It’s not just DHS that has issued this sort of warning - it’s basically anyone that has anything to say about computer security.
And no - confining yourself to “legitimate” websites may not be adequate - as these sites have the potential to be compromised by the bad guys.
Uninstalling Java is fine - but turning off the Java plugin in your browser is good enough.
No need to “save a copy” of what you uninstall - as you can always get a copy of the new code when it’s been released and deemed “secure”.
I can’t even find JAVA on my computer. I can disable Java script on Firefox and Internet Explorer, but there is no “Java” program installed, that I can find.
Just go to Google Maps and type in "Indonesia". ;)
May or may not make sense but “javascript” and “java” are, in fact, two different things.
http://gizmodo.com/5975475/how-to-disable-java-in-your-browser
Google “how to disable java in your browser”. If there are no enabled java “Plugins” in your browser(s) then you’re fine.
After the Firefox 18 update, I went in and reactivated it, and this 'puter sped up. Must be HS is using a program that Java is catching and not allowing their programs to run.
Wonderful, but you’re over-reacting.
That Java update has been out since October, everybody and their cat has noted/taken action on the problem and now that DHS has decided to justify their existence for this week by broadcasting old news, I’m supposed to go run after this latest Shiny Thing?
The ONLY reason I can see for this “news” (other than the desire to justify existence that I’ve already noted) is that somebody decided that Sun (the evil corporation that did Java) didn’t donate enough to The 0’s campaign and will have to be destroyed.
Exactly as the very same people tried to do to Toyota.
Thank you for your service in VN - but on this one you’re just plain wrong. The new security hole was just discovered a few days ago. And it wasn’t the government that originally sounded the alarm - if anything the government is a bit late to the party.
There is a simple and effective solution to this and other threats. Do you want a bullet-proof web surfing computer that can’t be corrupted? Any perceived problems can be fixed by a quick reboot. No anti-virus programs required to protect it, either.
Keep your Windows or Mac computer isolated offline. Many of us have older desktop computers lying around or can scrounge one up for little or nothing. A hard drive isn't even needed, just a DVD drive. I use a 10-year-old Dell with 512 MB memory, but could get by with even less. Boot that old desktop PC off an operating system demo disk. Oops, Windows and Apple don't offer one. Use a Linux demo disk, such as Ubuntu or Mint. You can buy demo disks online or else download and burn images from the Linux websites to create CD or DVD boot disks.
If you ever believe you stumbled across a boobytrapped website, just reboot to purge the problem - you have no hard disk to compromise.
Is a little inconvenience worth the simplicity and safety?
Oracle, like most tech companies, overwhelmingly supported Obama and other Democrats. And, like most companies these days, also supported some select Republicans too.
Oracle says the patch for the latest Java exploit will be out this week, as is being widely reported.
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
My MS security scan picked up and quarantined 3 “JS/BlacoleRef.W” trojans this morning after I got a clean scan with AVIRA premium just hours prior.
Any connection?
I use “NoScript” which is a Mozilla app for Sea Monkey. It allows me to selectively block or permit Java - which many sites require for things to work.
Just more BS to confuse Internet innocents. JAVA has always been insecure, but many web pages won't work without it. Furthermore, Microsoft Windows itself is fundamentally insecure in almost every way conceivable anyway. The government suddenly telling people to quit using JAVA would be like them telling people to quit driving their cars because some other driver might hit them.
Do remember, this is the Obama administration issuing this statement! While at the same time as giving out worse-than-useless advice to people that will make their web browsing quit working, they’re also busily undefending our borders, playing kissy-kiss with our enemies, and instituting a massive domestic spy apparatus.
So there you have it. Are you really going to screw around with your PC because the Obama Administration told you to?
Thanks for the reply. Sorry to get back to you so late. Got sidetracked.
I looked in control panel, all programs, etc., etc. Nothing there. Disabled Javascript in Firefox and Explorer. From what I have been told, javascript and java are two different things. Javascript is O.K.?? Java is not?
Anyway, I even searched the C drive for “Java”. Only thing that comes up is Javascript in Adobe Reader 10.
Thanks!!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.