Security threat for Java whether Windows, Apple, or Linux!

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#1 Post by GomJabbar » Sat Jan 12, 2013 6:54 am

DKB

RealBlackStuff
Admin
Posts: 17495
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Security threat for Java whether Windows, Apple, or Linux!

#2 Post by RealBlackStuff » Sat Jan 12, 2013 7:43 am

Important addition: the above is about JAVA, and NOT about javascript!

EDIT: I uninstalled all I could find on my PC (running XP-pro/SP3): Java FX, Java 6 and Java 7.
It was not enabled on Firefox and I never use IE, so I doubt if I will notice any impact.
Last edited by RealBlackStuff on Sat Jan 12, 2013 9:26 am, edited 1 time in total.
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

wolfman
Senior Member
Posts: 837
Joined: Sat Jun 19, 2004 8:40 pm
Location: Pine Grove, PA

Re: Security threat for Java whether Windows, Apple, or Linux!

#3 Post by wolfman » Sat Jan 12, 2013 8:47 am

It looks like all versions of Oracle Java 7 up through Oracle Java 7 update 10... I didn't see that previous (e.g., Java 6, etc.) versions were affected nor mention of alternative JVMs (many Linux distributions ship with alternative JVMs)... That said, thanks for sharing this as I'm positive it impacts my work workstation. :(
Thinkpad T420 | Core i-5 2520M | 16gb RAM | 120gb Intel 520 SSD + 750gb 7200 RPM | 6300 N | Ubuntu 12.04 x64
Desktop: AMD FX-8350 (8 cores) | 32gb ECC RAM | 240gb Intel 530 SSD + 1tb 7200 RPM | Ubuntu 14.04 x64 | HP ZR24w
Previous Thinkpads: A21m, R40, X61, T410

emeraldgirl08
ThinkPadder
Posts: 1759
Joined: Sun Mar 01, 2009 6:59 pm
Location: Window Rock, Arizona

Re: Security threat for Java whether Windows, Apple, or Linux!

#4 Post by emeraldgirl08 » Sat Jan 12, 2013 8:42 pm

Well this is slightly confusing. What happens when we get the yellow bar on top of FF indicating that we need a Java plug-in to view the page content? I am going to completely uninstall Java from my X200T and my T400 tonight before I go to sleep. I wonder if any specific problems have come about as a result of the Java exploits?
Thinkpad X230 | Lenovo Yoga Tablet 2 | mATX Haswell Desktop

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Security threat for Java whether Windows, Apple, or Linux!

#5 Post by GomJabbar » Sat Jan 12, 2013 10:08 pm

Regarding Firefox (and other Mozilla-based browsers):
From the dragon's mouth, so to speak.
mozilla.org wrote:
Issue
Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

Impact
An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.
http://blog.mozilla.org/security/

More info regarding Java security issues:
http://www.sophos.com/en-us/security-ne ... urity.aspx

http://www.f-secure.com/en/web/labs_glo ... va-plugins

Personally I am going to try and live without Java and see how it goes. Don't know presently if any of the web sites I frequent really require Java or not. I uninstalled Java this morning.
DKB

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Security threat for Java whether Windows, Apple, or Linux!

#6 Post by loyukfai » Sun Jan 13, 2013 1:34 am

Just un-install it (or at least, disable the browser plug-in) already, if you don't have a mandatory need of it.

Flash has seen lots of exploits, but Adobe and co. have done enough to update it fast enough. The same cannot be said of Oracle.

Unfortunately, some governments and businesses require the use of the Java browser plug-in. In that case, a white-list could be used.

Cheers.

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Security threat for Java whether Windows, Apple, or Linux!

#7 Post by GomJabbar » Sun Jan 13, 2013 7:24 am

Some more interesting info regarding Java that I ran across.
Michael Horowitz of Computer World wrote:
The current Java flaw boils down to this: view a web page, get infected with a virus.

On Windows, it's worse than that. US-CERT warns that "applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability".

So while Mac users have to click a link in an email to visit a malicious web page, there is a chance that Windows users running Outlook can get infected just by reading their email. The security section of Microsoft's website has nothing about the latest Java flaw. I tried to contact Microsoft about this. If I hear back, I'll update this topic.
http://blogs.computerworld.com/cybercri ... sible-java

I just removed the Java web browser support in my Linux installations. For two of those installations, this only required the removal of "icedtea". I verified that Java couldn't run by pointing my browser to a couple of webpages that test Java (found with Google). On Arch, I didn't have "icedtea" installed, but had to uninstall about 4 other packages instead.
DKB

TTY
Senior Member
Posts: 527
Joined: Tue Aug 28, 2007 7:39 pm
Location: graz, austria

Re: Security threat for Java whether Windows, Apple, or Linux!

#8 Post by TTY » Sun Jan 13, 2013 9:28 pm

Oracle has released Java version 7 update 11. On my computer, which runs Vista x86, it works with IE9 and Safari 5.1.7, but not with Opera 12.12, Firefox 18.0 or Chrome 24.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Security threat for Java whether Windows, Apple, or Linux!

#9 Post by ThinkRob » Sun Jan 13, 2013 10:29 pm

RealBlackStuff wrote:
Important addition: the above is about JAVA, and NOT about javascript!

It's also not even about Java, but about the Java plug-in.

You don't need to uninstall Java.

Just disable the plugin and you're all set.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Code:

Current laptop: X1 Carbon 3
Current workstation: none

RealBlackStuff
Admin
Posts: 17495
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Security threat for Java whether Windows, Apple, or Linux!

#10 Post by RealBlackStuff » Mon Jan 14, 2013 11:52 am

Here is an illustrated quick link on how to disable JAVA for different browsers and OS: http://www.zdnet.com/how-to-disable-jav ... 000009732/
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

Radioguy
ThinkPadder
Posts: 1101
Joined: Fri Feb 29, 2008 2:45 pm
Location: Brooklyn, New York

Re: Security threat for Java whether Windows, Apple, or Linux!

#11 Post by Radioguy » Mon Jan 14, 2013 1:21 pm

So...it would seem 7/11 contains an early release of the plugin build touted to fix the hole. No need for any disabling now, yes?
  • T61 - 6465CTO - T9500 - 15.4" LG WSXGA+ - 8GB OCZ- 120GB EVO 850 SSD - X3100 - Win 8.1 Pro 64-bit
    X301 - 2774W8Q - U9400 - 13.3" BOEHYDIS WXGA - 8GB Elpida - 128GB C400 mSATA SSD - 4500MHD - Win 10 Pro 64-Bit

RealBlackStuff
Admin
Posts: 17495
Joined: Mon Sep 18, 2006 5:17 am
Location: Mt. Cobb, PA USA

Re: Security threat for Java whether Windows, Apple, or Linux!

#12 Post by RealBlackStuff » Mon Jan 14, 2013 5:28 pm

I would disable it, regardless.
http://www.zdnet.com/homeland-security- ... s_cid=e589

It is also said that it might take up to two years to fix all that is rotten in JAVA! :help:
http://www.zdnet.com/security-experts-o ... s_cid=e589
Lovely day for a Guinness! (The Real Black Stuff)

Check out The Boardroom for Parts, Mods and Other Services.

Radioguy
ThinkPadder
Posts: 1101
Joined: Fri Feb 29, 2008 2:45 pm
Location: Brooklyn, New York

Re: Security threat for Java whether Windows, Apple, or Linux!

#13 Post by Radioguy » Mon Jan 14, 2013 5:51 pm

Gah! Well, it's done. I feel like uninstalling the whole thing now, though.
  • T61 - 6465CTO - T9500 - 15.4" LG WSXGA+ - 8GB OCZ- 120GB EVO 850 SSD - X3100 - Win 8.1 Pro 64-bit
    X301 - 2774W8Q - U9400 - 13.3" BOEHYDIS WXGA - 8GB Elpida - 128GB C400 mSATA SSD - 4500MHD - Win 10 Pro 64-Bit

BillP
Sophomore Member
Posts: 143
Joined: Mon Jul 23, 2007 4:04 pm
Location: Woodstock, NY

Re: Security threat for Java whether Windows, Apple, or Linux!

#14 Post by BillP » Mon Jan 14, 2013 6:23 pm

Radioguy wrote:
Gah! Well, it's done. I feel like uninstalling the whole thing now, though.

That's what I did two days ago. So far no ill effects.
ThinkPad T60 1951-43U (with many upgrades)

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Security threat for Java whether Windows, Apple, or Linux!

#15 Post by ThinkRob » Mon Jan 14, 2013 9:39 pm

RealBlackStuff wrote:
It is also said that it might take up to two years to fix all that is rotten in JAVA! :help:
http://www.zdnet.com/security-experts-o ... s_cid=e589

As somebody whose job is writing and maintaining software in Java, take it from me when I say that this guy -- assuming he's quoted accurately -- doesn't have a clue what he's talking about.

He's failing to distinguish between Java the language, Java the library, and the JVM.

Also, where did he get the "two years" figure? From extensive studies of... nothing. He simply seems to have stated it with pretty much zero supporting evidence.

The Java browser plugin is relatively useless for most people. I'd agree that they should disable it. But the rest of the Java runtime? As far as I see there's no reason to ditch it (other than failing to distinguish between it and the plugin, as many sites have...)
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Code:

Current laptop: X1 Carbon 3
Current workstation: none

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

Re: Security threat for Java whether Windows, Apple, or Linux!

#16 Post by GomJabbar » Tue Jan 15, 2013 3:36 am

ThinkRob wrote:
The Java browser plugin is relatively useless for most people. I'd agree that they should disable it. But the rest of the Java runtime? As far as I see there's no reason to ditch it (other than failing to distinguish between it and the plugin, as many sites have...)

This seems to jibe with what 2 reputable sites have said (quotes below from links in post #5).

Sophos wrote:
Many users today have little or no need for browser-based Java programs, known as applets. JavaScript and other technologies have largely taken over from applets inside the browser. Unless you genuinely need, and know you need, Java in your browser, Sophos recommends that you turn it off.

F-Secure wrote:
In recent years, the Java development platform has become a favored target for hackers, leading to a growing list of Java-specific vulnerabilities being discovered and exploited by various malware.

As such, many security researchers and national computer security organizations caution users to limit their usage of the Java Runtime Environment (JRE), unless required for business reasons, or to remove it entirely, including disabling Java plug-ins in web browsers.
DKB

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Security threat for Java whether Windows, Apple, or Linux!

#17 Post by loyukfai » Tue Jan 15, 2013 1:39 pm

The issue is that many people don't need the JRE on their desktops at all. So why not un-install it...?

Cheers.

Johan
Moderator1
Posts: 1977
Joined: Mon Mar 07, 2005 2:00 pm
Location: Copenhagen, Denmark

Re: Security threat for Java whether Windows, Apple, or Linux!

#18 Post by Johan » Tue Jan 15, 2013 4:13 pm

TTY wrote:
Oracle has released Java version 7 update 11. On my computer, which runs Vista x86, it works with IE9 and Safari 5.1.7, but not with Opera 12.12, Firefox 18.0 or Chrome 24.

I am using Firefox 18.0 under Windows 7, and after updating to the most recent Java (Ver. 7, Update 11, issued Jan. 13, 2013), I lost the ability to run Java in Firefox (here in Denmark, Java is used for e.g. homebanking access via the internet, by all banks). After messing with this issue I found the cause and cure as described in the page Java Platform add-on is not showing in the Add-ons manager | Firefox Support Forum | Mozilla Support where the following fix is described:

Code:

In HKEY_LOCAL_MACHINE/SOFTWARE/MozillaPlugins, a new branch with the name @java.com/JavaPlugin,version=10.11.2 needs to be created, with the following 7 keys:

(Default)    REG_SZ     (value not set)
Description  REG_SZ     Oracle® Next Generation Java™ Plug-In
GeckoVersion REG_SZ     1.9
Path         REG_SZ     C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
ProductName  REG_SZ     Oracle® Java™ Plug-In
Vendor       REG_SZ     Oracle Corp.
Version      REG_SZ     1.7.0_11

There's a bug reported to Sun (Oracle Corp.) here who will fix this issue in subsequent updates of Java.

PS: Red highlighting in quoted text added by me.

Johan
IBM T42p's (2373-Q1U & -Q2U): 2.1 GHz, 15" UXGA FlexView, 2 GB RAM, 128 MB FireGL T2, 128 GB 1.8" SATA SSD, IBM a/b/g, BT, Win 7 Ultimate
IBM T42 (2373-N1G): 1.8 GHz, 15" SXGA+ FlexView, 2 GB RAM, 64 MB Radeon 9600, 64 GB 1.8" SATA SSD, IBM a/b/g, BT, Win 7 Ultimate
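
An audit for the registry entry described in post #18, added here as an example and not part of the thread: it parses the text output of `reg query HKLM\SOFTWARE\MozillaPlugins /s`, lists Java plug-in registrations, and marks Java 7 versions below update 11 (the range the thread reports as affected). The sample output, the `version=10.10.2` key and the `@example.test` key are constructed.

```python
import re

# Constructed sample of `reg query HKLM\SOFTWARE\MozillaPlugins /s` output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=10.11.2
    Path    REG_SZ    C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
    Version    REG_SZ    1.7.0_11

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=10.10.2
    Path    REG_SZ    C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
    Version    REG_SZ    1.7.0_10

HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@example.test/OtherPlugin
    Path    REG_SZ    C:\Program Files\Other\npother.dll
"""

VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")
JAVA7_RE = re.compile(r"^1\.7\.0(?:_(\d+))?$")
FIXED_UPDATE = 11  # assumption taken from the thread: Java 7 through update 10 affected

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def audit_java_plugins(text):
    """List (plugin_id, version, dll_path, status) for each Java plug-in key."""
    findings = []
    for key, values in parse_reg_query(text).items():
        plugin_id = key.rsplit("\\", 1)[-1]  # the '/' in the id is not a separator
        if not plugin_id.lower().startswith("@java.com/javaplugin"):
            continue
        version = values.get("Version", "")
        m = JAVA7_RE.match(version)
        if not m:
            status = "unknown"  # missing Version value or not a Java 7 string
        elif int(m.group(1) or 0) < FIXED_UPDATE:
            status = "affected"
        else:
            status = "updated"
        findings.append((plugin_id, version, values.get("Path", ""), status))
    return findings
```

Any row returned means the plug-in is registered with Firefox; an empty list is the result to expect on a machine where the plug-in was removed as several posters recommend.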
