Go Back   AnandTech Forums > Software > Security

Old 01-11-2013, 02:47 PM   #1
Chiefcrowe
New Java vulnerability

Yep, here we go again!

https://www.cert.org/blogs/certcc/20...h_my.html#more

more on this:
http://arstechnica.com/security/2013...complete-patch

Old 01-11-2013, 07:58 PM   #2
oldsmoboat

So how would one be exploited, by visiting an infected web site?
Old 01-11-2013, 08:50 PM   #3
MustISO

Quote:
Originally Posted by oldsmoboat
So how would one be exploited, by visiting an infected web site?
Seems like mostly drive-by-download but I haven't seen any specifics. I will never have Java installed on a system I own.
Old 01-11-2013, 10:23 PM   #4
power_hour

What a mess. Make sure you uninstall it and confirm your browser doesn't use any Java. I would even go so far as to search for any Java files and note their location. A drive-by might attempt to conceal its location (remove itself from the programs list but still exist).

Unbelievable mess.
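The "search for any Java files and note their location" step above, written out as an added PowerShell inventory script. This is not power_hour's code or anything from the thread; it is an example added here. It lists the JRE as Programs and Features sees it, the JavaSoft registry key the runtime uses to find its own home, the plugin DLLs on disk, and whether the browser hooks (the MozillaPlugins registration Firefox and Chrome scan, the IE SSV helper BHO, and the per-user "Enable Java content in the browser" switch that Java 7 Update 10 added) are still present after an uninstall. The DLL names, the MozillaPlugins key and the deployment.webjava.enabled property are taken from the Oracle JRE 6/7 installer layout and are assumptions to check against whatever version you actually have installed.

```powershell
# Added example, not code from the thread. Inventory Java on a Windows machine so
# "uninstalled" can be confirmed and so no browser is still wired to the plugin.
# Run in an elevated PowerShell (reads HKLM and Program Files).
# Assumptions to check against your own JRE version: Oracle's JRE 6/7 layout,
# plugin DLLs npjp2.dll (NPAPI: Firefox/Chrome) and jp2ssv.dll / jp2iexp.dll (IE),
# the MozillaPlugins registration key, and the deployment.webjava.enabled switch
# that Java 7 Update 10 introduced for "Enable Java content in the browser".

function Get-JavaInventory {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
    }

    # 1. What "Programs and Features" shows, in both the 64- and 32-bit views.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' } |
        ForEach-Object { Add-Finding 'UninstallEntry' $_.PSPath "$($_.DisplayName) $($_.DisplayVersion)" }

    # 2. The JavaSoft registration that java.exe and the plugin use to find the
    #    JRE home. It survives a botched uninstall more often than item 1 does.
    foreach ($k in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                   'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
        if (Test-Path $k) {
            $cv = (Get-ItemProperty -Path $k).CurrentVersion
            Add-Finding 'JavaSoftKey' $k "CurrentVersion=$cv"
        }
    }

    # 3. Files on disk. A removal that leaves these behind is exactly the
    #    "gone from the programs list but still present" case.
    $roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") |
             Where-Object { $_ -ne '\Java' -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Include java.exe, npjp2.dll, jp2ssv.dll, jp2iexp.dll -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'File' $_.FullName $_.VersionInfo.ProductVersion }
    }

    # 4a. Firefox and Chrome find NPAPI plugins through HKLM\SOFTWARE\MozillaPlugins;
    #     each subkey carries a Path value naming the DLL.
    foreach ($k in 'HKLM:\SOFTWARE\MozillaPlugins', 'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins') {
        Get-ChildItem -Path $k -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match 'java' } |
            ForEach-Object { Add-Finding 'MozillaPlugin' $_.PSChildName (Get-ItemProperty -Path $_.PSPath).Path }
    }

    # 4b. Internet Explorer loads the Java SSV helper as a Browser Helper Object.
    #     Resolving each BHO CLSID to its InprocServer32 DLL avoids hard-coding
    #     Oracle's CLSID.
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $bhoRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            foreach ($classes in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $server = Get-ItemProperty -Path "$classes\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($server -and $server.'(default)' -match 'jp2ssv') {
                    Add-Finding 'IE_BHO' $clsid $server.'(default)'
                }
            }
        }
    }

    # 5. The per-user browser switch from Java 7 Update 10 onward. Only relevant
    #    while the plugin exists; "false" is the safe state, absent means enabled.
    $props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    if (Test-Path $props) {
        $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' | Select-Object -First 1
        $state = if ($line) { $line.Line } else { 'deployment.webjava.enabled not set (enabled)' }
        Add-Finding 'WebJavaSwitch' $props $state
    }

    return $findings
}

$report = Get-JavaInventory
if ($report.Count -eq 0) { 'No Java installation, plugin DLL or browser hook found.' }
else { $report | Format-Table -AutoSize }
```

Run it before the uninstall to record where everything lives, then again afterwards: an empty report is the state you want. A leftover JavaSoft key or a MozillaPlugins entry pointing at a DLL that still exists means the browser can still load the plugin even though the Programs list is clean.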
Old 01-12-2013, 07:12 AM   #5
oldsmoboat

Had to google how to disable it in my browser
http://nakedsecurity.sophos.com/how-...le-java-chrome
Old 01-12-2013, 10:10 AM   #6
moparacer

Quote:
Originally Posted by power_hour
What a mess. Make sure you uninstall it and confirm your browser doesn't use any Java. I would even go so far as to search for any Java files and note their location. A drive-by might attempt to conceal its location (remove itself from the programs list but still exist).

Unbelievable mess.
That's what I did to all my machines this morning. Just remove all Java and wait till it's patched and install the updated version.

I had someone call me last night that had a machine that was compromised and taken over by this exploit I would assume.
Old 01-12-2013, 05:21 PM   #7
mechBgon

Quote:
Originally Posted by moparacer
That's what I did to all my machines this morning. Just remove all Java and wait till it's patched and install the updated version.
Before doing that, and simply starting the cycle over, also ask yourself whether you have any use for Java at all. If not, leave it uninstalled.
Old 01-13-2013, 07:40 AM   #8
bruceb

I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busine...,5686660.story

Old 01-13-2013, 04:00 PM   #9
power_hour

Quote:
Originally Posted by bruceb
I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busine...,5686660.story
Good catch. I think the main message here is to remove Java (any version) until a patched version can be deemed safe and clear of any known issues.

If you really want to run Java, deploy a VM with it (using Oracle's VirtualBox it's a snap and free, and Windows 7 gives you a 90 day trial, or any flavour of Linux). That way if it's compromised you are not affected at all.
Old 01-13-2013, 08:17 PM   #10
pyonir

Java 7 Update 11 has been posted on the Oracle site: http://www.oracle.com/technetwork/ja...ads/index.html
Old 01-13-2013, 09:04 PM   #11
wirednuts

oh java... you suck so hard
Old 01-14-2013, 07:21 AM   #12
bruceb

I did the update to Java 7 Update 11 about 30 minutes ago. Wasn't online last night.
Old 01-14-2013, 08:59 AM   #13
MadScientist

The best way to update Java is to uninstall it.
Old 01-14-2013, 04:07 PM   #14
McLovin

Quote:
Originally Posted by bruceb
I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busine...,5686660.story
So what do you guys suggest as an alternative, if any, to Java? Is removing Java completely the only viable solution? If I help out grandma and grandpa who, like Bruceb, frequent sites that require java for games and such, what's the best recommendation I could give them to stay protected?

It's scary at work because we have a medical chart software that requires java to run and ADP requires us to run version 6. ADP's official stance is that j6u7 is the only version that is approved, but thankfully works with j6u38 on the client side. Java 7 will not work with ADP, period. Removing Java is not an option unfortunately.
Old 01-14-2013, 11:13 PM   #15
mechBgon

Quote:
Originally Posted by McLovin
So what do you guys suggest as an alternative, if any, to Java? Is removing Java completely the only viable solution? If I help out grandma and grandpa who, like Bruceb, frequent sites that require java for games and such, what's the best recommendation I could give them to stay protected?
If you have a non-negotiable need for Java, then my suggestion would be:

1. use Software Restriction Policy combined with a non-Admin account, as shown here, if practical for them: http://www.mechbgon.com/srp An exploit's not much use to the attacker if SRP keeps nuking the payload when it tries to execute.


2. if they use Internet Explorer, then enable Java only for the Trusted Sites zone*, raise the Trusted Sites security level to Medium-High so it matches the Internet Zone, and add the Java sites to Trusted Sites Zone on a site-by-site basis. This isn't bulletproof; if one of the Trusted Sites is hosting a Java exploit, it's going to be able to run. See #1.

*this is done using Group Policy Editor, I can cough up more details if you're interested.


3. corollary to #2, you could achieve a similar effect by enabling ActiveX Filtering, so that for any given ActiveX goodie, whether it's Flash or Java or whatever, they're all disabled by default and can be enabled on a site-by-site basis. I use ActiveX Filtering at work, and it's bearable to live with once you've approved the sites you use routinely... I occasionally have to remind my users about it when a new site's not working as expected (e.g. hey, why can't I stream NPR audio).


edit: 4. It would be worth installing and configuring Microsoft EMET too. Here's some info on that: http://www.mechbgon.com/build/security2.html#sehop


I would also make my displeasure known to software vendors or sites that are requiring Java for anything. They need to hear it.

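Items 2 and 3 of mechBgon's list, as an added PowerShell example for the current user. This is my code, not mechBgon's and not the contents of his SRP page: it writes the per-user registry values behind the Internet Options dialog so that the Internet zone cannot load the Java plugin at all, the Trusted Sites zone can (at High safety), the trusted list is built one host at a time, and ActiveX Filtering is on. Group Policy, which is what the post uses, writes the same values under HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings instead and the user cannot override them there; the non-policy keys are used here so the result shows up in Internet Options and can be checked by eye. Assumptions to verify on your IE build: URL action 1C00 is "Java permissions" with 0 = Disable and 0x10000 = High safety, zone 3 is Internet and zone 2 is Trusted sites, ZoneMap\Domains\<host> holds a DWORD named after the scheme whose value is the zone number, and Safety\ActiveXFiltering\IsEnabled = 1 turns filtering on. The host names are placeholders. Raising the Trusted Sites slider to Medium-High is left to the dialog or to GPO, because writing the zone's CurrentLevel value alone does not re-apply the template's individual action values.

```powershell
# Added example, not mechBgon's code and not the contents of his SRP page.
# Per-user registry equivalent of steps 2 and 3: Java disabled in the Internet
# zone, allowed (at High safety) only in Trusted sites, a site-by-site Trusted
# sites list, and ActiveX Filtering turned on. Group Policy writes the same
# values under HKCU\Software\Policies\...; the non-policy keys are used here so
# the result is visible in Internet Options.
# Assumptions to verify on your IE build: URL action 1C00 = "Java permissions"
# (0 = Disable, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low),
# zone 3 = Internet, zone 2 = Trusted sites, ZoneMap\Domains\<host> holding a
# DWORD named after the scheme whose value is the zone number, and
# Safety\ActiveXFiltering\IsEnabled = 1. Host names below are placeholders.

$IS = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneInternet   = 3
$ZoneTrusted    = 2
$JavaDisable    = 0x0
$JavaHighSafety = 0x10000
$JavaLabels = @{ 0 = 'Disabled'; 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety' }

function Set-JavaPermission {
    param([Parameter(Mandatory)][int]$Zone, [Parameter(Mandatory)][int]$Value)
    $key = "$IS\Zones\$Zone"
    if (-not (Test-Path $key)) { throw "Zone key $key not found; is Internet Explorer installed?" }
    Set-ItemProperty -Path $key -Name '1C00' -Value $Value -Type DWord
}

function Add-TrustedSite {
    # Puts https://<host> (or http:// when asked) into the Trusted sites zone.
    param([Parameter(Mandatory)][string]$HostName, [ValidateSet('http','https')][string]$Scheme = 'https')
    $key = "$IS\ZoneMap\Domains\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $ZoneTrusted -Type DWord
}

function Enable-ActiveXFiltering {
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'IsEnabled' -Value 1 -Type DWord
}

function Get-JavaZoneState {
    # Read-back so the change can be verified now and audited later.
    foreach ($z in $ZoneInternet, $ZoneTrusted) {
        $p = Get-ItemProperty -Path "$IS\Zones\$z" -ErrorAction SilentlyContinue
        $raw = $p.'1C00'
        $label = 'not set (zone default)'
        if ($null -ne $raw) {
            $label = if ($JavaLabels.ContainsKey([int]$raw)) { $JavaLabels[[int]$raw] } else { 'raw 0x{0:X}' -f [int]$raw }
        }
        [pscustomobject]@{ Zone = $z; Name = $p.DisplayName; JavaPermissions = $label }
    }
}

# Step 2: the Internet zone may not load the Java plugin at all; Trusted sites may.
Set-JavaPermission -Zone $ZoneInternet -Value $JavaDisable
Set-JavaPermission -Zone $ZoneTrusted  -Value $JavaHighSafety

# The Trusted sites list, one host at a time. Keep it short: a trusted site that
# serves a Java exploit still gets to run it, which is why step 1 (SRP) stays.
'games.example.com', 'payroll.example.com' | ForEach-Object { Add-TrustedSite -HostName $_ }

# Step 3: ActiveX Filtering, so Flash, Java and the rest stay off until the user
# allows them for a particular site.
Enable-ActiveXFiltering

Get-JavaZoneState | Format-Table -AutoSize
```

The read-back at the end is the part worth keeping in a scheduled check: if the Internet zone ever reports anything other than "Disabled", someone (or some installer) has reopened the door. Note that without the policy keys a user can undo all of this from Internet Options, which is the reason the post points at Group Policy for anything beyond a single home machine.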
Old 01-15-2013, 10:08 AM   #16
seepy83

I'll add another possibility to mechBgon's list -

Install 2 browsers on the PC. 1 has java installed/enabled, and the other doesn't. Instruct the user to use the browser with java if, and only if, the website they are accessing requires java. If they are browsing websites that don't require Java, then they use the browser that does not have Java installed/enabled. If they are only using java for truly trusted applications (someone mentioned ADP, or an internal webapp), then using 2 different browsers can very thoroughly mitigate the risk.
Old 01-18-2013, 06:09 PM   #17
Chiefcrowe

Researchers find critical vulnerabilities in Java 7 Update 11

https://www.computerworld.com/s/arti...va_7_Update_11
Old 01-18-2013, 11:58 PM   #18
Modular

What about noscript? Seems to block all Java activity on my PC...
Old 01-19-2013, 08:56 AM   #19
dyna

I received an email from Norton Anti-Virus that their product protects against this vulnerability.
Old 01-19-2013, 01:27 PM   #20
ultimatebob

I like how Chrome handles Java... it's smart enough to ask for your permission before running a Java applet, and will warn you if your Java plugin is out of date.

Mozilla takes it a step further and just flat out disables Java if it's out of date... which is a great idea unless you happen to manage a few hundred systems that require a specific version of Java to function. Then it becomes a nightmare!
Old 01-21-2013, 07:09 PM   #21
Lemon law

I have a big problem with Java update 7-11. On one hand I can do without Java at all, but my wife needs an application that totally relies on Java sometimes but not always. So I am hoping to disable Java script in my wife's Firefox, and IE browsers, and then find a "safe?" web browser for my wife to run only the Java requiring apps in.

I note some recommend google chrome, but barf, gag yeech yuck, I have always hated google chrome. Not to mention the fact, since I am limited to only 10 gigabytes of data per month, I cannot afford a 30 MB browser that keeps updating itself every few days. My try #1 was Palemoon, but that is not working for my wife.

The natives are already restless tonight, so helpup, helpup, any suggestion welcome, before wrathful wife beats me to death with a rolling pin.

PS, the app my wife needs Java for is pogo games, something that worked fine at even dial up speeds.
Old 01-21-2013, 08:18 PM   #22
MrColin

Quote:
Originally Posted by Modular
What about noscript? Seems to block all Java activity on my PC...
Quote:
Originally Posted by Lemon law
I have a big problem with Java update 7-11. On one hand I can do without Java at all, but my wife needs an application that totally relies on Java sometimes but not always. So I am hoping to disable Java script in my wife's Firefox, and IE browsers, and then find a "safe?" web browser for my wife to run only the Java requiring apps in.

I note some recommend google chrome, but barf, gag yeech yuck, I have always hated google chrome. Not to mention the fact, since I am limited to only 10 gigabytes of data per month, I cannot afford a 30 MB browser that keeps updating itself every few days. My try #1 was Palemoon, but that is not working for my wife.

The natives are already restless tonight, so helpup, helpup, any suggestion welcome, before wrathful wife beats me to death with a rolling pin.

PS, the app my wife needs Java for is pogo games, something that worked fine at even dial up speeds.
Java and JavaScript are not related. This vulnerability is in the Java runtime from Oracle, not JavaScript, which can sometimes be dangerous too.