redwolfe_98
reply to trparky

Re: Warning: 0-Day vulnerability in Java 7

said by trparky:

So would disabling the Java browser plugin stop this exploit?

yes.. if you want to disable "java", to do that, go into windows "control panel", click "java" and, in the settings, there, find the option for disabling java and disable it.. you could also disable the java plugins/addons in the browsers that you use, from within the browsers' settings-options..

if you use the "chrome" browser, which comes with its own version of "java", i think that the only way that you can disable "java" in it is from within chrome's settings-options..

Also, would putting Microsoft EMET to work on the browser help mitigate the exploit?

my guess is that EMET would not mitigate the vulnerability since, from what i read, the vulnerability does not involve crashing "java" or the browser, which is the type of thing that EMET is intended to prevent..


Packeteers
join:2005-06-18
Forest Hills, NY
reply to chachazz

i disabled java in chrome first thing this morning cause i saw this news on reddit. does anyone know what link is the best place to watch for a true official fix from either oracle or google so i can get back to using a shopping cart - lots of labor day sales coming up, you know



therube

join:2004-11-11
Randallstown, MD

What kind of shopping cart uses Java?



Packeteers
join:2005-06-18
Forest Hills, NY

If you see this message, your web browser doesn't support JavaScript or JavaScript is disabled. Please enable JavaScript in your browser settings so Newegg.com can function correctly.


redwolfe_98
join:2001-06-11

said by Packeteers:

If you see this message, your web browser doesn't support JavaScript or JavaScript is disabled. Please enable JavaScript in your browser settings so Newegg.com can function correctly.

packeteers, apparently you disabled "javascript" rather than disabling "java".. they are not the same thing.. you can go ahead and re-enable "javascript", though some of us have javascript restricted from running except on webpages where we want to allow it to run..

so, if you want to disable "java", you need to go back and disable it, but that doesn't mean disabling "javascript"..

SipSizzurp
Fo' Shizzle
join:2005-12-28
Houston, TX

said by redwolfe_98:

..packeteers, apparently you disabled "javascript" rather than disabling "java"..

What is the difference? What/where is "Javascript"? My control panel and add/remove programs only show "Java" as downloaded from here:
»www.java.com/en/download/index.jsp
--
Breaker One Nine.


Packeteers
join:2005-06-18
Forest Hills, NY
reply to chachazz

OK thanks guys for helping me see that distinction. so i went into the java control panel from my desktop and disabled v1.7 of java, and enabled javascript in chrome so i am now back to spending money on items i can live without

so back to my original question...

what link can i watch to see when the fix is out from oracle on v1.7 of java?



therube

join:2004-11-11
Randallstown, MD
reply to SipSizzurp

It is Java that this vulnerability is concerned with.
And it would be Java that you would want to disable.

JavaScript is not Java


Mele20
join:2001-06-05
Hilo, HI

reply to SipSizzurp

[screenshot: Firefox]
[screenshot: Java 6 on XP]
Javascript is enabled/disabled in your browser's options/preferences. Java's control panel is where you enable/disable it and it is located in the Windows Control Panel. You access the advanced tab and, if you have both IE and plugin browsers Java installed, you can enable just for one type of browser and not the other or, enable for both, or disable for both, and then when you need it you can temporarily enable it.

I have an early version of Java 6, so the Java Control Panel may look different in Java 7, but you can get the idea from my screenshot.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
join:2001-06-05
Hilo, HI
reply to JALevinworth

said by JALevinworth:

said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

I'm curious, Mele. Why are you still using version 6? and also update 7? The last update to 6 was 34. Between there (7-34) there have been a boat load of security fixes. I'm sure you have a reason but can't figure it out.

-Jim

Over the years, I have had a lot of trouble with Java installations/uninstallations. Probably more trouble with them than problems with Flash. (Years ago, I really liked Microsoft's stolen version of Java because it worked so much better than Sun's -which would be expected since Microsoft made it to run on their software - and installed properly so I always used it).

I have Process Guard and I have never told it to "Always Allow" Java to run. Thus, I get a popup from Process Guard if I go to a web page where Java is needed. Since the only time I need Java is when I have deliberately gone to a Web 100 server site to do a Java speed test or, more likely, opened my own MySpeed software to run speed tests every so many minutes, or gone to VisualWare's web based Java speed tests (which are the best and most accurate of all speed tests), I am not about to say "yes" to Process Guard's popup about starting Java if I got a popup unexpectedly. So, I feel reasonably safe to use an old version. I think I recall it wouldn't uninstall. I have had that problem umpteen times on XP and on 98SE before that so I left it at that early version of Java 6. I suppose a Web 100 test server could become compromised, but unlikely. I belong to the Web100 list serv. I don't always read all the messages but that group of IT people are conscientious about the tests and keeping their servers up to date and it is unlikely one of their servers would become compromised. Plus, they are involved in the FCC broadband tests for which I am a panelist, hence another reason for them to not have compromised servers.

I rarely do dslr speed tests these days (used to do them a lot) but there again the Java ones here are much better than the flash ones.

This is probably the best speed test on the net. It is NOT a capacity test as almost all other speed tests Java or Flash are. It is a quality test. The site owner is a member here. It requires Java because it is a VisualWare test. He has dedicated high quality servers in several Mainland locations and recently put one in Los Angeles which is perfect for me in Hawaii.

»www.ispgeeks.com/wild/modules.ph···lityTest
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


sivran
Opera ex-pat
join:2003-09-15
Irving, TX
reply to chachazz

quote:
when a specially crafted web page is visited.

All I needed to know.

Java's disabled in all my browsers. I never need it, hell the only reason I even have a JVM these days is Minecraft.
--
Think Outside the Fox.


Name Game
join:2002-07-07
Grand Rapids, MI
reply to chachazz

Java Runtime Environment = Perpetual Vulnerability Machine Posted by Sean @ 11:49 GMT
Well folks… the perpetual vulnerability machine that is Oracle's Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it's being commoditized at this very moment and will very soon find its way into popular exploit kits such as Blackhole.

Then, if you happen to have Java (JRE) installed, and have the browser plugin(s) enabled… you're at risk of a drive-by download. Based on the details we've examined thus far, all browsers can be exploited (though Chrome seems to be a bit of an open question).

»www.f-secure.com/weblog/archives···413.html

The malware that is currently exploiting the vulnerability
»www.symantec.com/connect/blogs/n···012-4681

The scariest part about all of this is that the next scheduled Oracle patch release is October 16. As Oracle has a policy of not issuing out-of-band updates, this means nearly two months of time where attackers can exploit this without root mitigation by the vendor. In the interim, security researcher Michael Schierl has released an unofficial patch, which is for now only available by request.

»vrt-blog.snort.org/2012/08/cve-2···ava.html

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


DrStrange
Technically feasible
join:2001-07-23
West Hartford, CT
reply to chachazz

Hopefully, Oracle decides that 'only a fool fights in a burning house' and releases a patch out-of-band.

Otherwise I'll have to recommend downgrading all deployed Java back to v. 6 for all machines I maintain.


redwolfe_98
join:2001-06-11

reply to SipSizzurp

said by SipSizzurp:

said by redwolfe_98:

..packeteers, apparently you disabled "javascript" rather than disabling "java"..

What is the difference? What/where is "Javascript"? My control panel and add/remove programs only show "Java" as downloaded from here:
»www.java.com/en/download/index.jsp

yes, "java" is "java" and that is what you are seeing when you see "java" in windows "add/remove" and in "control panel".. "java" is a program that you install, like when you install "java" at "java.com"..

"javascript" is a function of a browser which is built into a browser, and it can be enabled or disabled in a browser's settings-options.. (it also can be controlled by using the "noscript" addon with the "firefox" browser)..

redwolfe_98
join:2001-06-11

reply to Packeteers

said by Packeteers:

OK thanks guys for helping me see that distinction. so i went into the java control panel from my desktop and disabled v1.7 of java, and enabled javascript in chrome so i am now back to spending money on items i can live without

i just want to mention that you should disable JAVA (not "javascript" ) within chrome's settings-options.. chrome comes with its own version of "java" and you have to disable it from within chrome's settings-options, at least that is my understanding..

to answer your question about how to know when an update for "java" is available, you are joking, right? you know the answer.. visit the DSLReports forum

p.s. if you don't need "java" you could just uninstall it and forget about it.. i don't have it installed on my computer.. yea, there are some compromises.. if something requires java, you can't run it, not without "java" installed..

mele said that she needs "java" in order to be able run a particular "speed-test".. she doesn't want to compromise.. (there are lots of "speed-tests" that don't require "java" )..

personally, i try to lock down my computer, to make it secure, and part of doing that is not having "java" installed when i can live without it..

if you think that you have to have "java", i would suggest that you keep it disabled except for when it is needed, which probably would be very very very rarely..

there might be some websites that prompt you to install "java", but that doesn't mean that it has to be installed in order to be able to use the websites.. i just go ahead and use the websites without installing "java"..

if someone plays games at the "pogo" website, they would need "java" for that.. personally, i don't care for the "pogo" website and i don't mind compromising and not playing games there.. actually, i think the "pogo" website was responsible for a lot of malware-infections, in the past, because it required people to install "java" which then was exploited, where many people were getting infected with "coolwebsearch".. the version of "java" that was being distributed by the "pogo" website was outdated and vulnerable, which led to the "coolwebsearch" infections..


Name Game
join:2002-07-07
Grand Rapids, MI

I run it on win7 with chrome...and I doubt they can whack it in XP on chrome sandbox no matter what is claimed they can do.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

»krebsonsecurity.com/tag/cve-2012-4681/

CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
join:2002-07-07
Grand Rapids, MI
reply to chachazz

Rapid7 / Metasploit indicate that they tested their module on Chrome on Windows XP. In our experience, if Java is allowed to run like you see on the picture above, the malicious binary does not get downloaded. We tested several times with the same results - Java runs but no contact with the second server and binary download. Testing on the same VM with Internet Explorer or Firefox immediately causes infection. Don't know, maybe Rapid 7 'improved' the exploit and you can send them your thanks if you wish, but the original exploit does not work on Chrome.

»www.deependresearch.org/2012/08/···ion.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Reimer

join:2006-08-14
Toronto, ON
reply to Name Game

Chrome's sandbox doesn't protect against plugins though. Except, of course, for its built-in PDF and flash.

However, Chrome does block java applets by default. The question is whether or how the exploit seems to bypass that.


SipSizzurp
Fo' Shizzle
join:2005-12-28
Houston, TX
reply to chachazz

said by chachazz:

6. If the exploit is successful, it downloads and executes a malicious binary, which calls to another IP address/domain hello.icon.pk / 223.25.233.244

I would assume that my Faronics Anti-Executable would deny execution of the malicious code, but would my Anti-Executable also interfere with legitimate Java activity? (sorry for the hijack...)
--
Breaker One Nine.
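An added detection example (my own, not code from the thread or from any vendor named in it): it walks constructed proxy-log lines and flags the two things the posts above describe, any contact with the second-stage host chachazz quotes (hello.icon.pk / 223.25.233.244) and a JRE in the Java 7 update 0 through 6 range that Krebs' quoted post names as affected pulling down an executable. The log format, the sample lines and the binary content-type list are assumptions.

```python
import re

# Second-stage indicators quoted in the thread (chachazz's step 6).
SECOND_STAGE_HOSTS = {"hello.icon.pk", "223.25.233.244"}

# Content types a dropper download would carry (assumed list, extend as needed).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}

# The JRE identifies itself as e.g. "Java/1.7.0_06" when it fetches a URL.
JAVA_UA = re.compile(r"^Java/(\d+)\.(\d+)\.(\d+)_(\d+)$")

# Constructed proxy log, one request per line (assumed format):
# client_ip host path user_agent status content_type
SAMPLE_LOG = """\
10.0.0.5 www.example.com /index.html Mozilla/5.0 200 text/html
10.0.0.5 cdn.example.net /applet/app.jar Java/1.7.0_06 200 application/java-archive
10.0.0.5 cdn.example.net /static/update.exe Java/1.7.0_06 200 application/octet-stream
10.0.0.5 hello.icon.pk /ok.php Mozilla/5.0 200 text/html
10.0.0.9 downloads.example.org /tool.exe Java/1.6.0_34 200 application/octet-stream
"""


def java_version_affected(ua):
    """True if the user-agent names a JRE in the range the thread reports as
    vulnerable to CVE-2012-4681: Java 7 update 0 through 6 (1.7.0_00..1.7.0_06)."""
    m = JAVA_UA.match(ua)
    if not m:
        return False
    major, minor, _patch, update = (int(g) for g in m.groups())
    return (major, minor) == (1, 7) and update <= 6


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    return dict(zip(("client", "host", "path", "ua", "status", "ctype"), fields))


def classify(line):
    """Return the reasons a line is suspicious; an empty list means benign."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable line"]
    reasons = []
    if rec["host"].lower() in SECOND_STAGE_HOSTS:
        reasons.append("contact with known second-stage host")
    if rec["ua"].startswith("Java/"):
        # The thread says a successful exploit downloads a binary; assuming that
        # fetch is made by the JRE, a JRE pulling executable content is the signal.
        if rec["ctype"].lower() in BINARY_TYPES or rec["path"].lower().endswith(".exe"):
            reasons.append("JRE fetched an executable")
        if java_version_affected(rec["ua"]):
            reasons.append("client JRE in affected range (7u0-7u6)")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every line that raised a reason."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {'; '.join(reasons)}")
```

The version check only says a client is in the affected range; it does not tell you the client was exploited, so treat it as an inventory signal and the executable fetch or second-stage contact as the alert.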

redwolfe_98
join:2001-06-11
reply to Name Game

said by Name Game:

I doubt they can whack it in XP on chrome sandbox no matter what is claimed they can do

this vulnerability seems different from what is normally seen..

thinking about it, from what i read, the vulnerability functions in a way that is similar to what was done when "chrome" was "pwned" by "vupen", not too long ago, where they were able to run code in a place where it wasn't supposed to be able to run..

from what i read about the vulnerability, i got the impression that someone just overlooked something, in the coding, making "java" vulnerable to being exploited..

in the past, google has been pretty quick to respond to problems with chrome.. (incidentally, it seems like there have been a whole hell of a lot of patches for chrome, lately).. if google is serious about having a secure browser, i think they should promptly "kick out" a java-free version of chrome.. or, using their "cloud" remote-control, nuke "java", instead..one or the other, if they are serious about having a secure browser..

Mele20
join:2001-06-05
Hilo, HI
reply to redwolfe_98

said by redwolfe_98:

mele said that she needs "java" in order to be able run a particular "speed-test".. she doesn't want to compromise.. (there are lots of "speed-tests" that don't require "java" )..

personally, i try to lock down my computer, to make it secure, and part of doing that is not having "java" installed when i can live without it..

It is not because I am unwilling to "compromise". Flash speed tests are completely worthless. For one thing, they test capacity only...In other words...they test to see if your ISP has actually allocated the amount of speed that you pay for. But capacity has NOTHING to do with your actual speed or the quality of your speed. For instance, I am paying for 15mbps down. I got it about a month ago and it is a RIP OFF. I get EXACTLY the SAME speed, quality wise, on it that I was getting on Standard RR at 10 mbps down. Plus, on Standard RR, I got PowerBoost. Anyone with that on their line (and your ISP cannot remove it just for you) should never do a Flash speed test as it will be grossly inflated by PowerBoost ...less inflated by Java speed test and on the quality test I linked to earlier no inflation but that is the only test out there (except for Sam Knows for us FCC testers) that can do an accurate quality test on a line with PowerBoost. I don't get PowerBoost at all on 15mbps down. So, I could do a Flash capacity test (to avoid Java) but that would tell me my speed is 14.85 mbps. I do a quality test which REQUIRES JAVA and I see that my line quality is shit...the speed is extremely erratic and I see a lot of other problems ...nicely detailed for me with a lot of explanation and white papers I can read so I can be educated and force my ISP to fix things...until the next breakdown and those happen really frequently here.

Also, on the Quality test, to a fancy dedicated server in Los Angeles, I get 7.25mbps down and, sometimes, a Quality of Service of 95% (other times as low as 2%). This test tells me what speed I have for NetFlix streaming, Hulu streaming, etc. This test tells me the truth. A Flash test to most locations in California would say (if I still had PowerBoost) that I have around 23mbps down. That is on 10mbps down. But if I did this Java Quality test, when I had 10mbps down, I would average 7.25mbps down and quality ranging from 95% to as low as 2%.

On 15mbps down, I still get 7.25mbps on the Quality Java test from the link I gave earlier. That means that paying $10 a month more for 15mbps down is not worth it. It is a ripoff. It APPEARS worth it if you do a crappy flash test which just tests to see the capacity of your line not the quality. Quality of your connection is the ONLY important thing as long as you have 3mbps down (or higher).

So, I choose to see the truth about my speed. Plus, I happen to own MySpeed (an older version and I want to upgrade to a newer version). I can start it and tell it to test to a particular server in the list, every 10 minutes, for as long as I want. I get great data to show my ISP and they have fixed my line several times based on the data. They use MySpeed test on their gateways so they know it is the best in the industry and they respect its results.

So, you think I should just forget the money I spent on MySpeed software because I am unwilling to "compromise"? It is a lot more than a minor compromise. I do wish that Oracle would take better care of Java but I can't force them to do that. I also suspect that if I could afford DOCSIS 3 speeds now offered by ISP that it might not matter about speed tests but I really had to think hard before adding just an additional $10 per month to my bill. No way I can afford now, or probably ever, the higher DOCSIS 3 speeds.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
join:2002-07-07
Grand Rapids, MI
reply to nolz

said by nolz:

Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission

Exactly..

Test page to see if you are vulnerable..but even if it lists your version ..java will not run in chrome unless you give it specific permission.
»zulu.zscaler.com/research/java_version.html

By default java is a blocked plugin for Chrome.

Google Chrome now blocks plug-ins that are not widely used. When this happens, you will see a message such as the following:

"The Java plug-in needs your permission to run."

You should only run the plug-in if you trust the website you are visiting (for example, your banking website might legitimately use a Java applet).

To let the plug-in run on the site, follow these steps:

To run the plug-in just this once, click Run this time in the message. The plug-in will run, but if you re-visit the site, you'll be asked for permission to run the plug-in again.
To always allow the current site to run the plug-in, click Always run on this site. Subsequent visits to the site will run the plug-in without asking again.
To always allow this type of plug-in to run, go to chrome://plugins, find the plug-in and select the Always allowed checkbox.
»support.google.com/chrome/bin/an···d_plugin
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


antdude
A Ninja Ant
join:2001-03-25
United State
reply to chachazz

Good thing I am still using v6. :P



Name Game
join:2002-07-07
Grand Rapids, MI
reply to Mele20

Here is a java one I use while in Pennsylvania..how does it work for you?

»ptd.net/tiki-index.php?page=PTD_Speedtest



Name Game
join:2002-07-07
Grand Rapids, MI
reply to antdude

said by antdude:

Good thing I am still using v6. :P

No it is not..all those versions are also vulnerable to other crap that is out there big time...just a different CVE from the past.

Mele20
join:2001-06-05
Hilo, HI
reply to Name Game

typing with one hand...lots of pain, stiffness suddenly in one hand around the thumb...typing aggravates greatly. icing now...

that test is abbreviated version of MySpeed. gave me 2.34mbps down. too far away...150ms round trip...too high for good speed.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


starfish8

join:2004-06-30
reply to chachazz

After uninstalling Java 7 Update 6 I still have an IE add-on from Oracle called Deployment Toolkit. What is it and why wasn't it uninstalled when I uninstalled Java? I don't have JavaFX either.



rcdailey
Dragoonfly
join:2005-03-29
Rialto, CA

reply to redwolfe_98

I have found that if Java is disabled by way of the Java console, then it does not work in Chrome. Chrome comes with its own version of Flash, but not Java, so far as I can see. If it did, then why would it not work when Java is disabled in the Java console? There are plugins for Java in Chrome, so it is possible to disable Java in Chrome without disabling Java completely or uninstalling Java. I did not want to uninstall Java so that is why I disabled it via the console as well as disabling the plugins.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



EmoHobo

join:2010-07-16
reply to chachazz

Seems Mozilla has added a warning on this page:

»www.mozilla.org/en-US/plugincheck/

"Missing JAVA?

For your safety, Firefox has disabled your outdated version of Java. Please upgrade to the latest version."

So hopefully this helps those who are uninformed avoid damage. I just uninstalled Java, better safe than sorry.



DrDrew
That others may surf
join:2009-01-28
SoCal
reply to Mele20

Mele20 have you ever tweaked (adjusted RWIN and other TCP settings) on your XP computer for new speeds you've been provisioned with over the years?

Check here:
»/tweaks