Yet another Java exploit

    #487213

    This is beginning to get tedious: (yet) another Java zero-day exploit is in the wild.

    This one appears to have been floating around for a few days (but has just been publicly disclosed) and has been adopted by some of the more troublesome malware toolkits such as Blackhole. It affects all versions up to and including the latest version (Java 7 Update 10). This makes it rather more serious and dangerous. There are posts on various “grey” sites demonstrating real world exploits in use right now.

    Here’s a quick guide to disabling Java plugins in the browser as a quick patch until Oracle can do something more permanent.

    Even easier though: if you have Java 7 Update 10, you can open the Java Control Panel and un-tick the Enable Java content in browser setting under the Security tab….

    [Image attachment: Disable-Java-plugin]

    • #1367398

      I’m glad I uninstalled Java long ago. I do not miss it at all.

    • #1367838

      Another Java Scare Story

      Chicago Tribune Headline — Homeland Security Urges Computer Users to Disable Java — WAIT A Minute!!

      Homeland Security really only said:

      “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

      That’s the Java Runtime (JRE) browser plugins only. Hardly anything on the Web runs on these. This is not javascript, and not an issue with Java Apps.

      TintoTech is correct:

      Even easier though: if you have Java 7 Update 10, you can open the Java Control Panel and un-tick the Enable Java content in browser setting under the Security tab….

      And no, BruceR, javascript is NOT Java. I just thought I’d pre-empt a repeat of a previous useless challenge and rebuttal string from another Lounge thread.

      -- rc primak

      • #1367900

        And no, BruceR, javascript is NOT Java. I just thought I’d pre-empt a repeat of a previous useless challenge and rebuttal string from another Lounge thread.

        You have a lousy memory. Our discussion of JavaScript was because you said Sun sued over the name; which they didn’t because they owned and licensed the name.

        I had pointed out the difference many times before you jumped on the bandwagon:

        It’s not really Java though, but JavaScript, which is a bit different: Java vs. JavaScript: Similarities and Differences

        … because javascript and java are two totally different things,

        It’s possible to disable Java use from a browser but leave it installed for use by a trusted program.

        Most webmail sites require Javascript to be enabled (“Active Scripting” in Internet Explorer), but that is different from Java (applets, often animations or games).

        Bruce

        P.S. You must be missing the useful challenges and non-rebuttals badly to drag up ancient history out of the blue for no apparent reason.

      • #1368145

        “To defend against this and future Java vulnerabilities, disable Java in Web browsers.”

        That’s the Java Runtime (JRE) browser plugins only. Hardly anything on the Web runs on these.

        Try telling five million Danes.

        Bruce

        • #1368973

          Try telling five million Danes.

          Bruce

          I am not a Dane. Hardly anyone outside of Denmark will be affected. Irrelevant in the extreme. And I do NOT believe that the article says that the application HAS to be written in Java. That is not what I think the Danish law requires at all.

          Java is still a threat, and it is the browser plugins which carry that threat. While users may find their own level of risk tolerance in regard to this issue, it is not responsible to suggest that Windows Secrets readers should leave Java plugins active just to accommodate one unfortunate law in a small country with a small percentage of the world’s banking customers.

          -- rc primak

          • #1368989

            I am not a Dane. Hardly anyone outside of Denmark will be affected. Irrelevant in the extreme. And I do NOT believe that the article says that the application HAS to be written in Java. That is not what I think the Danish law requires at all.

            Obviously the Danish law wouldn’t require Java, but it does require NemID for myriad purposes (not just banking); and NemID needs a Java-enabled browser.

            But there are also many enterprise applications in most countries which require Java in a browser; I have to use several every day for major functions.

            Java is still a threat, and it is the browser plugins which carry that threat. While users may find their own level of risk tolerance in regard to this issue, it is not responsible to suggest that Windows Secrets readers should leave Java plugins active just to accommodate one unfortunate law in a small country with a small percentage of the world’s banking customers.

            And in no way did I suggest any such thing. I was merely commenting on your “Hardly anything on the web runs on Java browser plugins” as being a stretch for some people.

            Bruce

    • #1368045

      I wouldn’t panic over this. Remember, to be impacted by this all of the following has to happen:
      1. An exploit based on the flaw has to be released. I know of none so far, but it is likely in the future.
      2. You have to be running out-of-date Java once Oracle releases a patch to close the flaw. This should be done shortly. I recommend leaving the Java autoupdate app in Windows startup if you use Java.
      3. You have to visit a web site employing the flaw, usually part of the web’s dark side – porn or illegal download sites.
      4. Your security software doesn’t cover the malware in question.

      With good web habits and keeping Java up to date, I believe you can safely use Java. I have used it for years without a problem and plan to continue to use it. Of course, if the web sites you visit work fine without Java, there’s no need to have it installed. But if you enjoy a Java web site, there’s no reason to panic.

      Jerry

      • #1368102

        I’m not sure I completely agree on all of those points, Jerry.

        100% agree: I don’t think there is a need to panic, but I believe sensible precautions can be recommended. If those precautions impact on daily use of the machine they can be rolled back and the user can make an informed judgement on how to proceed.

        It should be borne in mind that this particular vulnerability is being exploited in the wild right now. It has also been ported to some of the more widely used malware tools and so we can expect that it will be seen much more frequently in the future.

        Yes, for the most part these exploits will turn up on sites that have a certain “niche following”, but one shouldn’t discount the possibility of them being dropped onto more mainstream sites that have been compromised, or being packaged with malvertising that exploits vulnerabilities in Flash etc.

        I do think it correct to employ a multi-layered security model that, among other items, includes keeping Java up to date as automatically as possible. The trouble with that one is that often the Oracle update release process is a slow beast to watch and often users have been “educated” or perhaps more accurately “scared” into not clicking on any pop up windows. I have seen machines that are prompting to update Java and Adobe products from way back when, but the user refuses to update because they are worried that the pop up is actually a threat.

        Just as important as knowing how to stay safe is knowing how to react if a threat does present itself. Regular automated image-based backups, coupled with the knowledge of how to use them, are a powerful thing…but sadly, you and I know from experience how few people protect themselves properly.

    • #1368103

      Java 7 update 11 is now available.

      • #1368104

        …often the Oracle update release process is a slow beast to watch

        Java 7 update 11 is now available.

        There you go, famous last words again!

    • #1368110

      When a vulnerability is as well publicized as this one, Oracle and the security apps tend to respond quickly. Your original statement probably applies to the non publicized issues.

      Jerry

    • #1368261

      Note that in Windows 8, you have to do a Restart after installing the latest Java patch to complete its install. A Windows 8 Hybrid Shut Down won’t work.
      Check Control Panel > Java > General Tab > About Button. It should read “Version 7 Update 11”.

      Jerry
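The two checks this thread asks readers to make (the original post’s “un-tick Enable Java content in browser” and the Control Panel > Java > About version check above) can be scripted for a fleet. This is an added audit script, not code from the thread or from Oracle; it assumes Oracle’s registry layout under HKLM\SOFTWARE\JavaSoft (plus Wow6432Node for a 32-bit JRE on 64-bit Windows) and the per-user deployment.properties key deployment.webjava.enabled, which the Java 7 Update 10 Control Panel sets to false when the browser setting is un-ticked.

```powershell
# Added audit script (assumptions noted in the lead-in): report installed JRE
# versions against the Update 11 fix and whether Java content in the browser
# is still enabled for the current user. Run as the user being checked.

$MinimumUpdate = 11   # Java 7 Update 11 is the patched release named in the thread

function Get-InstalledJreVersions {
    $roots = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    foreach ($root in $roots) {
        if (Test-Path $root) {
            # Subkeys such as "1.7.0_11" carry the full version; "1.7" does not
            Get-ChildItem $root | ForEach-Object { $_.PSChildName } |
                Where-Object { $_ -match '^\d+\.\d+\.\d+_\d+$' }
        }
    }
}

function Test-JavaUpdateCurrent {
    param([string]$Version)   # e.g. "1.7.0_11"
    if ($Version -match '^1\.(\d+)\.\d+_(\d+)$') {
        $major = [int]$Matches[1]; $update = [int]$Matches[2]
        # Anything older than Java 7 is out of date regardless of update level
        return ($major -gt 7) -or ($major -eq 7 -and $update -ge $MinimumUpdate)
    }
    return $false
}

function Get-WebJavaEnabled {
    param([string]$Path = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'))
    # No file, or no key, means the default applies: browser content enabled
    if (-not (Test-Path $Path)) { return $true }
    $line = Get-Content $Path |
        Where-Object { $_ -match '^deployment\.webjava\.enabled=' } | Select-Object -Last 1
    if ($null -eq $line) { return $true }
    return ($line.Split('=', 2)[1].Trim() -ne 'false')
}

$versions = @(Get-InstalledJreVersions)
if ($versions.Count -eq 0) { Write-Output 'No JRE registered; nothing to disable.' }
foreach ($v in $versions) {
    $state = if (Test-JavaUpdateCurrent $v) { 'patched' } else { 'OUT OF DATE' }
    Write-Output "JRE $v : $state"
}
if (Get-WebJavaEnabled) { Write-Output 'WARNING: Java content in browser is still enabled for this user.' }
else { Write-Output 'Java content in browser is disabled for this user.' }
```

The deployment.properties check is per user profile, so a machine with several accounts needs the script run (or the file read) for each of them.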

    • #1368446

      See “Java 7 update 11 security patch fixes nothing”.

      --Joe

    • #1368456

      I stand by my personal view that if you don’t need Java on any of your Web pages, uninstall it. If you have a Java game or a web page you enjoy, keep Java and your security software up to date, use common sense before clicking on links and don’t lose any sleep over it. As Tinto alluded to earlier, a good backup regimen is also recommended but that is not just because of Java threats.

      Jerry

    • #1368991

      Yes, for some people, especially in business environments, Java is still an unfortunate fact of life. No argument there.

      -- rc primak
