New Java vulnerability

Discussion in 'Security' started by Chiefcrowe, Jan 11, 2013.

  1. Chiefcrowe

    Chiefcrowe Diamond Member

  2. olds

    olds Elite Member

    So how would one be exploited, by visiting an infected web site?
     
  3. MustISO

    MustISO Lifer

    Seems like mostly drive-by-download but I haven't seen any specifics. I will never have Java installed on a system I own.
     
  4. power_hour

    power_hour Senior member

    What a mess. Make sure you uninstall it and confirm your browser doesn't use any Java. I would even go so far as to search for any Java files and note their location. A drive-by might attempt to conceal its location (remove it from the programs list while it still exists).

    Unbelievable mess.
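    The "search for any Java files and note their location" step above, as an added example that is not power_hour's own script: a PowerShell inventory of what Java left behind on a Windows box, so that "uninstalled" can be verified rather than assumed. The JavaSoft and Uninstall registry paths are the ones Oracle's installer writes; the plug-in DLL names (npjp2.dll for the Firefox/NPAPI plug-in, jp2iexp.dll for the Internet Explorer one) and the MozillaPlugins key are assumptions to check against the JRE version actually in use.

```powershell
# Added example (not from the thread): inventory Java runtimes and browser plug-in
# components on a Windows machine. Run in an elevated PowerShell so HKLM is readable.
# Assumptions: plug-in DLL names npjp2.dll / jp2iexp.dll and the MozillaPlugins key
# layout; verify them against the JRE build you are hunting for.

$report = [ordered]@{}

# 1. JRE/JDK versions registered by Oracle's installer (64-bit and 32-bit hives)
$jsKeys = 'HKLM:\SOFTWARE\JavaSoft', 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft'
$report.RegisteredJava = foreach ($k in $jsKeys) {
    if (Test-Path $k) {
        Get-ChildItem $k -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.JavaHome } |
            Select-Object @{n='Key'; e={ $_.PSPath -replace '^.*::' }}, JavaHome
    }
}

# 2. Add/Remove Programs entries whose name mentions Java
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$report.UninstallEntries = Get-ItemProperty $uninst -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Java|JRE|JDK' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 3. NPAPI plug-in registrations Firefox reads (assumed key layout: one subkey per
#    plug-in with a 'Path' value pointing at the DLL)
$report.MozillaPlugins = Get-ChildItem 'HKLM:\SOFTWARE\MozillaPlugins' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.PSChildName -match 'java' -or $_.Path -match 'jre|java' } |
    Select-Object PSChildName, Path

# 4. Loose binaries left on disk after a "tidy" uninstall or dropped by a drive-by
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
$names = 'java.exe', 'javaw.exe', 'npjp2.dll', 'jp2iexp.dll'   # assumed plug-in DLL names
$report.FilesOnDisk = Get-ChildItem -Path $roots -Recurse -Include $names -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 5. Anything Java-ish currently running (a process surviving an uninstall is a red flag)
$report.RunningProcesses = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match '^java' } |
    Select-Object Id, ProcessName, Path

# Print each section; an all-"(none found)" report is the goal after removal
$report.GetEnumerator() | ForEach-Object {
    "`n=== $($_.Key) ==="
    if ($_.Value) { $_.Value | Format-Table -AutoSize | Out-String } else { '(none found)' }
}
```

    Save the output from a clean machine as a baseline; a later run that shows a new java.exe or plug-in DLL outside the expected install directory is exactly the "concealed location" case the post warns about.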
     
  5. olds

    olds Elite Member

  6. moparacer

    moparacer Golden Member

    That's what I did to all my machines this morning. Just remove all Java and wait until it's patched, then install the updated version.

    I had someone call me last night who had a machine that was compromised and taken over by this exploit, I would assume.
     
  7. mechBgon

    mechBgon Super Moderator, Elite Member

    Before doing that, and simply starting the cycle over, also ask yourself whether you have any use for Java at all. If not, leave it uninstalled.
     
  8. bruceb

    bruceb Diamond Member

    I disabled the plug in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

    Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

    http://forums.anandtech.com/showthread.php?t=2295240

    http://www.chicagotribune.com/busin...sers-to-disable-java-20130111,0,5686660.story
     
    #8 bruceb, Jan 13, 2013
    Last edited: Jan 13, 2013
  9. power_hour

    power_hour Senior member

    Good catch. I think the main message here is to remove Java (any version) until a patched version can be deemed safe and clear of any known issues.

    If you really want to run Java, deploy a VM with it (using Oracle's VirtualBox, it's a snap and free, and Windows 7 gives you a 90-day trial, or use any flavour of Linux). That way, if it's compromised, you are not affected at all.
     
  10. pyonir

    pyonir Lifer

  11. wirednuts

    wirednuts Diamond Member

    oh java... you suck so hard
     
  12. bruceb

    bruceb Diamond Member

    I did the update to Java 7 Update 11 about 30 minutes ago. Wasn't online last night.
     
  13. MadScientist

    MadScientist Platinum Member

    The best way to update Java is to uninstall it.
     
  14. McLovin

    McLovin Golden Member

    So what do you guys suggest as an alternative, if any, to Java? Is removing Java completely the only viable solution? If I help out grandma and grandpa who, like Bruceb, frequent sites that require java for games and such, what's the best recommendation I could give them to stay protected?

    It's scary at work because we have a medical chart software that requires java to run and ADP requires us to run version 6. ADP's official stance is that j6u7 is the only version that is approved, but thankfully works with j6u38 on the client side. Java 7 will not work with ADP, period. Removing Java is not an option unfortunately.
     
  15. mechBgon

    mechBgon Super Moderator, Elite Member

    If you have a non-negotiable need for Java, then my suggestion would be:

    1. use Software Restriction Policy combined with a non-Admin account, as shown here, if practical for them: http://www.mechbgon.com/srp An exploit's not much use to the attacker if SRP keeps nuking the payload when it tries to execute.


    2. if they use Internet Explorer, then enable Java only for the Trusted Sites zone*, raise the Trusted Sites security level to Medium-High so it matches the Internet Zone, and add the Java sites to Trusted Sites Zone on a site-by-site basis. This isn't bulletproof; if one of the Trusted Sites is hosting a Java exploit, it's going to be able to run. See #1.

    *this is done using Group Policy Editor, I can cough up more details if you're interested.


    3. corollary to #2, you could achieve a similar effect by enabling ActiveX Filtering, so that for any given ActiveX goodie, whether it's Flash or Java or whatever, they're all disabled by default and can be enabled on a site-by-site basis. I use ActiveX Filtering at work, and it's bearable to live with once you've approved the sites you use routinely... I occasionally have to remind my users about it when a new site's not working as expected (e.g. hey, why can't I stream NPR audio).


    edit: 4. It would be worth installing and configuring Microsoft EMET too. Here's some info on that: http://www.mechbgon.com/build/security2.html#sehop


    I would also make my displeasure known to software vendors or sites that are requiring Java for anything. They need to hear it.
     
    #15 mechBgon, Jan 15, 2013
    Last edited: Jan 15, 2013
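    Steps 2 and 3 above, written out as an added example rather than mechBgon's own configuration: the per-user registry settings that the Group Policy Editor ends up driving for the IE security zones, set directly with PowerShell. The value names and levels are those in Microsoft's documented zone registry layout (the "Internet Explorer security zones registry entries for advanced users" article): 1C00 is "Java permissions", CurrentLevel 0x11500 is Medium-high, zone 2 is Trusted sites and zone 3 is Internet. Whether Oracle's plug-in honours the 1C00 setting in a given IE build is an assumption to test in your environment, the ActiveX Filtering key applies to IE9 and later, and the domain names are placeholders.

```powershell
# Added example (not the thread's or Microsoft's own script). Per-user IE zone hardening:
# Java off in the Internet zone, on only in Trusted sites, Trusted sites raised to
# Medium-high, and ActiveX Filtering enabled. Zone numbers, value names and level
# constants follow Microsoft's documented zone registry layout; whether Oracle's plug-in
# respects 1C00 is an assumption to verify. Domains below are placeholders.

$zones    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$trusted  = "$zones\2"   # Trusted sites
$internet = "$zones\3"   # Internet

# Step 2: Java disabled for the Internet zone, high-safety Java in Trusted sites,
# and Trusted sites lifted to Medium-high so "trusted" does not also mean "permissive".
Set-ItemProperty $internet -Name '1C00' -Value 0       -Type DWord   # Java permissions: disable
Set-ItemProperty $trusted  -Name '1C00' -Value 0x10000 -Type DWord   # Java permissions: high safety
Set-ItemProperty $trusted  -Name 'CurrentLevel' -Value 0x11500 -Type DWord   # Medium-high

# The Trusted-sites list lives in the ZoneMap: one key per domain, one DWORD per scheme,
# whose value is the zone number (2 = Trusted sites).
function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$Domain, [string[]]$Schemes = @('http', 'https'))
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    foreach ($s in $Schemes) { Set-ItemProperty $key -Name $s -Value 2 -Type DWord }
}
Add-TrustedSite 'payroll.example.com'    # placeholder for the ADP-style site that needs Java
Add-TrustedSite 'charts.example.local'   # placeholder for the internal medical-chart app

# Step 3: ActiveX Filtering (IE9+). Every ActiveX control, Java and Flash included, is
# blocked until the user allows it per site from the address-bar icon. Assumed key path.
$axf = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
if (-not (Test-Path $axf)) { New-Item $axf -Force | Out-Null }
Set-ItemProperty $axf -Name 'IsEnabled' -Value 1 -Type DWord

# Read the settings back so the change can be audited on the same machine later
foreach ($z in @{ Trusted = $trusted; Internet = $internet }.GetEnumerator()) {
    $p = Get-ItemProperty $z.Value
    '{0,-9} CurrentLevel=0x{1:X} Java(1C00)=0x{2:X}' -f $z.Key, [int]$p.CurrentLevel, [int]$p.'1C00'
}
```

    These are HKCU values, so a user can undo them; for the "grandma and grandpa" case that is acceptable, but on managed machines the same settings belong in Group Policy (which writes the locked-down Policies keys instead) so they survive a curious user. As the post notes, none of this helps if a trusted site itself is serving the exploit, which is why step 1 (SRP plus a non-admin account) is the backstop.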
  16. seepy83

    seepy83 Platinum Member

    I'll add another possibility to mechBgon's list -

    Install two browsers on the PC. One has Java installed/enabled, and the other doesn't. Instruct the user to use the browser with Java if, and only if, the website they are accessing requires Java. If they are browsing websites that don't require Java, then they use the browser that does not have Java installed/enabled. If they are only using Java for truly trusted applications (someone mentioned ADP, or an internal web app), then using two different browsers can very thoroughly mitigate the risk.
     
  17. Chiefcrowe

    Chiefcrowe Diamond Member

  18. Modular

    Modular Diamond Member

    What about noscript? Seems to block all Java activity on my PC...
     
  19. dyna

    dyna Senior member

    I received an email from Norton Anti-Virus that their product protects against this vulnerability.
     
  20. ultimatebob

    ultimatebob Lifer

    I like how Chrome handles Java... it's smart enough to ask for your permission before running a Java applet, and will warn you if your Java plugin is out of date.

    Mozilla takes it a step further and just flat out disables Java if it's out of date... which is a great idea unless you happen to manage a few hundred systems that require a specific version of Java to function. Then it becomes a nightmare!
     
  21. Lemon law

    Lemon law Lifer

    I have a big problem with Java update 7-11. On one hand I can do without Java at all, but my wife needs an application that totally relies on Java sometimes but not always. So I am hoping to disable Java script in my wife's Firefox, and IE browsers, and then find a "safe?" web browser for my wife to run only the Java requiring apps in.

    I note some recommend google chrome, but barf, gag yeech yuck, I have always hated google chrome. Not to mention the fact, since I am limited to only 10 gigabytes of data per month, I cannot afford a 30 MB browser that keeps updating itself every few days. My try #1 was Palemoon, but that is not working for my wife.

    The natives are already restless tonight, so helpup, helpup, any suggestion welcome, before wrathful wife beats me to death with a rolling pin.

    PS, the app my wife needs Java for is pogo games, something that worked fine at even dial up speeds.
     
  22. MrColin

    MrColin Platinum Member

    Java and JavaScript are not related. This vulnerability is in the Java runtime from Oracle, not JavaScript, which can sometimes be dangerous too.