New Java vulnerability

olds

Elite Member
Mar 3, 2000
50,053
710
126
So how would one be exploited, by visiting an infected web site?
 

power_hour

Senior member
Oct 16, 2010
789
1
0
What a mess. Make sure you uninstall it and confirm your browser doesn't use any Java. I would even go so far as to search for any Java files and note their location. A drive-by might attempt to conceal its location (remove it from the programs list but still exist).

Unbelievable mess.
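The "search for any Java files and note their location" step above can be scripted so the scan is repeatable after an uninstall. The following is an added example and not code from the thread; the artifact names (the Java 6/7 runtime binaries and the browser plug-in libraries the installers dropped) and the default install roots are this example's own assumptions and should be extended for your environment.

```python
"""Locate Java runtime and browser plug-in files left on disk and record them.

Added example, not code from the thread. It automates the advice to search for
any Java files and note their location, so a later re-scan shows whether an
uninstall (or a drive-by that hides itself) left anything behind. The artifact
names and default roots are this example's own assumptions; extend them.
"""
import hashlib
import os
from pathlib import Path

# Assumed artifact names, grouped by role. Matching is case-insensitive.
JAVA_ARTIFACTS = {
    "runtime": {"java.exe", "javaw.exe", "java", "jp2launcher.exe"},
    "browser_plugin": {
        "npjp2.dll",        # NPAPI plug-in for Firefox on Windows
        "libnpjp2.so",      # NPAPI plug-in for Firefox on Linux
        "jp2iexp.dll",      # Internet Explorer plug-in
        "jp2ssv.dll",       # IE "SSV Helper" browser helper object
        "deployjava1.dll",  # Deployment Toolkit ActiveX control
    },
}

# Assumed typical install roots; pass your own on the command line instead.
DEFAULT_ROOTS = [
    r"C:\Program Files", r"C:\Program Files (x86)",
    "/usr/lib/jvm", "/usr/lib/mozilla/plugins", "/usr/java",
]

_ROLE_BY_NAME = {name: role for role, names in JAVA_ARTIFACTS.items() for name in names}


def classify_name(filename):
    """Return the artifact role for a bare file name, or None if it is not on the list."""
    return _ROLE_BY_NAME.get(filename.lower())


def sha256_of(path):
    """Hash a file in chunks so large runtime binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_java_artifacts(roots):
    """Walk each existing root and return sorted (role, path, sha256) tuples.

    Roots that do not exist are skipped; unreadable files are reported with
    sha256=None rather than aborting the scan.
    """
    found = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                role = classify_name(name)
                if role is None:
                    continue
                path = Path(dirpath) / name
                try:
                    digest = sha256_of(path)
                except OSError:
                    digest = None
                found.append((role, str(path), digest))
    return sorted(found)


def write_inventory(findings, out_path):
    """Write one tab-separated line per finding; diff this file against a later scan."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for role, path, digest in findings:
            fh.write(f"{role}\t{path}\t{digest or 'unreadable'}\n")
    return len(findings)


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or DEFAULT_ROOTS
    results = find_java_artifacts(roots)
    for role, path, digest in results:
        print(f"{role:14} {path}  sha256={digest}")
    written = write_inventory(results, "java-inventory.txt")
    print(f"{written} Java artifact(s) recorded in java-inventory.txt")
```

Run it once before uninstalling and once after; any line that survives in the second inventory is a file the uninstaller did not remove, and a changed hash on a file that "should" be gone is worth a closer look. The scan matches on file names only, so a renamed copy of the runtime will not be found; that is the limit of this approach, not a guarantee of a clean machine.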
 

moparacer

Golden Member
Dec 10, 2003
1,336
0
76
What a mess. Make sure you uninstall it and confirm your browser doesn't use any Java. I would even go so far as to search for any Java files and note their location. A drive-by might attempt to conceal its location (remove it from the programs list but still exist).

Unbelievable mess.

That's what I did to all my machines this morning. Just remove all Java and wait till it's patched, then install the updated version.

I had someone call me last night who had a machine that was compromised and taken over by this exploit, I would assume.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
That's what I did to all my machines this morning. Just remove all Java and wait till it's patched, then install the updated version.

Before doing that, and simply starting the cycle over, also ask yourself whether you have any use for Java at all. If not, leave it uninstalled.
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busin...sers-to-disable-java-20130111,0,5686660.story
 

power_hour

Senior member
Oct 16, 2010
789
1
0
I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busin...sers-to-disable-java-20130111,0,5686660.story

Good catch. I think the main message here is to remove Java (any version) until a patched version can be deemed safe and clear of any known issues.

If you really want to run Java, deploy a VM with it (using Oracle's VirtualBox it's a snap and free, and Windows 7 gives you a 90-day trial, or use any flavour of Linux). That way if it's compromised you are not affected at all.
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
I did the update to Java 7 Update 11 about 30 minutes ago. Wasn't online last night.
 

McLovin

Golden Member
Jul 8, 2007
1,911
58
91
I disabled the plug-in in Firefox (my primary browser) and I do use Java on some game sites (crosswords and the like sometimes use it). I figure Java will likely have a fix for it sometime this week. If the issue is as bad as CERT is leading us to believe, the coders will have to find a fix for it real fast.

Chief, that link is from Aug 2012 and is referencing Java 7 Update 7 ... There is another topic in Software For Windows, that I believe is referencing the latest CERT warning.

http://forums.anandtech.com/showthread.php?t=2295240

http://www.chicagotribune.com/busin...sers-to-disable-java-20130111,0,5686660.story

So what do you guys suggest as an alternative, if any, to Java? Is removing Java completely the only viable solution? If I help out grandma and grandpa who, like Bruceb, frequent sites that require Java for games and such, what's the best recommendation I could give them to stay protected?

It's scary at work because we have a medical chart software that requires java to run and ADP requires us to run version 6. ADP's official stance is that j6u7 is the only version that is approved, but thankfully works with j6u38 on the client side. Java 7 will not work with ADP, period. Removing Java is not an option unfortunately.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
So what do you guys suggest as an alternative, if any, to Java? Is removing Java completely the only viable solution? If I help out grandma and grandpa who, like Bruceb, frequent sites that require Java for games and such, what's the best recommendation I could give them to stay protected?

If you have a non-negotiable need for Java, then my suggestion would be:

1. use Software Restriction Policy combined with a non-Admin account, as shown here, if practical for them: http://www.mechbgon.com/srp An exploit's not much use to the attacker if SRP keeps nuking the payload when it tries to execute.


2. if they use Internet Explorer, then enable Java only for the Trusted Sites zone*, raise the Trusted Sites security level to Medium-High so it matches the Internet Zone, and add the Java sites to Trusted Sites Zone on a site-by-site basis. This isn't bulletproof; if one of the Trusted Sites is hosting a Java exploit, it's going to be able to run. See #1.

*this is done using Group Policy Editor, I can cough up more details if you're interested.


3. corollary to #2, you could achieve a similar effect by enabling ActiveX Filtering, so that for any given ActiveX goodie, whether it's Flash or Java or whatever, they're all disabled by default and can be enabled on a site-by-site basis. I use ActiveX Filtering at work, and it's bearable to live with once you've approved the sites you use routinely... I occasionally have to remind my users about it when a new site's not working as expected (e.g. hey, why can't I stream NPR audio).


edit: 4. It would be worth installing and configuring Microsoft EMET too. Here's some info on that: http://www.mechbgon.com/build/security2.html#sehop


I would also make my displeasure known to software vendors or sites that are requiring Java for anything. They need to hear it.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I'll add another possibility to mechBgon's list -

Install two browsers on the PC: one has Java installed/enabled, and the other doesn't. Instruct the user to use the browser with Java if, and only if, the website they are accessing requires Java. If they are browsing websites that don't require Java, then they use the browser that does not have Java installed/enabled. If they are only using Java for truly trusted applications (someone mentioned ADP, or an internal webapp), then using two different browsers can very thoroughly mitigate the risk.
 

dyna

Senior member
Oct 20, 2006
813
61
91
I received an email from Norton Anti-Virus that their product protects against this vulnerability.
 

ultimatebob

Lifer
Jul 1, 2001
25,135
2,445
126
I like how Chrome handles Java... it's smart enough to ask for your permission before running a Java applet, and will warn you if your Java plugin is out of date.

Mozilla takes it a step further and just flat out disables Java if it's out of date... which is a great idea unless you happen to manage a few hundred systems that require a specific version of Java to function. Then it becomes a nightmare!
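The out-of-date check that Chrome and Firefox are described as doing above, and the update to Java 7 Update 11 mentioned earlier in the thread, can be reproduced by hand by parsing the banner `java -version` prints. The block below is an added example, not code from the thread or from either browser vendor. The only minimum it takes from the page is Java 7 Update 11; it reports any other major version (the Java 6 line someone above is stuck on, for instance) as "unknown" rather than guessing, and the sample banners are constructed, not captured from a real machine. It also accepts the newer "11.0.2"-style version strings, which go beyond what the thread discusses.

```python
"""Parse `java -version` output and judge it against the patched release.

Added example, not code from the thread. The only minimum taken from the page
is Java 7 Update 11; other major versions are reported as "unknown" rather than
guessed at, so add entries only once you have confirmed the fixed release for
that line. The banners in SAMPLES are constructed, not captured output.
"""
import re
import subprocess

# Minimum acceptable update level per major version.
# Only the 7 -> 11 entry comes from the thread; extend deliberately.
MINIMUM_UPDATE = {7: 11}

# Java 5-8 print "1.<major>.0_<update>"; Java 9 and later print "<major>.<minor>.<update>".
_LEGACY = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?')
_MODERN = re.compile(r'(?:java|openjdk) version "(?!1\.)(\d+)\.\d+\.(\d+)')


def parse_java_version(banner):
    """Return (major, update) from the first line of a `java -version` banner, or None."""
    lines = banner.strip().splitlines()
    if not lines:
        return None
    m = _LEGACY.match(lines[0]) or _MODERN.match(lines[0])
    if m is None:
        return None
    # A GA release with no "_NN" suffix is update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def assess(version):
    """Classify a parsed version as 'missing', 'unknown', 'outdated' or 'current'."""
    if version is None:
        return "missing"
    major, update = version
    minimum = MINIMUM_UPDATE.get(major)
    if minimum is None:
        return "unknown"
    return "current" if update >= minimum else "outdated"


def installed_java_version(java="java"):
    """Run `java -version` (the banner goes to stderr) and parse it; None if java is absent."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True, text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr or proc.stdout)


# Constructed sample banners (not captured from any machine).
SAMPLES = {
    "7u10 (vulnerable)": 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment\n',
    "7u11 (patched)": 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n',
    "6u38 (not covered by thread)": 'java version "1.6.0_38"\n',
    "no java installed": "",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        print(f"{label:30} -> {assess(parse_java_version(banner))}")
    print(f"{'this machine':30} -> {assess(installed_java_version())}")
```

Note that `java` on the PATH may not be the runtime the browser plug-in loads: a machine can carry several JREs side by side, which is exactly the situation described above with a line-of-business app pinned to Java 6. Run the check against each `java` binary the file scan turns up, not just the first one on the PATH.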
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
I have a big problem with Java update 7-11. On one hand I can do without Java at all, but my wife needs an application that totally relies on Java sometimes but not always. So I am hoping to disable JavaScript in my wife's Firefox and IE browsers, and then find a "safe?" web browser for my wife to run only the Java-requiring apps in.

I note some recommend Google Chrome, but barf, gag, yeech, yuck, I have always hated Google Chrome. Not to mention the fact that, since I am limited to only 10 gigabytes of data per month, I cannot afford a 30 MB browser that keeps updating itself every few days. My try #1 was Pale Moon, but that is not working for my wife.

The natives are already restless tonight, so helpup, helpup, any suggestion welcome, before my wrathful wife beats me to death with a rolling pin.

PS, the app my wife needs Java for is Pogo games, something that worked fine at even dial-up speeds.
 

MrColin

Platinum Member
May 21, 2003
2,403
3
81
What about NoScript? Seems to block all Java activity on my PC...

I have a big problem with Java update 7-11. On one hand I can do without Java at all, but my wife needs an application that totally relies on Java sometimes but not always. So I am hoping to disable JavaScript in my wife's Firefox and IE browsers, and then find a "safe?" web browser for my wife to run only the Java-requiring apps in.

I note some recommend Google Chrome, but barf, gag, yeech, yuck, I have always hated Google Chrome. Not to mention the fact that, since I am limited to only 10 gigabytes of data per month, I cannot afford a 30 MB browser that keeps updating itself every few days. My try #1 was Pale Moon, but that is not working for my wife.

The natives are already restless tonight, so helpup, helpup, any suggestion welcome, before my wrathful wife beats me to death with a rolling pin.

PS, the app my wife needs Java for is Pogo games, something that worked fine at even dial-up speeds.

Java and JavaScript are not related. This vulnerability is in the Java runtime from Oracle, not JavaScript, which can sometimes be dangerous too.