Disable Java NOW, users told, as 0-day exploit hits web (reg headline)

Started by Gary, Aug 28, 2012, 16:16:53

Gary

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.


http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
Damned, if you do damned if you don't

Technical Ben

Disable browser plugins, or a full uninstall of Java? (Not much will work if it's uninstalled. :P )
I used to have a signature, then it all changed to chip and pin.

Gary

I don't have it installed, seems Java is worse than Flash these days  :( I imagine most people will still have Java 1.6 anyway.
Damned, if you do damned if you don't

Baz

Strange you should say that Gary, my AV picked up something with Java last week after a Java update :o :o

Without sounding daft, how do you disable it and what will stop working when it's disabled?

I have version 7, is it that one?

Steve

You disable it from within the browser settings/preferences. You may wish to keep a separate browser with Java enabled just for the times you need it, i.e. a diagnostic BT Speedtest.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Don't think I would be able to manage with it disabled on some sites. Just tried it and one site I need for work is not even showing drop-down menus for log off options, and some content of diary/info type listings.

Steve

That's why I suggested using two browsers, one for sites that need Java and the other browser for general Internet use.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.


Technical Ben

Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much :P ).
I used to have a signature, then it all changed to chip and pin.


sobranie

Quote from: Technical Ben on Aug 28, 2012, 20:26:23
Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much :P ).
Seems to work OK on Win7 64bit (just d/l it).

JB

How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-
JB

'Keyboard not detected ~ Press F1 to continue'

Steve

I found a site last night which, if Java was enabled, gave the version. I thought that useful as you can also reassure yourself that you've disabled it.

http://javatester.org/version.html
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

JB

JB

'Keyboard not detected ~ Press F1 to continue'

Baz

Quote from: JB on Aug 29, 2012, 08:54:39
How can I tell which version I have? This is a screen grab from my Firefox add-on manager:-


I'm on XP and can tell by: Control Panel > double click Java icon > in the General tab click About; the version is there.

I'm not sure but the add-ons in Firefox are just that, add-ons, and have to be disabled from the add-on manager... I think. Correct me if I'm wrong please.

Then if you go to the 'Java' tab, then the 'View' button, it will show which you have installed and if they are enabled.

I have 1.7 and 1.6 installed, both were ticked so I just unticked 1.7 for now and left 1.6 enabled.

Steve

Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

.Griff.

Quote from: Simon on Aug 31, 2012, 11:14:46
I did nothing about this, and the world hasn't ended.  I sometimes wonder if The Register is getting a little knee jerk and alarmist.

Same here. I sometimes think people like to find something to worry about.


Steve

It was widely reported on the Internet, however I would think the risk for the majority of home users was negligible. Those of us who are less fastidious with Java updates seemed also to be unaffected.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle Java, Flash and many other nuisance features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

Baz

Quote from: armadillo on Aug 31, 2012, 23:19:36
In Firefox, I use the Prefbar addon. This has a little dropdown menu that allows you to toggle Java, Flash and many other nuisance features.

I browse with java and flash turned off unless I am on some site where I feel the need to enable either of them.

But how do you tell if you need it on or off? If it's a new site you won't know how it's supposed to look, will you :dunno:

Like I said earlier, I have a work related site that I need and only noticed it displaying differently because I visit it regularly and noticed things not working.

What does Java actually do?

jezuk1

Version 7 update 7 has been released. Notes: "This releases address security concerns.  Oracle strongly recommends that all Java SE 7 users upgrade to this release."

Edit: Steve has already posted this  :D
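
Added example (not part of any post in this thread): a small Python check that sorts the version string printed by `java -version` according to the version claims made above, i.e. 1.6 and earlier not at risk, 1.7 at risk, and Version 7 update 7 as the security release. Treating update 7 as the fixing release is an assumption drawn from the release note quoted above; the sample strings are constructed.

```python
import re

# First line of `java -version` output (written to stderr), e.g.
#   java version "1.7.0_06"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')

# Assumption: "Version 7 update 7" from the thread is the fixing release.
FIXED_UPDATE = 7


def parse_java_version(text):
    """Return (major, update) from `java -version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    # A bare "1.7.0" has no "_NN" suffix and counts as update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def classify(text):
    """Classify one JRE using only the version claims made in this thread."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major <= 6:
        return "not-affected"   # quoted article: 1.6 or earlier not at risk
    if major == 7:
        return "affected" if update < FIXED_UPDATE else "updated"
    return "unknown"            # releases the thread says nothing about


# Constructed sample outputs, not captured from a real machine.
SAMPLES = [
    'java version "1.6.0_34"',
    'java version "1.7.0"',
    'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    'java version "1.7.0_07"',
    "'java' is not recognized as an internal or external command",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.splitlines()[0], "->", classify(sample))
```

With both 1.6 and 1.7 installed, as in Baz's post, each runtime has to be checked separately, since the result only describes the `java` binary that produced the output.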

Rik

Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: Baz on Sep 01, 2012, 07:32:37
But how do you tell if you need it on or off? If it's a new site you won't know how it's supposed to look, will you :dunno:

Usually it is fairly obvious. With Flash, Firefox will display a "missing plugins" box or an invitation to "install Flash" in place of the feature that uses Flash.

With Java, some sites display a warning that Java appears not to be installed. But more often, you find out because something that you click on does nothing at all or some feature which is referred to is nowhere to be seen.

Quote from: Baz on Sep 01, 2012, 07:32:37
Like I said earlier, I have a work related site that I need and only noticed it displaying differently because I visit it regularly and noticed things not working.

Exactly.

Quote from: Baz on Sep 01, 2012, 07:32:37
What does Java actually do?

It is a programming language extension that allows processes to run on your machine and potentially alter data there. In effect, it can do the same things as .exe files can. It is supposed to contain safeguards that prevent it doing malicious things but malware writers can get around those fairly easily and are well clued up to exploit weaknesses as soon as they are introduced in Java upgrades.

Common uses of Java include speed testers and also calculators in which you input some parameters and a calculation is displayed.

If you are browsing in work related sites or mainstream reputable places, you are unlikely to encounter malicious Java. I tend to know if I am browsing in potentially dangerous places but I suspect that most of the reported problems happen to people who browse obviously risky sites with all features enabled. The biggest danger is lack of commonsense and it is easy to exploit.

Rik

Quote from: armadillo
The biggest danger is lack of commonsense and it is easy to exploit.

Well put. :thumb:
Rik
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

pctech

Oh dear, think work just got tougher for me as one of the systems I support is Java based so I'll have to persuade some frightened user who has been told by their son, daughter, neighbour who 'knows about computers' that it's OK to install Java.

(deep sigh)


Niall

Ah tits, I just thought, I haven't updated my mum's laptop. Argh!

* Niall pokes off button on router

;D
Art is not a handicraft, it is the transmission of feeling the artist has experienced.
Leo Tolstoy

Gary

Seriously, if people think they browse safely (no offence to anyone) that is a mistake as I see it... no site is safe really, sites can have exploits on them without knowing until it's too late or a DNS redirect can snag you, which happened to this very site we are now on. What would have happened if that redirect had a malicious payload? Common sense helps but it's by no means a safety net anymore when exploits download with no user interaction.

Java like Flash is a vector for attack and sometimes holes in it are open for a long time. The less vulnerable you are on the net the better. Java is not needed by most, and if I need a piece of technology just to run one speed tester then I would rather not bother. More and more often Java and Flash are used as a way in now as OSes are getting harder to get through, so it's the low hanging fruit they go for.

Adobe seem to be at this time patching Flash much faster which is a blessing. I have to say I don't see the need to risk your computer, your identity and your credit ratings or your cash for a BT speed tester, if that's all you use it for. If you have programs that need it, fine, just turn it off in your browser, that's not exactly hard work. Installing Java on a computer for a person that is not tech savvy and who may never use it is pointless. If they need it fair enough but don't start drilling holes in their defences because common sense prevails and there is no need to worry... common sense often doesn't even have a chance to notice the issue until it's too late. The less plugins the better I think.

Yes the Reg love a story, but there is a moral to their sensationalism, and it's not just that site that seems to have legitimate concerns.
Damned, if you do damned if you don't

pctech

Quote from: Technical Ben on Aug 28, 2012, 20:26:23
Is Sandboxie now Win7 compatible? Was only XP last time I checked (really useful program too, especially for not breaking too much :P ).

Only program I haven't yet installed on Win 7, will do tonight and report back and it'll be a double challenge as am running 64-bit whereas my XP was 32.