Disable Java NOW, users told, as 0-day exploit hits web (reg headline)

[Gary]

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.


http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

[Technical Ben]

Disable browser plugins, or a full uninstall of Java? (Not much will work if it's uninstalled. )

[Gary]

I don't have it installed, seems Java is worse than Flash these days  I imagine most people will still have Java 1.6 anyway.

[Baz]

strange you should say that Gary, my AV picked up something with java last week after a java update   


with out sound ing daft   how do you disable it and what will stop working when its disabled.

I have version 7   is it that one?

[Steve]

You disable from with in the browser settings/preferences. You may wish to keep a separate browser with java enabled just for the times you need it ie a diagnostic BT Speedtest.

[Baz]

dont think I would be able to manage with it disabled on some sites.Just tried it and one site I need for work is not even showing drop down menus for log off options, and some content of diary/info type listings

[Steve]

That's why I suggested using two browsers, one for sites that need java and the other browser for general Internet use.

[pctech]

Or you could use Sandboxie http://www.sandboxie.com/

[Technical Ben]

Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much ).

[jezuk1]

Confirmed here too:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4681

Lets hope they push out an update soon

[sobranie]

Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much ).

Seems to work OK on Win7 64bit (just d/l it).

[JB]

How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-

[Steve]

I found a site last night which if java was enabled gave the version. I thought that useful as you can also reassure yourself that you've disabled it. 

http://javatester.org/version.html

[JB]

Thanks Steve 

[Baz]

How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-

Im on XP and can tell by      control panel > double click Java icon > in the general tab click About       the version is there


Im not sure but the addons in Firefox are just that,  add ons,   and have to be disabled from the add on manager...I think. Correct me if i'm wrong please.


then if you go to the  ' Java '   tab  then the ' View ' button it will show ch you have installed and if they are enabled.

I have   1.7  and 1.6   installed, both were ticked so I just unticked 1.7 for now and left 1.6 enabled.

[Steve]

Java SE 7 Update 7  is now available , this is supposed to block the security exploit.

http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

[Rik]

Thanks, Steve. 

[Simon]

I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.

[Rik]

Getting?? 

[.Griff.]

I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.

Same here. I sometimes think people like to find something to worry about.

[Steve]

It was widely reported on the Internet, however I would think the risk for the majority of home users was neglible. Those of us who are less fastidious with java updates seemed also to be unaffected.

[armadillo]

In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle java, flash and many other nuisances features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

[Baz]

In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle java, flash and many other nuisances features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

but how do you tell if you need it on or off.if its a new site you wont know how its supposed to look, will you 

like I said earlier I have a work related site that I need and only noticed it displaying differently because I visit it regularly and noticed things not working.

What does Java actually do.

[jezuk1]

Version 7 update 7 has been released. Notes: "This releases address security concerns.  Oracle strongly recommends that all Java SE 7 users upgrade to this release."

Edit: Steve has already posted this 

[Rik]

And I've already updated it. 

[armadillo]

but how do you tell if you need it on or off.if its a new site you wont know how its supposed to look, will you 

Usually it is fairly obvious. With Flash, Firefox will display a "missing plugins" box or an invitation to "install Flash" in place of the feature that uses Flash.

With Java, some sites display a warning that Java appears not be installed. But more often, you find out because something that you click on does nothing at all or some feature which is referred to is nowhere to be seen.

like I said earlier I have a work related site that I need and only noticed it displaying differently because I visit it regularly and noticed things not working.

Exactly.

What does Java actually do.

It is a programming language extension that allows processes to run on your machine and potentially alter data there. In effect, it can do the same things as .exe files can. It is supposed to contain safeguards that prevent it doing malicious things but malware writers can get around those fairly easily and are well clued up to exploit weaknesses as soon as they are introduced in Java upgrades.

Common uses of Java include speed testers and also calculators in which you input some parameters and a calculation is displayed.

If you are browsing in work related sites or mainstream reputable places, you are unlikely to encounter malicious Java. I tend to know if I am browsing in potentially dangerous places but I suspect that most of the reported problems happen to people who browse obviously risky sites with all features enabled. The biggest danger is lack of commonsense and it is easy to exploit.

[Rik]

The biggest danger is lack of commonsense and it is easy to exploit.

Well put.

[pctech]

Oh dear, think work just got tougher for me as one of the systems I support is Java based so I'll have to persuade some frightened user who has been told by their Son, Daughter, neighbour who 'knows about computers' that its ok to install Java.

(deep sigh)

[Niall]

Ah tits,  I just thought, I haven't updated my mums laptop. Argh!

* Niall pokes off button on router

[Gary]

Seriously if people think hey browse safely (no offence to anyone) that is a mistake as I see it...no site is safe really, sites can have exploits on them without knowing until its to late or a dns redirect can snag you, which happened to this very site we are now on, what would have happened if that redirect had a malicious payload? Common sense helps but its by no means a safety net anymore when exploits download with no user interaction.

  Java like Flash is a vector for attack and sometimes holes in it are open for along time. The less vulnerable you are on the net the better. Java is not needed by most, and if I need a piece of technology just to run one speed tester  then I would rather not bother. More and more often Java and Flash are used as a way in now as Os's are getting harder to get through, so its the low hanging fruit they go for.

Adobe seem to be at this time patching Flash much faster which is a blessing. I have to say I don't see the need to risk you computer, your Identity and your credit ratings or your cash for a BT speed tester. if that's all you use it for, if you have programs that need it fine, just turn it off in your browser, that's not exactly hard work. Installing Java on a computer to a person that is not tech savvy and who may never use it is pointless. If they need it fair enough but don't start drilling holes in their defences because common sense prevails and there is no need to worry...common sense often doesn't even have a chance to notice the issue until its to late. The less plugins the better I think.

Yes the reg love a story, but there is a moral to their sensationalism, and its not just that site that seems to have legitimate concerns.

[pctech]

Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much ).

Only program I haven't yet installed on Win 7, will do tonight and report back and it'll be a double challenge as am running 64-bit whereas my XP was 32.