US-CERT Alert (2013-01-10): Disable Java for web browsers

 

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issued an alert last Thursday (2013-01-10) regarding a Java 7 security vulnerability. They recommend disabling Java for all browser content. For more information and instructions on how to secure your system, see the following link:

http://www.us-cert.gov/cas/techalerts/TA13-010A.html


.

VersatileGuy wrote:
CraigW wrote:

I tried looking but didn't find any list. Does anyone know what common web sites or software requires Java (not javascript) to work?

There's a list of "Popular sites using Java" at...

http://w3techs.com/technologies/details/pl-java/all/all

...but that list includes LinkedIn.com and PayPal.com -- both of which I use -- so I don't fully believe it. It may be that those sites used to use Java, or perhaps they have specific features that can use Java if it is available, but it certainly doesn't seem to be an absolute requirement.

Java is used on the server side (Apache web servers), but the JRE (Java Runtime Environment), the one we're talking about in this thread, isn't required on the client side (our computers). You will see no difference with or without the JRE installed on your PC.

.

chewbacca wrote:

Java is used on the server side

Aha, okay. Thanks for the clarification.

Update #11 fixes all

Update #11 fixes all security holes:

download it here:
http://www.java.com/en/download/index.jsp

.

gadget_man wrote:

Update #11 fixes all security holes:

download it here:
http://www.java.com/en/download/index.jsp

I'm not sure update 11 contains the so-called "fix". Oracle says: "Default Security Level Setting Changed to High".

Sounds like that is all they did. They didn't seem to address the bug. Instead, they added an extra step to prevent silent exploit.

All I see is a warning like the following:

Do you want to run this application?
An application from the location below is requesting permission to run.
Location: http://www.java.com/en/download/installed.jsp?detect=jre

Click Cancel to stop this app or Run to allow it to continue.

I can't rely on end users to answer properly (click Run or Cancel).

Downloaded & Installed

I downloaded & installed 7 update 11 today.

One cannot be sure that it closes ALL the doors that should be. Given that, I've kept Java off on my XP Pro version for a few days until we hear that the problems have dematerialized. If so, then I'll turn it on once again.

Fred

Do we really need Java?

VersatileGuy wrote:

Just to be clear, the CERT alert is about Java, not JavaScript. They are very different things. A very small percentage of websites use Java. (JavaScript, on the other hand, is used by a rather large percentage of sites.)

I have not had Java installed on my computer for several years already. And I don't see any problem visiting almost all websites, and I don't run into problems running applications either.

Ideally, I think anything

Ideally, I think anything that compromises our PCs should be automatically sent to our desktop as a popup or something. Too much for everyone to note which software has a loophole for bypassing security.

Only 7?

My IE has Java 6, not 7. Not sure if that matters. Chrome doesn't have Java plugin.

--
><> Glenn <>< Garmin nüvi 2598

.

gdfaini wrote:

My IE has Java 6, not 7. Not sure if that matters. Chrome doesn't have Java plugin.

The vulnerability affects Oracle Java 7 (all updates). As far as I know, Java 6 is not affected, but if you use the Firefox browser, all flavors of Java 6 (up to update 38) have been blocked (or disabled) automatically by Firefox. Java 6 has its own problem, which is not related to the problem posted in this thread. I don't use Chrome so I can't comment on it.

.

team.rocket wrote:

Ideally, I think anything that compromises our PCs should be automatically sent to our desktop as a popup or something. Too much for everyone to note which software has a loophole for bypassing security.

Not everyone can tell the difference between fake and real warnings. Ever heard of Antivirus 2010, 2011, 2012 pop-ups? Most users would happily click "Yes, please scan my computer", which really means "Yes, please infect my computer".

From Oracle

More information from Oracle can be found here:

https://blogs.oracle.com/security/entry/january_2013_critica...

--
Tampa, FL - Garmin nüvi 660 (Software Ver 4.90), 2019.30 CN NA NT maps | Magellan Meridian Gold

Norton Protection

Norton Internet Security products claim to have this covered already.

Quote:

You may have recently seen some of the extensive news coverage, including statements from the United States Department of Homeland Security, regarding a vulnerability in Java. Java is both a language and a platform to run websites and programs used by many computer users, both on the PC and Mac operating systems. This vulnerability leaves millions of computers open to malware attacks and can lure online traffic to virus-infected websites.
Rest assured, because you have a Norton security software product installed on your computer, you’re protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature.
We also recommend that you apply Oracle’s recently released security patch and make sure you are running the most updated version of Java.

Two new flaws found

Two new flaws found:
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,”

https://threatpost.com/en_us/blogs/latest-java-update-broken...

I woke up this morning and signed in to Oanda.com (forex trading site) that relies on Java Runtime. Couldn't run any trading interface because Firefox blocked Java 7 Update 11 plugin. I had to manually click Enable to get it to run.

Wish I could get rid of Java completely. I'm tired of updating it at work. I'm not even done updating Java 7 Update 11, and new flaws have already been discovered.

Java (or Oracle) is making Microsoft look very good today. All attacks are directed towards Java or Adobe Flash these days.

Norton

johnc wrote:

Norton Internet Security products claim to have this covered already.

Quote:

You may have recently seen some of the extensive news coverage, including statements from the United States Department of Homeland Security, regarding a vulnerability in Java. Java is both a language and a platform to run websites and programs used by many computer users, both on the PC and Mac operating systems. This vulnerability leaves millions of computers open to malware attacks and can lure online traffic to virus-infected websites.
Rest assured, because you have a Norton security software product installed on your computer, you’re protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature.
We also recommend that you apply Oracle’s recently released security patch and make sure you are running the most updated version of Java.

Since I use Norton, I got the same email. I've upgraded both my PCs to Java 7 Update 11 and let it run. There is only one website I visit that uses Java.

--
Tampa, FL - Garmin nüvi 660 (Software Ver 4.90), 2019.30 CN NA NT maps | Magellan Meridian Gold

Are we...

having (java) fun yet?

I have disabled/uninstalled java (and flash)...

...on my main machine. Just too many problems, and I personally don't need those programs. If I do find myself needing them in the future, I will go to the trouble of installing them temporarily. A hassle perhaps, but to me there just seem to be too many problems with them these days.

Uninstalled

I uninstalled all versions of Java and QuickTime. If I ever find that I need them I'll consider reinstalling.

--
><> Glenn <>< Garmin nüvi 2598

Here is a good article

that uses java as an example.

It is good reading.

http://ask-leo.com/why_wouldnt_an_exploit_be_caught_by_my_an...

The sky's not falling.

Jeez,
Control Panel > Java (32-bit) > Security > Unselect "Enable Java content in the browser"
and quit worrying the sky's going to fall down.

--
Zumo 550 & Zumo 665 My alarm clock is sunshine on chrome.
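
For anyone who has to verify this setting on more than one PC instead of clicking through the Control Panel, here is an added example (not part of the original posts, and not Oracle's code) that audits the contents of a user's Java `deployment.properties` file. It assumes the checkbox above is stored as the `deployment.webjava.enabled` property and the security level as `deployment.security.level`; the file location varies by operating system, and the sample contents are constructed.

```python
def parse_properties(text):
    """Minimal Java .properties parser (no line continuations or key escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        # The first '=' or ':' separates the key from the value.
        idx = min((i for i in (line.find("="), line.find(":")) if i != -1),
                  default=-1)
        if idx == -1:
            props[line] = ""
        else:
            props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit_browser_java(text):
    """Report whether Java content in the browser is still enabled."""
    props = parse_properties(text)
    # Assumption: a missing key means the default, i.e. browser content enabled.
    enabled = props.get("deployment.webjava.enabled", "true").lower() == "true"
    level = props.get("deployment.security.level", "(default)")
    return {
        "browser_java_enabled": enabled,
        "security_level": level,
        "compliant": not enabled,   # compliant with the "disable in browser" advice
    }


# Constructed sample: checkbox unselected in the Java Control Panel.
SAMPLE_DISABLED = """\
#deployment.properties
deployment.webjava.enabled=false
deployment.security.level=HIGH
deployment.javaws.jre.0.path=C\\:\\\\Program Files\\\\Java\\\\jre7\\\\bin\\\\javaw.exe
"""

# Constructed sample: freshly installed, nothing changed by the user.
SAMPLE_DEFAULT = """\
#deployment.properties
deployment.version=7.0
"""

if __name__ == "__main__":
    for name, sample in (("disabled", SAMPLE_DISABLED), ("default", SAMPLE_DEFAULT)):
        print(name, audit_browser_java(sample))
```
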

Here all along

dave817 wrote:

Jeez,
Control Panel > Java (32-bit) > Security > Unselect "Enable Java content in the browser"
and quit worrying the sky's going to fall down.

Had to hunt and get help to find this and it was on the Control Panel all the time.
Thanks.

--
Mary, Nuvi 2450, Garmin Viago, Honda Navigation, Nuvi 750 (gave to son)

Facebook got hit by zero day

Facebook got hit by zero day Java exploit:
https://www.facebook.com/notes/facebook-security/protecting-...

Java Vulnerability

Thanks for the information.

--
Alan-Garmin c340

Use Noscript

Like k6rtm advised in a previous post, if you use Firefox then add the NoScript plugin. I can't emphasize enough how well it works at preventing viruses - and headaches. I installed it a few years ago and haven't had any problems while web browsing since. Prior to using NoScript I had to reinstall operating systems on a regular basis, and I'm so glad those days are behind me.

Apple Mac is not safe

Apple Mac is not safe either:
http://www.reuters.com/article/2013/02/19/us-apple-hackers-i...

Before some Mac fans attack me, this is an Oracle Java problem, not Mac.

NoScript

If you use Chrome or Firefox, NoScript can block Java, and any other script and some attacks. I have been using it for years. Some sites can be troublesome to get to work correctly using it, but otherwise it's much safer.

Apple dumped Java

chewbacca wrote:

Apple Mac is not safe either:
http://www.reuters.com/article/2013/02/19/us-apple-hackers-i...

Before some Mac fans attack me, this is an Oracle Java problem, not Mac.

I have several students that use Mac. One of our most important programs required Java. Thus, these students are assumedly out of luck. According to the IT geeks, older versions of the Apple OS can use Java, but the newer OSes cannot.

An article I read said that Oracle is going to provide Apple with a 'Java' that will fix this.

Don't know if this is germane, but this program started crashing on QuickTime a few months ago.

--
NUVI40 Kingsport TN

For those interested

Another Java update was released today along with one from Adobe.

--
Nüvi 255WT with nüMaps Lifetime North America born on 602117815 / Nüvi 3597LMTHD born on 805972514 / I love Friday’s except when I’m on holidays ~ canuk

Updates

Yeah, I got alerts for those 2 updates as well. Installed both on 2 PCs.

--
Tampa, FL - Garmin nüvi 660 (Software Ver 4.90), 2019.30 CN NA NT maps | Magellan Meridian Gold