
Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to redwolfe_98

Re: Warning: 0-Day vulnerability in Java 7

said by redwolfe_98:

mele said that she needs "java" in order to be able to run a particular "speed-test".. she doesn't want to compromise.. (there are lots of "speed-tests" that don't require "java" )..

personally, i try to lock down my computer, to make it secure, and part of doing that is not having "java" installed when i can live without it..

It is not because I am unwilling to "compromise". Flash speed tests are completely worthless. For one thing, they test capacity only...In other words...they test to see if your ISP has actually allocated the amount of speed that you pay for. But capacity has NOTHING to do with your actual speed or the quality of your speed. For instance, I am paying for 15mbps down. I got it about a month ago and it is a RIP OFF. I get EXACTLY the SAME speed, quality wise, on it that I was getting on Standard RR at 10 mbps down. Plus, on Standard RR, I got PowerBoost. Anyone with that on their line (and your ISP cannot remove it just for you) should never do a Flash speed test as it will be grossly inflated by PowerBoost ...less inflated by Java speed test and on the quality test I linked to earlier no inflation but that is the only test out there (except for Sam Knows for us FCC testers) that can do an accurate quality test on a line with PowerBoost. I don't get PowerBoost at all on 15mbps down. So, I could do a Flash capacity test (to avoid Java) but that would tell me my speed is 14.85 mbps. I do a quality test which REQUIRES JAVA and I see that my line quality is shit...the speed is extremely erratic and I see a lot of other problems ...nicely detailed for me with a lot of explanation and white papers I can read so I can be educated and force my ISP to fix things...until the next breakdown and those happen really frequently here.

Also, on the Quality test, to a fancy dedicated server in Los Angeles, I get 7.25mbps down and, sometimes, a Quality of Service of 95% (other times as low as 2%). This test tells me what speed I have for NetFlix streaming, Hulu streaming, etc. This test tells me the truth. A Flash test to most locations in California would say (if I still had PowerBoost) that I have around 23mbps down. That is on 10mbps down. But if I did this Java Quality test, when I had 10mbps down, I would average 7.25mbps down and quality ranging from 95% to as low as 2%.

On 15mbps down, I still get 7.25mbps on the Quality Java test from the link I gave earlier. That means that paying $10 a month more for 15mbps down is not worth it. It is a ripoff. It APPEARS worth it if you do a crappy flash test which just tests to see the capacity of your line not the quality. Quality of your connection is the ONLY important thing as long as you have 3mbps down (or higher).

So, I choose to see the truth about my speed. Plus, I happen to own MySpeed (an older version and I want to upgrade to a newer version). I can start it and tell it to test to a particular server in the list, every 10 minutes, for as long as I want. I get great data to show my ISP and they have fixed my line several times based on the data. They use MySpeed test on their gateways so they know it is the best in the industry and they respect its results.

So, you think I should just forget the money I spent on MySpeed software because I am unwilling to "compromise"? It is a lot more than a minor compromise. I do wish that Oracle would take better care of Java but I can't force them to do that. I also suspect that if I could afford DOCSIS 3 speeds now offered by ISP that it might not matter about speed tests but I really had to think hard before adding just an additional $10 per month to my bill. No way I can afford now, or probably ever, the higher DOCSIS 3 speeds.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to nolz

said by nolz :

Curious as to how Chrome is vulnerable if it doesn't even allow java to run unless manually given permission

Exactly..

Test page to see if you are vulnerable..but even if it lists your version ..java will not run in chrome unless you give it specific permission.
»zulu.zscaler.com/research/java_version.html

By default java is a blocked plugin for Chrome.

Google Chrome now blocks plug-ins that are not widely used. When this happens, you will see a message such as the following:

"The Java plug-in needs your permission to run."

You should only run the plug-in if you trust the website you are visiting (for example, your banking website might legitimately use a Java applet).

To let the plug-in run on the site, follow these steps:

To run the plug-in just this once, click Run this time in the message. The plug-in will run, but if you re-visit the site, you'll be asked for permission to run the plug-in again.
To always allow the current site to run the plug-in, click Always run on this site. Subsequent visits to the site will run the plug-in without asking again.
To always allow this type of plug-in to run, go to chrome://plugins, find the plug-in and select the Always allowed checkbox.
»support.google.com/chrome/bin/an···d_plugin
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
reply to chachazz

Good thing I am still using v6. :P



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Here is a java one I use while in Pennsylvania..how does it work for you ?

»ptd.net/tiki-index.php?page=PTD_Speedtest



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to antdude

said by antdude:

Good thing I am still using v6. :P

No it is not..all those versions are also vulnerable to other crap that is out there big time...just a different CVE from the past.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

typing with one hand...lots of pain, stiffness suddenly in one hand around the thumb...typing aggravates greatly. icing now...

that test is abbreviated version of MySpeed. gave me 2.34mbps down. too far away...150ms round trip...too high for good speed.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


starfish8

join:2004-06-30
reply to chachazz

After uninstalling Java 7 Update 6 I still have an IE add-on from Oracle called Deployment Toolkit. What is it and why wasn't it uninstalled when I uninstalled Java? I don't have JavaFX either.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable

1 edit
reply to redwolfe_98

I have found that if Java is disabled by way of the Java console, then it does not work in Chrome. Chrome comes with its own version of Flash, but not Java, so far as I can see. If it did, then why would it not work when Java is disabled in the Java console? There are plugins for Java in Chrome, so it is possible to disable Java in Chrome without disabling Java completely or uninstalling Java. I did not want to uninstall Java so that is why I disabled it via the console as well as disabling the plugins.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



EmoHobo

join:2010-07-16
reply to chachazz

Seems Mozilla has added a warning on this page:

»www.mozilla.org/en-US/plugincheck/

"Missing JAVA?

For your safety, Firefox has disabled your outdated version of Java. Please upgrade to the latest version."

So hopefully this helps those who are uninformed avoid damage. I just uninstalled Java, better safe than sorry.



DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:15
reply to Mele20

Mele20 have you ever tweaked (adjusted RWIN and other TCP settings) on your XP computer for new speeds you've been provisioned with over the years?

Check here:
»/tweaks


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to rcdailey

said by rcdailey:

I have found that if Java is disabled by way of the Java console, then it does not work in Chrome. Chrome comes with its own version of Flash, but not Java, so far as I can see. If it did, then why would it not work when Java is disabled in the Java console? There are plugins for Java in Chrome, so it is possible to disable Java in Chrome without disabling Java completely or uninstalling Java. I did not want to uninstall Java so that is why I disabled it via the console as well as disabling the plugins.

OK, rcdailey.. i saw another article, somewhere, recently, where it was talking about disabling "java" because of another vulnerability that it had and the article said to use the "java" settings that can be accessed from windows "control panel" to disable it, and also to disable it in the chrome-browser's settings-options, so that was where i got the idea that chrome had its own version of "java" which could only be disabled from within chrome's settings-options.. i don't use "chrome" so i am not familiar with it..

i wish i could remember where i saw that article that talked about disabling "java", but i can't remember where i saw it..

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

3 edits
reply to DrDrew

said by DrDrew:

Mele20 have you ever tweaked the RWIN and other TCP settings on your XP computer

i was wondering the same thing.. i imagine that mele already considered tweaking the TCP/IP settings on her computer..

i tried using some utility, years ago, to tweak the TCP/IP settings on my computer and it made a pretty big difference.. i went from download-speeds of about 2.7 MBPS to about 8 MBPS.. (it was advertised as having a 3 MBPS download-speed).. that was years ago.. with my current connection, i would say i get 20 MBPS.. sometimes the speed-tests show that i am getting 30 MBPS, if i do the tests late at nite..

i use "roadrunner" and their system will throttle-back my connection speed when i am doing speed-tests.. it is advertised as having an 8 MBPS download-speed..

i was going to attach a reg-file that i use to tweak the TCP/IP settings on my computer but it might not be appropriate for other computers so i didn't attach it..


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

said by Mele20:

typing with one hand...lots of pain, stiffness suddenly in one hand around the thumb...typing aggravates greatly. icing now...

that test is abbreviated version of MySpeed. gave me 2.34mbps down. too far away...150ms round trip...too high for good speed.

Bummer cause I tried your java speed test and I get the same as the one here in PA.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI

1 edit

Round Two with this exploit:
Taken from here:
»krebsonsecurity.com/

"Researchers: Java Zero-Day Leveraged Two Flaws:
New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack."

I've now removed Java from all of my PCs. I've had it off my desktop and laptop for a while. I'd left it on my daughter's laptop but when I uninstalled it recently, I didn't update...my daughter is using an iPad more so nowadays anyway.



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to redwolfe_98

Yeah, and it happens that I had looked quickly at IE8 and disabled the two loaded Java plugins, but initially missed the other two. I had to disable them as well, at least if I did not disable Java in the control panel. I also mistakenly referred to the Java console, but it is the Java panel in Windows settings where Java can be disabled. It's probably smarter, if you or I really don't intend to use Java, to simply uninstall it completely. That way it really would not be possible for it to be compromised. However, maybe Oracle will fix the vulnerability and I do like to use the Java speed test here.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 recommendation

reply to antdude

Things are getting nasty !
Java zero-day exploit goes mainstream, 100+ sites serve malware

quote:
Attackers using two recently-uncovered Java unpatched vulnerabilities, or "zero-days," have quickly expanded their reach by going mainstream, security experts said today.

And on Tuesday, Mozilla, maker of Firefox, joined the chorus of advice that users should disable the current version of Oracle's Java. The company is also ready to automatically block the plug-in from running in its browser, although it has not yet pulled the trigger.

The exploit's breakout followed the addition of attack code to the notorious Blackhole exploit toolkit.

Oracle knew about zero-day Java vulnerabilities for months, researcher says

quote:
Oracle was notified in April about the zero-day vulnerabilities being exploited now by attackers, researcher says.

KoRnGtL15
Premium
join:2007-01-04
Grants Pass, OR

1 edit
reply to chachazz

Firefox is my main browser. What is it that I should be disabling and Mozilla most likely will be doing? Is it the 2 Java plugins? Using latest version of java. I don't use IE but obviously it is installed as well for that. That should be disabled as well? At this rate. Maybe it is best to just uninstall Java completely until this is fixed?

***EDIT***

Java(TM) Platform is the one to disable according to link.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

Just did.

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 recommendations

siljaline, your screenshot shows that you disabled "javascript", not "java".. they are two different things..

here is one webpage with some information about disabling "java":

»www.kb.cert.org/vuls/id/636312

here is another one:

»krebsonsecurity.com/how-to-unplu···browser/



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
Reviews:
·Time Warner Cable
reply to KoRnGtL15

said by KoRnGtL15:

Firefox is my main browser. What is it that I should be disabling and Mozilla most likely will be doing? Is it the 2 Java plugins? Using latest version of java. I don't use IE but obviously it is installed as well for that. That should be disabled as well? At this rate. Maybe it is best to just uninstall Java completely until this is fixed?

***EDIT***

Java(TM) Platform is the one to disable according to link.

Right, but look for the two plug-ins within Firefox, because if you disable those, then Java won't run in Firefox. For IE, you need to list all add-ons in the manage add-ons list and look for Oracle and disable everything shown. Google Chrome has settings, advanced settings, privacy, plug-ins, where you can disable selected plug-ins. Look for Java there.

Of course, you can go to the java panel in Windows itself and disable the JRE there, which makes it unusable for any of the browsers, try as they may to load applets.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to redwolfe_98

My bad redwolfe_98

This should cover all the bases

Hat Tip to carpetshark3 for the link.

leaving screenshot - but ignore as it is erroneous



DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:15
reply to rcdailey

said by rcdailey:

said by KoRnGtL15:

Firefox is my main browser. What is it that I should be disabling and Mozilla most likely will be doing? Is it the 2 Java plugins? Using latest version of java. I don't use IE but obviously it is installed as well for that. That should be disabled as well? At this rate. Maybe it is best to just uninstall Java completely until this is fixed?

***EDIT***

Java(TM) Platform is the one to disable according to link.

Right, but look for the two plug-ins within Firefox, because if you disable those, then Java won't run in Firefox.

These plug-ins:


--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

I would hate to see someone run a plug-in check on Mozilla and then download Java if it had not been installed


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to chachazz

Blackhole: Faster Than the Speed of Patch
Posted by Karmina @ 16:10 GMT

And before Oracle can release a patch for the new Java zero-day exploit that we wrote about earlier today, Blackhole waltzes onto the scene with an update of its own. So the exploit kit users can now avail of the latest BH, now with the new CVE-2012-4681 exploit.

We wonder if this will actually spike Blackhole sales.

The authors seem to be in such a hurry that they can't think of new names anymore (click the images for a larger view):

»www.f-secure.com/weblog/archives···414.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to siljaline

Mozilla Security - Protecting Users Against Java Security Vulnerability
Vulnerability Update – Aug 29, 2012:

quote:
We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users. Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:

By default, vulnerable versions of Java will be disabled for our Firefox users. Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Original Post Aug 28, 2012

Steps to disable the Java plugin can be found here:
»support.mozilla.org/kb/How+to+tu···+applets
--
Gladiator Security Forum: www.gladiator-antivirus.com/


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

If you see a plugin for the Java "Toolkit," you may as well disable that also.



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2
reply to chachazz

Aw heck...it's always something. I just disabled it in Opera (For now, or unless I desperately need it for something).
--
I had a life once.....now I have a Computer and a Modem.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to chachazz

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to jabarnut

Opera is as bad as Mozilla. I am not allowed to use version 6 on it.

No wonder I use IE8 more these days...I'm forced to as version 6 works fine on it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

1 edit

Well, I've got Java 7 UD 6. Don't like disabling it, because unlike some others here, I do occasionally have use for it. (My ISP's speed test for one, which I like, uses Java...and a few other sites).
But in this case I'll do without for a while I suppose. Hope they don't take forever to release a patch.
--
I had a life once.....now I have a Computer and a Modem.