US-CERT Alert (2013-01-10) : Disable Java for web browsers

 

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issued an alert last Thursday (2013-01-10) regarding a Java 7 security vulnerability. They recommend disabling Java for all browser content. For more information and instructions on how to secure your system, see the following link:

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Page 1>>

Thanks

Thanks for the info.

I've disabled java now and will watch over the next couple of days to see if I've lost any functional use of my browser.

Java

CraigW wrote:

Thanks for the info.

I've disabled java now and will watch over the next couple of days to see if I've lost any functional use of my browser.

I shut Java down in my browser this morning. Then found that I had lost the ability to navigate most of the sites I normally visit. Re-enabled Java.

Yep

that's the problem with just shutting JAVA down. rolleyes

--
Nuvi 350, 760, 1695LM, 3790LMT, 2460LMT, 3597LMTHD, DriveLuxe 50LMTHD and TomTom XXL540s, HereWeGo for Android.

Java, not JavaScript

Just to be clear, the CERT alert is about Java, not JavaScript. They are very different things. A very small percentage of websites use Java. (JavaScript, on the other hand, is used by a rather large percentage of sites.)

My Firefox had automatically

My Firefox had automatically blocked it in Oct 2012.

--
All the worlds indeed a stage and we are merely players. Rush

How do I disable Java?

I'm on Win 7. How do I disable Java?

--
Phil in Mentor, Ohio -- Garmin Nuvi 1450

Check the initial link again

VersatileGuy wrote:

Just to be clear, the CERT alert is about Java, not JavaScript. They are very different things. A very small percentage of websites use Java. (JavaScript, on the other hand, is used by a rather large percentage of sites.)

As posted in the link from the OP, the latest Java (Version 7, Update 10) has a very easy way to disable Java. And for folks using earlier Java, an update to 7,10 is probably a good idea in and of itself. So far, I haven't come across any web sites that fail to run with Java disabled.

I disabled Java on three PC (Win7-64, Win7-32, and XP). On one PC, the option to disable all Java appeared as expected. On the other two for some reason, I had to find and run javacpl.exe to get to the Security tab allowing for the easy disabling feature.

Once again, thanks, VG.

From the link

plunder wrote:

I'm on Win 7. How do I disable Java?

Solution

Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

More

Thanks, CraigW

Seems that I'm on Java 6 so I guess I should be okay.

Phil

--
Phil in Mentor, Ohio -- Garmin Nuvi 1450

look at this

plunder wrote:

I'm on Win 7. How do I disable Java?

http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java...

My Java didn't

CraigW wrote:

Check your current enabled Java, if installed:

http://java.com/en/download/installed.jsp

Disable Java:

http://java.com/en/download/help/disable_browser.xml

Install Java:

http://java.com/en/download/manual.jsp

My Java didn't look like the one in the disable link.
I had Java 7 9 so I updated to Java 7 10 and I still don't have that.??

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Me, too X2

mgarledge wrote:
CraigW wrote:

Check your current enabled Java, if installed:

http://java.com/en/download/installed.jsp

Disable Java:

http://java.com/en/download/help/disable_browser.xml

Install Java:

http://java.com/en/download/manual.jsp

My Java didn't look like the one in the disable link.
I had Java 7 9 so I updated to Java 7 10 and I still don't have that.??

Ha, I had the same issue on two of my three PCs. Apparently, it's some kind of a bug that prevents it from being easily run from the java icon in Control Panel.

The solution is to run javacpl.exe (which is probably in your computer's C:\ProgramFiles\Java\jre7\bin folder).

Run this file and you should see the appropriate Security page allowing you to uncheck "Enable Java content in the browser" and this will disable java in all browsers on your computer.

Thanks for the info

My thanks to VersatileGuy for advising us and to CraigW for providing the links.

I am Running XP SP3 with Internet Explorer 8 and Firefox V 17.01.
I checked CraigW's link and it showed nothing was installed on either IE8 or Firefox
"Check your current enabled Java, if installed:
http://java.com/en/download/installed.jsp

To double check I ran a search on XP and the file
"javacpl.exe" was not present so it appears I'm OK.

--
Nuvi 2460LMT 2 Units

To confirm

mgarledge wrote:
CraigW wrote:

Check your current enabled Java, if installed:

http://java.com/en/download/installed.jsp

Disable Java:

http://java.com/en/download/help/disable_browser.xml

Install Java:

http://java.com/en/download/manual.jsp

My Java didn't look like the one in the disable link.
I had Java 7 9 so I updated to Java 7 10 and I still don't have that.??

Once you've disabled Java in all browsers, you can confirm it by clicking the big red "Verify Java version" button in:

http://java.com/en/download/installed.jsp

and receiving a message stating "No working Java was detected on your system. Install Java by clicking the button below."

And to beat a dead horse, ...

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

Other options--

Run a different browser than IE, such as Chrome or Firefox.

With Firefox, adding NoScript and AdBlock Plus lets you control java/javascript use by websites as well as cross-scripting and other attacks (NoScript), and filters out ads and other nasties (AdBlock Plus).

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows

Are you saying

CraigW wrote:

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

Are you saying that Verison 7 update 10 is ok?

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Thanks

Thanks for all the help

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

No

mgarledge wrote:
CraigW wrote:

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

Are you saying that Verison 7 update 10 is ok?

No, we're hearing that v7u10 is still to be disabled according to CERT and many tech web sites this week.

But besides the issue now present that brought this big warning, earlier versions of Java had other security issues--and for folks still using the older versions, these other older security issues remain.

(bleep) Acronyms

In my life, CERT = Community Emergency Response Team.

Stupid government...

--
*Keith* MacBook Pro *wifi iPad(2012) w/BadElf GPS & iPhone6 + Navigon*

Suggested reading

Thanks

Thanks.

Given what I've read there, rather than just disabling Java, I'm going to uninstall it and see how things work without it.

Thanks CrigW

CraigW wrote:
mgarledge wrote:
CraigW wrote:

Check your current enabled Java, if installed:

http://java.com/en/download/installed.jsp

Disable Java:

http://java.com/en/download/help/disable_browser.xml

Install Java:

http://java.com/en/download/manual.jsp

My Java didn't look like the one in the disable link.
I had Java 7 9 so I updated to Java 7 10 and I still don't have that.??

Ha, I had the same issue on two of my three PCs. Apparently, it's some kind of a bug that prevents it from being easily run from the java icon in Control Panel.

The solution is to run javacpl.exe (which is probably in your computer's C:\ProgramFiles\Java\jre7\bin folder).

Run this file and you should see the appropriate Security page allowing you to uncheck "Enable Java content in the browser" and this will disable java in all browsers on your computer.

This worked.
How will we know when there is a fix for Java?
Thank you very much. Nice to have all of this information on here.

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

How do I disable Java 6?

CraigW wrote:

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

How do I disable (not uninstall) Java 6? The examples all show Java 7.

Phil

--
Phil in Mentor, Ohio -- Garmin Nuvi 1450

This is interesting

I took a look at my computer and played with the different links that are listed here. I wanted to see what I had and how correctly things were displayed.

The "check this version" states that there are no versions installed.

The Java control link in control panel shows I have version 7 update 10. That is confirmed in the add/ remove control panel. That makes no sense. I then unchecked the "disable in all browsers".

I also used a program called javara to get rid of all old versions. It will get rid of all old versions and keep the latest.
Javara is here: http://sourceforge.net/projects/javara/

Bottom line is that you may think you don't have any installed, but you are being lied to. I would also recommend you check in the add/remove programs.

This is on a XP pro with SP3.

--
Nuvi 2460LMT.

Me too!

Me too!

you can't

plunder wrote:
CraigW wrote:

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

How do I disable (not uninstall) Java 6? The examples all show Java 7.

Phil

From the way I understand the article you can not disable any version of Java except the latest version, 7.10

You'd have to uninstall version 6, install version 7.10 then disable java.

--
. Nuvi 2689, two Nuvi 2460, Zumo 550, Zumo 450, Uniden R3 radar detector with GPS built in, includes RLC info. Uconnect 430N, Garmin, built into my Jeep. .

Update will be coming out shortly

--
Nüvi 255WT with nüMaps Lifetime North America born on 602117815 / Nüvi 3597LMTHD born on 805972514 / I love Friday’s except when I’m on holidays ~ canuk

Re: Update will be coming out shortly

canuk wrote:

http://www.pcworld.com/article/2025171/oracle-says-java-update-coming-tuesday.html

That's good news. I have seen some blog posts saying that Oracle intended to release a patch sometime in mid-February. Maybe the US-CERT advisory and the attendant publicity got them moving a bit faster.

Alphabet Soup

kch50428 wrote:

In my life, CERT = Community Emergency Response Team.

Stupid government...

I'm afraid that I must accept some of the blame since I was sloppy in choosing the original title for this thread. US-CERT is run by DHS. The CERT Program is run by the Software Engineering Program at CMU.

CAM? ITS.

("Clear As Mud? I Thought So.")

Uninstall Java 6?

soberbyker wrote:
plunder wrote:
CraigW wrote:

...it's strongly recommended that older versions (currently, pre-version 7, Update 10) be uninstalled:

http://java.com/en/download/faq/remove_olderversions.xml

How do I disable (not uninstall) Java 6? The examples all show Java 7.

Phil

From the way I understand the article you can not disable any version of Java except the latest version, 7.10

You'd have to uninstall version 6, install version 7.10 then disable java.

Thanks, soberbyker, that's exactly the precise answer I was looking for.

Phil

--
Phil in Mentor, Ohio -- Garmin Nuvi 1450

~

VersatileGuy wrote:
kch50428 wrote:

In my life, CERT = Community Emergency Response Team.

Stupid government...

I'm afraid that I must accept some of the blame since I was sloppy in choosing the original title for this thread. US-CERT is run by DHS. The CERT Program is run by the Software Engineering Program at CMU.

CAM? ITS.

("Clear As Mud? I Thought So.")

Government needs an agency to oversee acronyms to prevent duplication/confusion. smile

--
*Keith* MacBook Pro *wifi iPad(2012) w/BadElf GPS & iPhone6 + Navigon*

Even Better...

kch50428 wrote:

Government needs an agency to oversee acronyms to prevent duplication/confusion. smile

What would be even better would be multiple overlapping agencies, e.g., one in each of...

- the Department of Commerce,

- the Department of Homeland Security,

- the Department of Defense (man, they would have a field day!)

- etc.

...and they could all be coordinated by the Department of Redundancy Department. grin

Acronyms

When using acronyms I try to always follow one with its full definition the first time it is used. Other wise I get confused myself. redface

Java SE 7 Update 11 plugs security hole.

Java SE 7 Update 11 is available on the Java website and addresses the security vulnerability.

Java SE 7 Update 11 Released:
https://blogs.oracle.com/java/entry/java_vulnerabilities_add...

--
Zumo 550 & Zumo 665 My alarm clock is sunshine on chrome.

Good to know

dave817 wrote:

Java SE 7 Update 11 is available on the Java website and addresses the security vulnerability.

Java SE 7 Update 11 Released:
https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed

It's good to know there's now a fix.

But for now, I've uninstalled my Java and haven't seen anything not working, so I won't install the new version unless I find that I need it.

I tried looking but didn't find any list. Does anyone know what common web sites or software requires Java (not javascript) to work?

I'm also trying to remember--does Java pretty much come on Windows PCs or did I think I needed it and therefore manually installed it to my PCs at some point in the distant past?

Remove?

I am very reluctant to follow any advice given by your "Homeland" agency.

I have yet to see any adverse effects on my laptop, but then I am using "Firefox" and NOT Internet Explorer.

They also advise against travel to and into Mexico. I, as well as hundreds of thousands people spend their winters or vacations in Mexico without any incidents.
I have been in Mexico since October the 29th.

--
Nuvi 350 long gone, Nuvi 855LMT Retired now, Nuvi 2797LMT, SmartDrive 50 LMT-HD, 3790LMT now my daughters. Using Windows 10. DashCam A108C with GPS.

.

CraigW wrote:

I tried looking but didn't find any list. Does anyone know what common web sites or software requires Java (not javascript) to work?

There's a list of "Popular sites using Java" at...

http://w3techs.com/technologies/details/pl-java/all/all

...but that list includes LinkedIn.com and PayPal.com -- both of which I use -- so I don't fully believe it. It may be that those sites used to use Java, or perhaps they have specific features that can use Java if it is available, but it certainly doesn't seem to be an absolute requirement.

CraigW wrote:

I'm also trying to remember--does Java pretty much come on Windows PCs or did I think I needed it and therefore manually installed it to my PCs at some point in the distant past?

Plain installs of Windows do not include Java. IIRC, years ago Microsoft used to bundle its own version of Java with IE but (mercifully) that stopped.

Beware

Beware

--
A GPS can take you where You want to go but never where you WANT to be.

.

Melaqueman wrote:

I am very reluctant to follow any advice given by your "Homeland" agency.

Suit yourself, I guess. BTW, it's not my "'Homeland' agency"; I'm a Canadian too.

Melaqueman wrote:

They also advise against travel to and into Mexico. I, as well as hundreds of thousands people spend their winters or vacations in Mexico without any incidents.
I have been in Mexico since October the 29th.

The U.S. Department of State (not DHS) has issued warnings about travel to certain areas of Mexico, but so has the Government of Canada. Some parts of Mexico are very dangerous places right now.

Experts say new Java update does *NOT* solve the many problems

dave817 wrote:

Java SE 7 Update 11 is available on the Java website and addresses the security vulnerability.

Java SE 7 Update 11 Released:
https://blogs.oracle.com/java/entry/java_vulnerabilities_addressed

NOT TRUE! It only addresses two of the many vulnerabilities, and experts still advise removing Java from your system despite this update:
http://www.msnbc.msn.com/id/50453720#.UPQRZoaKWSo

One effective way to remove all versions of Java from your system is to go to Control Panel in Start and Add or Remove Programs and nuke each version of Java from there.

Then open each web browser you use and go to http://javatester.org/version.html and make sure it does not show Java as still working.

--
JMoo On

Thanks

VersatileGuy wrote:
CraigW wrote:

I tried looking but didn't find any list. Does anyone know what common web sites or software requires Java (not javascript) to work?

There's a list of "Popular sites using Java" at...

http://w3techs.com/technologies/details/pl-java/all/all

...but that list includes LinkedIn.com and PayPal.com -- both of which I use -- so I don't fully believe it...

Thanks. I agree with you. I routinely use three sites listed as Popular sites using Java and all work fine with Java fully uninstalled.

Rev 11

Rev 11 is out today.

Java, MS...

New stuff from Oracle on Java, but as others have said, if you don't need it, don't install it.

Also an update from Microsoft fixing some current issues with one of their programs, explorer or some such.

--
Nuvi 2460, 680, DATUM Tymserve 2100, Trimble Thunderbolt, Ham radio, Macintosh, Linux, Windows

Off the original question

Melaqueman wrote:

I am very reluctant to follow any advice given by your "Homeland" agency.

I have yet to see any adverse effects on my laptop, but then I am using "Firefox" and NOT Internet Explorer.

They also advise against travel to and into Mexico. I, as well as hundreds of thousands people spend their winters or vacations in Mexico without any incidents.
I have been in Mexico since October the 29th.

We would love to go to Mexico again some day but have been told not to.
Where in Mexico do you go and how safe is it?
Thanks

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

E-Bay

I use e-bay a lot. I went to my account and see everything.
Has anyone tried to buy somehting since they disabled Java and did it work?

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Pay pal

Also logged into Pay pal and it worked also.

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

It should be fixed soon, too

It should be fixed soon, too bad SUN MS doesn't see the need to rush so who knows. IE is always going to be a target, I rarely use it. Stick with Firefox or Chrome.

Problem installing JRE7u11

If you have a problem installing 7u11, uninstall (using add/remove programs) the old JavaFX. It's obsolete and useless and interferes with the new plugin installation.

Page 1>>