Posted on 01/13/2013 6:53:40 AM PST by SeekAndFind
If you have not yet seen or acted upon Homeland Security's warning, I urge you to do so immediately:
The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks. The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
BlazingCatFur explains the situation:
My suspicion is that it's related to this: Iran blamed for massive cyber attack on U.S. banks data centers as 'puppet hacking group' says they did it because the anti-Mohammed movie is still on the internet.
BCF links to a helpful site, but the instructions may be a bit confusing to some:
Last month Oracle released a new Java version, Update 10, that includes a one-stop option for disabling Java in all browsers in the Java Control Panel. Open Control Panel and launch the Java applet. If you don't see it, switch to Classic View (in XP) or small icons (in Vista or Windows 7). Click the Security tab. In previous versions this tab just allowed advanced users to manage Java-related certificates. It now displays a security-level slider and, more important, a single checkbox titled "Enable Java content in the browser." Un-check this box, click OK, and you're done.
(Excerpt) Read more at americanthinker.com ...
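The Control Panel steps quoted above leave no visible trace once the dialog is closed, so it helps to have a way to confirm the setting took. The script below is an added example written for this thread, not code from the original post, from americanthinker.com or from Oracle. It assumes that the "Enable Java content in the browser" checkbox in Java 7 Update 10 and later is stored as the key `deployment.webjava.enabled` in the per-user `deployment.properties` file, and that the file lives at the paths listed in `CANDIDATE_PATHS`; the key name, the paths and the helper names (`parse_properties`, `web_java_status`, `check_file`) are my assumptions, so verify them against your own install. It goes slightly beyond the quoted steps by parsing the file with proper Java `.properties` escaping, since values in that file contain backslash-escaped colons and a naive split on `=` would mis-read them.

```python
"""Confirm that Java's browser plugin is switched off (added example).

Reads the per-user deployment.properties that the Java Control Panel writes
and reports the state of "Enable Java content in the browser".  Key name and
file locations are assumptions drawn from Java 7u10 documentation.
"""
import os
import sys

# Per-user deployment.properties locations (assumed; check your own system).
CANDIDATE_PATHS = [
    os.path.expandvars(r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties"),  # Windows
    os.path.expanduser("~/.java/deployment/deployment.properties"),  # Linux
    os.path.expanduser("~/Library/Application Support/Oracle/Java/Deployment/deployment.properties"),  # OS X
]

# Constructed sample of a hardened file; NOT captured from a real machine.
SAMPLE_DISABLED = """\
#deployment.properties
#Sun Jan 13 09:00:00 PST 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
"""


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Skips blank and '#'/'!' comment lines, treats the first unescaped '='
    or ':' as the key/value separator, and honours backslash escapes in
    both key and value (e.g. 'http\\://host' becomes 'http://host').
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, in_key, escaped = [], [], True, False
        for ch in line:
            if escaped:
                (key if in_key else value).append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif in_key and ch in "=:":
                in_key = False
            else:
                (key if in_key else value).append(ch)
        props["".join(key).strip()] = "".join(value).strip()
    return props


def web_java_status(props):
    """Return 'disabled', 'enabled' or 'unknown' for Java in the browser.

    Un-checking the box writes deployment.webjava.enabled=false.  When the
    key is absent the plugin default is enabled, so 'unknown' is reported
    only when the key exists but holds an unexpected value.
    """
    value = props.get("deployment.webjava.enabled", "true").lower()
    if value == "false":
        return "disabled"
    if value == "true":
        return "enabled"
    return "unknown"


def check_file(path):
    """Parse one deployment.properties file and return (status, security_level)."""
    with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
        props = parse_properties(fh.read())
    return web_java_status(props), props.get("deployment.security.level", "default")


def main(argv):
    paths = argv[1:] or [p for p in CANDIDATE_PATHS if os.path.exists(p)]
    if not paths:
        print("no deployment.properties found; Java may not be installed or never configured")
        return 2
    for path in paths:
        status, level = check_file(path)
        print(f"{path}: Java in browser is {status} (security level: {level})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to scan the assumed locations, or pass one or more file paths explicitly. A result of `enabled` on a machine where you un-checked the box usually means the Control Panel wrote to a different user profile than the one you are checking.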
The question is, how will I know whether a pop-up saying "for those who uninstalled JAVA, download this latest version that has been patched to resolve any potential problems" is legit or just a way for the hacker to get control of my computer?
What I don’t get is why there are several versions of Java on my computer. After you do an update you’d think it would delete the former update prior to it. I remember back in the Windows XP days, you’d see several 100+ MB files of Java Updates that were still there, instead of deleting the old files when it updates a new file.
Ah, got it:
“The exploit takes advantage of two issues in JDK 7: The ClassFinder and MethodFinder.findMethod(). Both were newly introduced in JDK 7. ClassFinder is a replacement for classForName back in JDK 6. It allows untrusted code to obtain a reference and have access to a restricted package in JDK 7, which can be used to abuse sun.awt.SunToolkit (a restricted package). With sun.awt.SunToolkit, we can actually invoke getField() by abusing findMethod() in Statement.invokeInternal() (but getField() must be public, and that’s not always the case in JDK 6) in order to access Statement.acc’s private field, modify AccessControlContext, and then disable Security Manager. Once Security Manager is disabled, we can execute arbitrary Java code. Our exploit has been tested successfully against multiple platforms, including: IE, Firefox, Safari, Chrome; Windows, Ubuntu, OS X, Solaris, etc.”
So if you don’t have Java 7, but are running 6 or 5, then you are good.
mmm...
Geeks who actually understand it tend to have their own sources, but there are a fair number of details, like
http://blogs.cisco.com/security/new-java-vulnerability-being-exploited-in-the-wild/
...This Java vulnerability is due to improper security protections on built-in classes in the Java Runtime Environment.
An unsigned Java applet can use the setSecurityManager() function to bypass security checks and access an elevated security context.
There are a few allegations that the exploit for this new Java vulnerability (CVE-2013-0422) is very similar to the Java vulnerability reported late last year (CVE-2012-5088); however, it seems they are fairly different.
This article describes some of the technical details of the exploit...
Here is a full description of the vulnerability with sample code:
http://immunityproducts.blogspot.com/2012/08/java-0day-analysis-cve-2012-4681.html
They are basically using tricks to get access to a private field in the security context object and changing it.
The article I posted explains the relation between the two vulnerabilities. They added the AccessControlContext field to stop the first problem. When they released Java 1.7, it turned out that some of the new methods could be used to change the value of this field.
I know nothing about computers. I’m on an ancient Quicksilver Power Mac G4, running 10.4.1. My Java plugin settings are from 2005, and 2009. Do I need to do anything?
“Since when do we trust DHS?”
Me too.
And I should believe anything Big Sis has to say????
Most IE browsers (8 and 9) have the “manage add-ons” feature and you can disable Java/Sun there. But then again, I don’t trust anything Big Sis says either. I can tell you that most local gov’ts are dependent on web apps that use ancient versions of Java. These contracted web developers have no incentive to upgrade their apps since the gov’t money just keeps rolling in and most gov’t computers are ancient (they put all taxpayer funds into salaries, benefits and pensions, not equipment).
The solution to this problem is not disabling anything unless you also disable or uninstall Flash, Adobe Reader and all other browser plug-ins that you might have. It is true that Java has a zero-day and the others don’t (that we know about). But you can only get pwned by going to a malicious website. You will not get pwned by running Java applets from legitimate websites. When Flash has their next zero-day, the DHS will probably tell you to disable that, or maybe they won’t. Relying on their advice is foolish. Just don’t surf to shady websites (e.g. get rich quick, porn, too-good-to-be-true, etc.).
HTML5 is on the verge of replacing Java.
That will eventually be exploited.
Thanks, Morris. I’ll wait until Tuesday to see what happens. Meanwhile, I’ve noticed that streaming videos can be watched using my internet service without Java... apparently.
I do not view “The Department of Homeland Security” as a legal organization, because it infringes on my Constitutional rights.
There’s a lot of misinformation posted on this thread (not the original post but the responses to it).
This *really* is a *legitimate* threat - this is not some trumped up tempest in a teapot dreamed up by the government. It’s not just DHS that has issued this sort of warning - it’s basically anyone that has anything to say about computer security.
And no - confining yourself to “legitimate” websites may not be adequate - as these sites have the potential to be compromised by the bad guys.
Uninstalling Java is fine - but turning off the Java plugin in your browser is good enough.
No need to “save a copy” of what you uninstall - as you can always get a copy of the new code when it’s been released and deemed “secure”.
I can’t even find JAVA on my computer. I can disable Java script on Firefox and Internet Explorer, but there is no “Java” program installed, that I can find.
Just go to Google Maps and type in "Indonesia". ;)
May or may not make sense but “javascript” and “java” are, in fact, two different things.
http://gizmodo.com/5975475/how-to-disable-java-in-your-browser
Google “how to disable java in your browser”. If there are no enabled java “Plugins” in your browser(s) then you’re fine.
After the Firefox 18 update, I went in, reactivated it, and this 'puter sped up. Must be HS is using a program that Java is catching and not allowing their programs to run.
Wonderful, but you’re over-reacting.
That Java update has been out since October, everybody and their cat has noted/taken action on the problem and now that DHS has decided to justify their existence for this week by broadcasting old news, I’m supposed to go run after this latest Shiny Thing?
The ONLY reason I can see for this “news” (other than the desire to justify existence that I’ve already noted) is that somebody decided that Sun (the evil corporation that did Java) didn’t donate enough to The 0’s campaign and will have to be destroyed.
Exactly as the very same people tried to do to Toyota.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.