

siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to redwolfe_98

Re: Warning: 0-Day vulnerability in Java 7

My bad, redwolfe_98

This should cover all the bases

Hat Tip to carpetshark3 for the link.

leaving screenshot - but ignore as it is erroneous



DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:15
reply to rcdailey

said by rcdailey:

said by KoRnGtL15:

Firefox is my main browser. What is it that I should be disabling and Mozilla most likely will be doing? Is it the 2 Java plugins? Using latest version of java. I don't use IE but obviously it is installed as well for that. That should be disabled as well? At this rate. Maybe it is best to just uninstall Java completely until this is fixed?

***EDIT***

Java(TM) Platform is the one to disable according to link.

Right, but look for the two plug-ins within Firefox, because if you disable those, then Java won't run in Firefox.

These plug-ins:


--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

I would hate to see someone run a plug-in check on Mozilla and then download Java if it had not been installed


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to chachazz

Blackhole: Faster Than the Speed of Patch
Posted by Karmina @ 16:10 GMT

And before Oracle can release a patch for the new Java zero-day exploit that we wrote about earlier today, Blackhole waltzes onto the scene with an update of its own. So the exploit kit users can now avail of the latest BH, now with the new CVE-2012-4681 exploit.

We wonder if this will actually spike Blackhole sales.

The authors seem to be in such a hurry that they can't think of new names anymore (click the images for a larger view):

»www.f-secure.com/weblog/archives···414.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to siljaline

Mozilla Security - Protecting Users Against Java Security Vulnerability
Vulnerability Update – Aug 29, 2012:

quote:
We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users. Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.
We are still working out the implementation details, but our solution will accomplish two primary objectives:

By default, vulnerable versions of Java will be disabled for our Firefox users.
Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.

Original Post Aug 28, 2012

Steps to disable the Java plugin can be found here:
»support.mozilla.org/kb/How+to+tu···+applets
--
Gladiator Security Forum: www.gladiator-antivirus.com/


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

If you see a plugin for the Java "Toolkit," you may as well disable that also.



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2
reply to chachazz

Aw heck...it's always something. I just disabled it in Opera (For now, or unless I desperately need it for something).
--
I had a life once.....now I have a Computer and a Modem.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to chachazz

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Fx is not Chrome. Mozilla has no business telling me what I can and cannot use on my browser. They are much worse now than Microsoft. HYPOCRITES also since they caved to Melih but now try and say how much they protect their users. BS.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to jabarnut

Opera is as bad as Mozilla. I am not allowed to use version 6 on it.

No wonder I use IE8 more these days...I'm forced to as version 6 works fine on it.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

1 edit

Well, I've got Java 7 UD 6. Don't like disabling it, because unlike some others here, I do occasionally have use for it. (My ISP's speed test for one, which I like, uses Java...and a few other sites).
But in this case I'll do without for a while I suppose. Hope they don't take forever to release a patch.
--
I had a life once.....now I have a Computer and a Modem.


starfish8

join:2004-06-30
reply to chachazz

Why isn't the IE Oracle add-on called Deployment Toolkit uninstalled when Java 7 Update 6 is uninstalled? You need to display all add-ons to see it.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

said by Mele20:

Opera is as bad as Mozilla. I am not allowed to use version 6 on it.

No wonder I use IE8 more these days...I'm forced to as version 6 works fine on it.

I think the exploiters would be happy you have gone back to version 6..they might be counting on it since...

This means that there might be, for example, more computers on the Internet that run outdated installations of Java 6 that are vulnerable to older Blackhole exploits, than computers running Java 7.

»www.pcworld.com/businesscenter/a···cks.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


jap
Premium
join:2003-08-10
038xx
reply to starfish8

said by starfish8:

Why isn't the IE Oracle add-on called Deployment Toolkit uninstalled when Java 7 Update 6 is uninstalled? You need to display all add-ons to see it.

If you mean there is no Java installation remaining on your system then it's probably because the uninstaller left behind a .dll file which IE is still seeing. In versions 6.xx the file npdeploytk.dll was left lying around and confused some apps but I don't know if that's the one IE looks at.

You can go in and manually delete any and all Java program directories then clean the registry if you feel comfortable performing such tasks. Again, assuming you've done away with all Java installs, not just the mentioned v7,u6.

Related note: the Java Toolkit add-on is a forced component of Java starting with v6,u10 and is turned on by default. Does not get disabled when you disable the Java Console or Platform and cannot be removed. All you can do is disable it in browser.

Cheers!


coldmoon
Premium
join:2002-02-04
Broadway, NC

1 recommendation

reply to chachazz

New update - J7 U7:

»java.com/en/download/manual.jsp

FYI



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit


Java 7 Update 7
Thanks muchly. Downloading now.


sbconslt

join:2009-07-28
Los Angeles, CA
reply to coldmoon

Of interest, they also released JRE 6u35, bumped the security baseline to 6u35, and called it a security fix release for CVE-2012-4681, the vulnerability in question. So, either the engineering staff that produces the JRE believes the security risk extended to JRE 6, contrary to the original report from the discoverer, or they fixed a form of the vulnerability that was not exploited with the original attack but existed anyway.
--
Scott Brown Consulting



DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:15

4 edits
reply to Mele20

said by Mele20:

I have Java 6 update 7 (still says "Sun" on the about tab).

said by Mele20:

So, is Mozilla now allowing use of version 6? I had TO STOP using Java on Fx because of them not allowing version 6.

Java version 6 can be used above update 30:
»blog.mozilla.org/addons/2012/04/···ng-java/
said by Mozilla blog April 2012 :
This vulnerability present in the older versions of the JDK and JRE is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox's blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date.

Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms.

Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied.

The Java website also has a different, much older, notice. The Java interface used by versions earlier than Java 6 update 10 isn't compatible with Firefox 3.6 and later (and probably Opera 10.2 and later for the same reason):
»java.com/en/download/faq/firefox···ugin.xml
said by Java website, posted around December 2009 :
Starting in Firefox 3.6, Mozilla foundation will drop support on OJI (Open Java Virtual Machine Integration) and will only support the standard NPAPI and NPRuntime interfaces. The Java Plug-in which is in Java version 6 update 10 or newer versions supports the NPAPI and NPRuntime interfaces. Therefore, starting with Firefox 3.6, Java-based applets will NOT work unless you are running Java version 6 Update 10 or newer.
So Mozilla has always allowed Java 6 to run on Firefox version 3.6 or newer as long as it's been above Java 6 update 10 (I was running Java 6 up until last week). In February 2012 Java blocking was started to a minimum Java 6 update 31. Good reason to update your Java 6 update 7 (released in 2008), since it shouldn't have worked since Firefox 3.6.
--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.
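
A version check built from the thresholds quoted in this thread, added here as an example and not code from any poster, Mozilla, or Oracle. The function names, flag labels, and sample inventory are assumptions constructed for illustration; the `1.7.0_06` form is the notation `java -version` prints.

```python
import re

# Thresholds quoted in this thread, as {major family: update number}.
# Families not named in the thread are not flagged at all.
NPAPI_MIN = {6: 10}            # Java site notice: 6u10+ required by Firefox 3.6+
BLOCKLIST_MAX = {6: 30, 7: 2}  # Mozilla blog, April 2012: this update and below
FIX_UPDATE = {6: 35, 7: 7}     # releases the thread ties to the CVE-2012-4681 fix

PATTERNS = [
    re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?"),             # 1.7.0_06 (java -version)
    re.compile(r"\b(\d+)u(\d+)\b", re.I),                 # 6u35
    re.compile(r"\b(?:java|jre|version|j|v)\s*(\d+)[\s,]+"
               r"(?:update|ud|u)\s*(\d+)", re.I),         # Java 7 Update 6 / v7,u6
]

def parse_java_version(text):
    """Return (family, update) from any notation used in the thread, else None."""
    for pattern in PATTERNS:
        m = pattern.search(text)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    return None

def classify(family, update):
    """List the thresholds from the thread that this install falls below."""
    flags = []
    if update < NPAPI_MIN.get(family, 0):
        flags.append("no-npapi")       # plug-in predates NPAPI support
    if update <= BLOCKLIST_MAX.get(family, -1):
        flags.append("blocklisted")    # on Firefox's April 2012 blocklist
    if update < FIX_UPDATE.get(family, 0):
        flags.append("below-fix")      # older than 6u35 / 7u7
    return flags

def audit(inventory):
    """Map each inventory string to its flags; unparsable entries get None."""
    report = {}
    for entry in inventory:
        parsed = parse_java_version(entry)
        report[entry] = classify(*parsed) if parsed else None
    return report

# Constructed inventory: one sample string per notation seen in the thread.
SAMPLE = ['java version "1.7.0_06"', "Java 6 update 7", "v7,u7", "JRE 6u35", "n/a"]

if __name__ == "__main__":
    for entry, flags in audit(SAMPLE).items():
        print(f"{entry!r:28} {flags}")
```
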


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2
reply to coldmoon

said by coldmoon:

New update - J7 U7:

»java.com/en/download/manual.jsp

FYI

Thanks, coldmoon. But am I missing the release notes? Does this indeed address the 0-Day vulnerability in Java 7?
I mean, I'm all over it if it does. (Don't mind me, it's been a long day and I may have missed something simple somewhere).

If this "fixes" everything, that was pretty darn fast.
--
I had a life once.....now I have a Computer and a Modem.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

said by jabarnut:

But am I missing the release notes?

»www.oracle.com/technetwork/java/···228.html

quote:
This releases address security concerns.

Alert for CVE-2012-4681
--
Don't feed trolls--it only makes them grow!


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

Ah, thanks, Stuart.
Like I said, it's been a long day. (Not really myself). Well, I'm never really myself.
--
I had a life once.....now I have a Computer and a Modem.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Yes well you're "Light Years Away"
--
Don't feed trolls--it only makes them grow!



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

Correct.



trparky
Apple... YUM
Premium,MVM
join:2000-05-24
Cleveland, OH
kudos:2

Guess that the guys behind Java had an "Oh shit!" moment and thought that maybe, just maybe, this deserved an out-of-band update contrary to their normal standard operating procedures.



jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

1 edit

I hear you...and their "standard operating procedures" were not too often for sure.
Glad they were on top of this one.
--
I had a life once.....now I have a Computer and a Modem.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by jabarnut:

Glad they were on top of this one.

Hopefully someone here will "take one for the team" and will visit a known exploit site. Then we'll know for sure if Oracle "did good".
--
Don't feed trolls--it only makes them grow!


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

Excellent suggestion! And since you're the one who suggested it, you're elected.
--
I had a life once.....now I have a Computer and a Modem.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by jabarnut:

...you're elected.

Thank you for your kind offer but I respectfully decline

For whatever reason there have been a ton of software/firmware updates (for software I use) today. It's been non-stop.
--
Don't feed trolls--it only makes them grow!


jabarnut
Light Years Away
Premium,MVM
join:2005-01-22
Galaxy M31
kudos:2

Lol..no problem, Stuart. Hell, I don't want to test it either.
I'll do what I usually do. Just sit around and observe, and see if anyone else has problems in the near future.
--
I had a life once.....now I have a Computer and a Modem.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Well this old Lemming has seen others (and even tried when younger) "jump" but now prefers to watch the less wise do so
--
Don't feed trolls--it only makes them grow!



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
reply to chachazz

ACK