Free Republic
Browse · Search
Topics · Post Article

Skip to comments.

Urgent: Disable Java on Your Computer (Homeland Security warns of potential hacker attack)
American Thinker ^ | 01/13/2013 | Bill Schanefelt

Posted on 01/13/2013 6:53:40 AM PST by SeekAndFind

If you have not yet seen or acted upon Homeland Security's warning, I urge you to do so immediately:

The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.  The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.

BlazingCatFur explains the situation:

My suspicion is that it's related to this: Iran blamed for massive cyber attack on U.S. banks data centers as 'puppet hacking group' says they did it because the anti-Mohammed movie is still on the internet.

BCF links to a helpful site, but the instructions may be a bit confusing to some:

Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.

(Excerpt) Read more at ...

KEYWORDS: hacker; homelandsecurity; java
Navigation: use the links below to view more comments.
first previous 1-2021-4041-56 next last
To: SeekAndFind
I transferred JAVA to my flash drive. Then I deleated it from my computer. Figured I could reinstall it later if needed.

Question is how will I know if a pop up saying "for those who uninstalled JAVA, download this latest version that has been patched to resolved any potential problems", is legit or just a way for the hacker to get control of my computer?

21 posted on 01/13/2013 7:23:37 AM PST by Evil Slayer ((Onward, Christian soldiers, marching as to war....))
[ Post Reply | Private Reply | To 1 | View Replies]

To: SeekAndFind

What I don’t get is why there are several versions of Java on my computer. After you do an update you’d think it would delete the former update prior to it. I remember back in the Windows XP days, you’d see several 100+ MB files of Java Updates that were still there, instead of deleting the old files when it updates a new file.

22 posted on 01/13/2013 7:27:56 AM PST by Blue Highway
[ Post Reply | Private Reply | To 1 | View Replies]

To: jjotto; SeekAndFind

Ah, got it:

“The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that’s not always the case in JDK 6) in order to access Statement.acc’s private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.”

So if you don’t have Java 7, but are running 6 or 5, then you are good.

23 posted on 01/13/2013 7:28:38 AM PST by proxy_user
[ Post Reply | Private Reply | To 17 | View Replies]

To: proxy_user


Geeks who actually understand it tend to have their own sources, but there’s a fair amount of details like

...This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment.

An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context.

There are a few allegations that the exploit for this new Java vulnerability (CVE-2013-0422) is very similar to the Java vulnerability reported late last year (CVE-2012-5088); however, it seems they are fairly different.

This article describes some of the technical details of the exploit...

24 posted on 01/13/2013 7:28:58 AM PST by jjotto ("Ya could look it up!")
[ Post Reply | Private Reply | To 19 | View Replies]

To: jjotto; SeekAndFind

Here is a full description of the vulnerability with sample code:

They are basically using tricks to get access to a private field in the security context object and changing it.

25 posted on 01/13/2013 7:40:53 AM PST by proxy_user
[ Post Reply | Private Reply | To 23 | View Replies]

To: jjotto

The article I posted explains the relation between the two vulnerabilities. They added the AccessControlContext field to stop the first problem. When they released Java 1.7, it turned out that some of the new methods could be used to change the value of this field.

26 posted on 01/13/2013 7:44:16 AM PST by proxy_user
[ Post Reply | Private Reply | To 24 | View Replies]

To: SeekAndFind

I know nothing about computers. I’m on an ancient Quicksilver Power Mac G4, running 10.4.1. My Java plugin settings are from 2005, and 2009. Do I need to do anything?

27 posted on 01/13/2013 7:48:57 AM PST by Dr. Bogus Pachysandra ( Ya can't pick up a turd by the clean end!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Clump

“Since when do we trust DHS?”

Me too.

28 posted on 01/13/2013 7:57:23 AM PST by duffee (In need of new tag line)
[ Post Reply | Private Reply | To 15 | View Replies]

To: SeekAndFind

And I should believe anything Big Sis has to say????

29 posted on 01/13/2013 7:58:31 AM PST by Lion Den Dan
[ Post Reply | Private Reply | To 1 | View Replies]

To: Lion Den Dan

Most IE browsers (8 and 9) have the “manage add ons” feature and you can disable java/sun there. But then again, I don’t trust anything Big Sis says either. I can tell you that most local gov’ts are dependent on web apps that use ancient versions of java. These contracted web developers have no incentive to upgrade their apps since the gov’t money just keeps rolling in and most gov’t computers are ancient (they put all taxpayer funds into salaries, benefits and pensions, not equipment)

30 posted on 01/13/2013 8:04:55 AM PST by AbolishCSEU (Percentage of Income in CS is inversely proportionate to Mother's parenting of children)
[ Post Reply | Private Reply | To 29 | View Replies]

To: SeekAndFind

The solution to this problem is not disabling anything unless you also disable or uninstall Flash, Adobe reader and all other browser plug-ins that you might have. It is true that Java has a zero-day and the others don’t (that we know about). But you can only get pwned by going to a malicious website. YOu will not get pwned by running java applets from legitimate websites. When Flash has their next zero day, the DHS will probably tell you to disable that, or may they won’t. Relying on their advice is foolish. Just don’t surf to shady websites (e.g. get rich quick, porn, too-good-to-be-true, etc).

31 posted on 01/13/2013 8:05:41 AM PST by palmer (Obama = Carter + affirmative action)
[ Post Reply | Private Reply | To 1 | View Replies]

To: IbJensen

Html5 is on verge of replacing java.
That will eventually be exploited.

32 posted on 01/13/2013 8:07:50 AM PST by Morris70
[ Post Reply | Private Reply | To 5 | View Replies]

To: Morris70

Thanks, Morris. I’ll wait until Tuesday to see what happens. Meanwhile, I’ve noticed that streaming videos can be watched using my internet service without Java....apparently.

33 posted on 01/13/2013 8:12:42 AM PST by IbJensen (Liberals are like Slinkies, good for nothing, but you smile as you push them down the stairs.)
[ Post Reply | Private Reply | To 32 | View Replies]

To: SeekAndFind

I do not view “The Department of Homeland Security” as a legal organization, because it infringes on my Constitutional rights.

34 posted on 01/13/2013 8:18:06 AM PST by Terry L Smith
[ Post Reply | Private Reply | To 1 | View Replies]

To: SeekAndFind

There’s a lot of misinformation posted on this thread (not the original post but the responses to it).

This *really* is a *legitimate* threat - this is not some trumped up tempest in a teapot dreamed up by the government. It’s not just DHS that has issued this sort of warning - it’s basically anyone that has anything to say about computer security.

And no - confining yourself to “legitimate” websites may not be adequate - as these sites have the potential to be compromised by the bad guys.

Uninstalling Java is fine - but turning off the Java plugin in your browser is good enough.

No need to “save a copy” of what you uninstall - as you can always get a copy of the new code when it’s been released and deemed “secure”.

35 posted on 01/13/2013 8:30:34 AM PST by 2 Kool 2 Be 4-Gotten
[ Post Reply | Private Reply | To 1 | View Replies]

To: SeekAndFind

I can’t even find JAVA on my computer. I can disable Java script on Firefox and Internet Explorer, but there is no “Java” program installed, that I can find.

36 posted on 01/13/2013 8:42:25 AM PST by mark3681
[ Post Reply | Private Reply | To 1 | View Replies]

To: mark3681
I can’t even find JAVA on my computer

Just go to Google Maps and type in "Indonesia". ;)

37 posted on 01/13/2013 8:50:44 AM PST by dfwgator
[ Post Reply | Private Reply | To 36 | View Replies]

To: mark3681

May or may not make sense but “javascript” and “java” are, in fact, two different things.

Google “how to disable java in your browser”. If there are no enabled java “Plugins” in your browser(s) then you’re fine.

38 posted on 01/13/2013 8:54:59 AM PST by 2 Kool 2 Be 4-Gotten
[ Post Reply | Private Reply | To 36 | View Replies]

To: cripplecreek
It appears that firefox disabled it for me.

After the 18 update of firefox , went in reactivated and this 'puter speed-ed up. Must be H S must be useing a program that java is catching and not allowing their programs run

39 posted on 01/13/2013 9:04:20 AM PST by piroque ("In times of universal deceit, telling the truth becomes a revolutionary act")
[ Post Reply | Private Reply | To 2 | View Replies]

To: 2 Kool 2 Be 4-Gotten

Wonderful, but you’re over-reacting.

That Java update has been out since October, everybody and their cat has noted/taken action on the problem and now that DHS has decided to justify their existence for this week by broadcasting old news, I’m supposed to go run after this latest Shiny Thing?

The ONLY reason I can see for this “news” (other than the desire to justify existence that I’ve already noted) is that somebody decided that Sun (the evil corporation that did Java) didn’t donate enough to The 0’s campaign and will have to be destroyed.

Exactly as the very same people tried to do to Toyota.

40 posted on 01/13/2013 9:05:02 AM PST by Unrepentant VN Vet
[ Post Reply | Private Reply | To 35 | View Replies]

Navigation: use the links below to view more comments.
first previous 1-2021-4041-56 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794 is powered by software copyright 2000-2008 John Robinson