Disable Java NOW, users told, as 0-day exploit hits web (reg headline)

Started by Gary, Aug 28, 2012, 16:16:53


Gary

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.


http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
Damned, if you do damned if you don't

Technical Ben

Disable browser plugins, or a full uninstall of Java? (Not much will work if it's uninstalled. :P )
I used to have a signature, then it all changed to chip and pin.

Gary

I don't have it installed, seems Java is worse than Flash these days  :( I imagine most people will still have Java 1.6 anyway.
Damned, if you do damned if you don't

Baz

Strange you should say that Gary, my AV picked up something with Java last week after a Java update    :o :o

Without sounding daft, how do you disable it and what will stop working when it's disabled?

I have version 7, is it that one?

Steve

You disable it from within the browser settings/preferences. You may wish to keep a separate browser with Java enabled just for the times you need it, i.e. a diagnostic BT Speedtest.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Don't think I would be able to manage with it disabled on some sites. Just tried it and one site I need for work is not even showing drop-down menus for log-off options, and some content of diary/info type listings.

Steve

That's why I suggested using two browsers, one for sites that need java and the other browser for general Internet use.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.


Technical Ben

Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much :P ).
I used to have a signature, then it all changed to chip and pin.


sobranie

Quote from: Technical Ben on Aug 28, 2012, 20:26:23
Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much :P ).
Seems to work OK on Win7 64bit (just d/l it).

JB

How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-
JB

'Keyboard not detected ~ Press F1 to continue'

Steve

I found a site last night which if java was enabled gave the version. I thought that useful as you can also reassure yourself that you've disabled it. 

http://javatester.org/version.html
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

JB

JB

'Keyboard not detected ~ Press F1 to continue'

Baz

Quote from: JB on Aug 29, 2012, 08:54:39
How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-


I'm on XP and can tell by: Control Panel > double-click the Java icon > in the General tab click About; the version is there.

I'm not sure, but the add-ons in Firefox are just that, add-ons, and have to be disabled from the add-on manager... I think. Correct me if I'm wrong please.

Then if you go to the 'Java' tab, then the 'View' button, it will show which you have installed and if they are enabled.

I have 1.7 and 1.6 installed, both were ticked so I just unticked 1.7 for now and left 1.6 enabled.

Steve

Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

.Griff.

Quote from: Simon on Aug 31, 2012, 11:14:46
I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.

Same here. I sometimes think people like to find something to worry about.


Steve

It was widely reported on the Internet, however I would think the risk for the majority of home users was negligible. Those of us who are less fastidious with Java updates seemed also to be unaffected.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle java, flash and many other nuisances features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

Baz

Quote from: armadillo on Aug 31, 2012, 23:19:36
In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle java, flash and many other nuisances features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

But how do you tell if you need it on or off? If it's a new site you won't know how it's supposed to look, will you  :dunno:

Like I said earlier, I have a work-related site that I need and only noticed it displaying differently because I visit it regularly and noticed things not working.

What does Java actually do?

jezuk1

Version 7 update 7 has been released. Notes: "This releases address security concerns.  Oracle strongly recommends that all Java SE 7 users upgrade to this release."

Edit: Steve has already posted this  :D
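
A version check along the lines discussed in this thread, as an added example that is not part of any post: it reads the first line of `java -version` output and sorts it into the ranges quoted above (1.6 or earlier not at risk, 1.7 at risk, Version 7 update 7 carrying the fix). The function names and status labels are made up for illustration, the sample banners are constructed, and it assumes update 7 appears in the banner as `1.7.0_07`.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `java -version` banner
# against the version ranges quoted in this thread.

# Pull the quoted version string (e.g. 1.7.0_06) out of banner text.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Prints one of: not-at-risk | affected | has-update-7 | unknown
classify_java_version() {
    ver=$1
    case $ver in
        1.*) ;;
        *) echo unknown; return 0 ;;
    esac
    minor=${ver#1.}             # "7.0_06"
    minor=${minor%%[!0-9]*}     # "7"
    update=0                    # a bare "1.7.0" is the first release, update 0
    case $ver in
        *_*) update=${ver##*_}            # "06" or "06-b24"
             update=${update%%[!0-9]*} ;;
    esac
    update=$(printf '%s' "$update" | sed 's/^0*//')   # drop leading zeros
    update=${update:-0}
    if [ -z "$minor" ]; then
        echo unknown
    elif [ "$minor" -le 6 ]; then
        echo not-at-risk        # "1.6 or earlier ... not at risk"
    elif [ "$minor" -eq 7 ] && [ "$update" -lt 7 ]; then
        echo affected           # 1.7 before Version 7 update 7
    elif [ "$minor" -eq 7 ]; then
        echo has-update-7       # Version 7 update 7 or a later 1.7 update
    else
        echo unknown            # releases this thread says nothing about
    fi
}

# Constructed sample banners (first line of `java -version` output).
for banner in 'java version "1.6.0_34"' 'java version "1.7.0_06"' 'java version "1.7.0_07"'; do
    v=$(java_version_from_banner "$banner")
    printf '%s -> %s\n' "$v" "$(classify_java_version "$v")"
done
```

On a real machine the banner comes from `java -version 2>&1`, since Java prints it to standard error. This checks the installed runtime only, not whether the browser plug-in is enabled.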

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.