Security threat for Java whether Windows, Apple, or Linux!

[GomJabbar]

Advised to disable or uninstall Java of all versions up through Java 7, update 10.

http://www.mercurynews.com/business/ci_ ... =inthenews

http://www.consumeraffairs.com/news/hom ... 11213.html

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

[RealBlackStuff]

Important addition: the above is about JAVA, and NOT about javascript!

EDIT: I uninstalled all I could find on my PC (running XP-pro/SP3): Java FX, Java 6 and Java 7.
It was not enabled on Firefox and I never use IE, so I doubt if I will notice any impact.

[wolfman]

It looks like all versions of Oracle Java 7 up through Oracle Java 7 update 10... I didn't see that previous (e.g., Java 6, etc) versions were affected nor mention of alternative JVM's (many linux distributions ship with alternative JVM's)... That said, thanks for sharing this as I'm positive it impacts my work workstation.

[emeraldgirl08]

Well this is slightly confusing. What happens when we get the yellow bar on top of FF indicating that we need a Java plug-in to view the page content? I am going to completely uninstall Java from my X200T and my T400 tonight before I go to sleep. I wonder if any specific problems have come about as a result of the Java exploits?

[GomJabbar]

Regarding Firefox (and other Mozilla-based browsers):
From the dragon's mouth, so to speak.

Issue
Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

Impact
An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

http://blog.mozilla.org/security/

More info regarding Java security issues:
http://www.sophos.com/en-us/security-ne ... urity.aspx

http://www.f-secure.com/en/web/labs_glo ... va-plugins

Personally I am going to try and live without Java and see how it goes. Don't know presently if any of the web sites I frequent, really require Java or not. I uninstalled Java this morning.

[loyukfai]

Just un-install it (or at least, disable the browser plug-in) already, if you don't have a mandatory need of it.

Flash has seen lots of exploits, but Adobe and co. have done enough to update it fast enough. The same cannot be said of Oracle.

Unfortunately, some governments and businesses require the use of the Java browser plug-in. In that case, a white-list could be used.

Cheers.

[GomJabbar]

Some more interesting info regarding Java that I ran across.

The current Java flaw boils down to this: view a web page, get infected with a virus.

On Windows, it's worse than that. US-CERT warns that "applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability".

So while Mac users have to click a link in an email to visit a malicious web page, there is a chance that Windows users running Outlook can get infected just by reading their email. The security section of Microsoft's website has nothing about the latest Java flaw. I tried to contact Microsoft about this. If I hear back, I'll update this topic.

http://blogs.computerworld.com/cybercri ... sible-java

I just removed the Java web browser support in my Linux installations. For two of those installations, this only required the removal of "icedtea". I verified that Java couldn't run by pointing my browser to a couple of webpages that test Java (found with Google). On Arch, I didn't have "icedtea" installed, but had to uninstall about 4 other packages instead.

[TTY]

Oracle has released Java version 7 update 11. On my computer, which runs Vista x86, it works with IE9 and Safari 5.1.7, but not with Opera 12.12, Firefox 18.0 or Chrome 24.

[ThinkRob]

Important addition: the above is about JAVA, and NOT about javascript!

It's also not even about Java, but about the Java plug in.

You don't need to uninstall Java.

Just disable the plugin and you're all set.

[RealBlackStuff]

Here is an illustrated quick link on how to disable JAVA for different browsers and OS: http://www.zdnet.com/how-to-disable-jav ... 000009732/

[Radioguy]

So...it would seem 7/11 contains an early release of the plugin build touted to fix the hole. No need for any disabling now, yes?

[RealBlackStuff]

I would disable it, regardless.
http://www.zdnet.com/homeland-security- ... s_cid=e589

It is also said that it might take up to two years to fix all that is rotten in JAVA!
http://www.zdnet.com/security-experts-o ... s_cid=e589

[Radioguy]

Gah! Well, it's done. I feel like uninstalling the whole thing now, though.

[BillP]

Gah! Well, it's done. I feel like uninstalling the whole thing now, though.

That's what I did two days ago. So far no ill effects.

[ThinkRob]

It is also said that it might take up to two years to fix all that is rotten in JAVA!
http://www.zdnet.com/security-experts-o ... s_cid=e589

As somebody whose job is writing and maintaining software in Java, take it from me when I say that this guy -- assuming he's quoted accurately -- doesn't have a clue what he's talking about.

He's failing to distinguish between Java the language, Java the library, and the JVM.

Also, where did he get the "two years" figure? From extensive studies of... nothing. He simply seems to have stated it with pretty much zero supporting evidence.

The Java browser plugin is relatively useless for most people. I'd agree that they should disable it. But the rest of the Java runtime? As far as I see there's no reason to ditch it (other than failing to distinguish between it and the plugin, as many sites have...)

[GomJabbar]

The Java browser plugin is relatively useless for most people. I'd agree that they should disable it. But the rest of the Java runtime? As far as I see there's no reason to ditch it (other than failing to distinguish between it and the plugin, as many sites have...)

This seems to jive with what 2 reputable sites have said (quotes below from links in post #5).

Many users today have little or no need for browser-based Java programs, known as applets. JavaScript and other technologies have largely taken over from applets inside the browser. Unless you genuinely need, and know you need, Java in your browser, Sophos recommends that you turn it off.

In recent years, the Java development platform has become a favored target for hackers, leading to a growing list of Java-specific vulnerabilities being discovered and exploited by various malware.

As such, many security researchers and national computer security organizations caution users to limit their usage of the Java Runtime Environment (JRE), unless required for business reasons, or to remove it entirely, including disabling Java plug-ins in web browsers.

[loyukfai]

The issue is that, many people don't need the JRE on their desktops at all. So why not un-install it...?

Cheers.

[Johan]

Oracle has released Java version 7 update 11. On my computer, which runs Vista x86, it works with IE9 and Safari 5.1.7, but not with Opera 12.12, Firefox 18.0 or Chrome 24.

I am using Firefox 18.0 under Windows 7, and after updating to the most recent Java (Ver. 7, Update 11, issued Jan. 13, 2013), I lost the ability to run Java in Firefox (here in Denmark, Java is used for e.g. homebanking access via the internet, by all banks). After messing with this issue I found the cause and cure as described in the page Java Platform add-on is not showing in the Add-ons manager | Firefox Support Forum | Mozilla Support where the following fix is described:

Code: Select all

In HKEY_LOCAL_MACHINE/SOFTWARE/MozillaPlugins, a new branch with the name @java.com/JavaPlugin,version=10.11.2 needs to be created, with the following 7 keys:

(Default)    REG_SZ     (value not set)
Description  REG_SZ     Oracle® Next Generation Java™ Plug-In
GeckoVersion REG_SZ     1.9
Path         REG_SZ     C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll
ProductName  REG_SZ     Oracle® Java™ Plug-In
Vendor       REG_SZ     Oracle Corp.
Version      REG_SZ     1.7.0_11 

There's a bug reported to Sun (Oracle Corp.) here who will fix this issue in subsequent updates of Java.

PS: Red highlightning in quoted text added by me.

Johan