dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
17

Packeteers
Premium Member
join:2005-06-18
Forest Hills, NY
Asus RT-AC3100
(Software) Asuswrt-Merlin

Packeteers to chachazz

Premium Member

to chachazz

Re: Warning: 0-Day vulnerability in Java 7

OK thanks guys for helping me see that distinction. so i went into the java control panel from my desktop and disabled v1.7 of java, and enabled javascript in chrome so i am now back to spending money on items i can live without

so back to my original question...

what link can i watch to see when the fix is out from oracle on v1.7 of java?
redwolfe_98
Premium Member
join:2001-06-11

4 edits

1 recommendation

redwolfe_98

Premium Member

said by Packeteers:

OK thanks guys for helping me see that distinction. so i went into the java control panel from my desktop and disabled v1.7 of java, and enabled javascript in chrome so i am now back to spending money on items i can live without

i just want to mention that you should disable JAVA (not "javascript" ) within chrome's settings-options.. chrome comes with its own version of "java" and you have to disable it from within chrome's settings-options, at least that is my understanding..

to answer your question about how to know when an update for "java" is available, you are joking, right? you know the answer.. visit the DSLReports forum

p.s. if you don't need "java" you could just uninstall it and forget about it.. i don't have it installed on my computer.. yea, there are some compromises.. if something requires java, you can't run it, not without "java" installed..

mele said that she needs "java" in order to be able run a particular "speed-test".. she doesn't want to compromise.. (there are lots of "speed-tests" that don't require "java" )..

personally, i try to lock down my computer, to make it secure, and part of doing that is not having "java" installed when i can live without it..

if you think that you have to have "java", i would suggest that you keep it disabled except for when it is needed, which probably would be very very very rarely..

there might be some websites that prompt you to install "java", but that doesn't mean that it has to be installed in order to be able to use the websites.. i just go ahead and use the websites without installing "java"..

if someone plays games at the "pogo" website, they would need "java" for that.. personally, i don't care for the "pogo" website and i don't mind compromising and not playing games there.. actually, i think the "pogo" website was responsible for a lot of malware-infections, in the past, because it required people to install "java" which then was exploited, where many people were getting infected with "coolwebsearch".. the version of "java" that was being distributed by the "pogo" website was outdated and vulnerable, which led to the "coolwebsearch" infections..

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game

Premium Member

I run it on win7 with chrome...and I doubt they can whacked it in XP on chrome sandbox no matter what is claimed they can do.

News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre’ M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

»krebsonsecurity.com/tag/ ··· 12-4681/

CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.
Reimer
join:2006-08-14
Toronto, ON

Reimer

Member

Chromes sandbox doesn't protect against plugins though. Except, of course, for its built-in PDF and flash.

However, Chrome does block java applets by default. The question is whether or how the exploit seems to bypass that.
redwolfe_98
Premium Member
join:2001-06-11

2 edits

redwolfe_98 to Name Game

Premium Member

to Name Game
said by Name Game:

I doubt they can whacked it in XP on chrome sandbox no matter what is claimed they can do

this vulnerability seems different from what is normally seem..

thinking about it, from what i read, the vulnerability functions in a way that is similar to what was done when "chrome" was "pwned" by "vupen", not too long ago, where they were able to run code in a place where it wasn't suppose to be able to run..

from what i read about the vulnerability, i got the impression that someone just overlooked something, in the coding, making "java" vulnerable to being exploited..

in the past, google has been pretty quick to respond to problems with chrome.. (incidentally, it seems like there have been a whole hell of a lot of patches for chrome, lately).. if google is serious about having a secure browser, i think they should promptly "kick out" a java-free version of chrome.. or, using their "cloud" remote-control, nuke "java", instead..one or the other, if they are serious about having a secure browser..
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to redwolfe_98

Premium Member

to redwolfe_98
said by redwolfe_98:

mele said that she needs "java" in order to be able run a particular "speed-test".. she doesn't want to compromise.. (there are lots of "speed-tests" that don't require "java" )..

personally, i try to lock down my computer, to make it secure, and part of doing that is not having "java" installed when i can live without it..

It is not because I am unwilling to "compromise". Flash speed tests are completely worthless. For one thing, they test capacity only...In other words...they test to see if your ISP has actually allocated the amount of speed that you pay for. But capacity has NOTHING to do with your actual speed or the quality of your speed. For instance, I am paying for 15mbps down. I got it about a month ago and it is a RIP OFF. I get EXACTLY the SAME speed, quality wise, on it that I was getting on Standard RR at 10 mbps down. Plus, on Standard RR, I got PowerBoost. Anyone with that on their line (and your ISP cannot remove it just for you) should never do a Flash speed test as it will be grossly inflated by PowerBoost ...less inflated by Java speed test and on the quality test I linked to earlier no inflation but that is the only test out there (except for Sam Knows for us FCC testers) that can do an accurate quality test on a line with PowerBoost. I don't get PowerBoost at all on 15mbps down. So, I could do a Flash capacity test (to avoid Java) but that would tell me my speed is 14.85 mbps. I do a quality test which REQUIRES JAVA and I see that my line quality is shit...the speed is extremely erratic and I see a lot of other problems ...nicely detailed for me with a lot of explanation and white papers I can read so I can be educated and force my ISP to fix things...until the next breakdown and those happen really frequently here.

Also, on the Quality test, to a fancy dedicated server in Los Angles, I get 7.25mbps down and, sometimes, a Quality of Service of 95% (other times as low as 2%). This test tells me what speed I have for NetFlix streaming, Hulu streaming, etc. This test tells me the truth. A Flash test to most locations in California would say (if I still had PowerBoost) that I have around 23mbps down. That is on 10mbps down. But if I did this Java Quality test, when I had 10mbps down, I would average 7.25mbps down and quality ranging from 95% to as low as 2%.

On 15mbps down, I still get 7.25mbps on the Quality Java test from the link I gave earlier. That means that paying $10 a month more for 15mbps down is not worth it. It is a ripoff. It APPEARS worth it if you do a crappy flash test which just tests to see the capacity of your line not the quality. Quality of your connection is the ONLY important thing as long as you have 3mbps down (or higher).

So, I choose to see the truth about my speed. Plus, I happen to own MySpeed (an older version and I want to upgrade to a newer version). I can start it and tell it to test to a particular server in the list, every 10 minutes, for as long as I want. I get great data to show my ISP and they have fixed my line several times based on the data. They use MySpeed test on their gateways so they know it is the best in the industry and they respect its results.

So, you think I should just forget the money I spent on MySpeed software because I am unwilling to "compromise"? It is a lot more than a minor compromise. I do wish that Oracle would take better care of Java but I can't force them to do that. I also suspect that if I could afford DOCSIS 3 speeds now offered by ISP that it might not matter about speed tests but I really had to think hard before adding just an additional $10 per month to my bill. No way I can afford now, or probably ever, the higher DOCSIS 3 speeds.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

Here is a java one I use while in Pennsylvania..how does it work for you ?

»ptd.net/tiki-index.php?p ··· peedtest
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

typing with one hand...lot's of pain, stiffness suddenly in one hand around the thumb...typing aggravates greatly. icing now...

that test is abbreviated version of MySpeed. gave me 2.34mbps down. too far away...150ms round trip...too high for good speed.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

1 edit

rcdailey to redwolfe_98

Premium Member

to redwolfe_98
I have found that if Java is disabled by way of the Java console, then it does not work in Chrome. Chrome comes with its own version of Flash, but not Java, so far as I can see. If it did, then why would it not work when Java is disabled in the Java console? There are plugins for Java in Chrome, so it is possible to disable Java in Chrome without disabling Java completely or uninstalling Java. I did not want to uninstall Java so that is why I disabled it via the console as well as disabling the plugins.

DocDrew
How can I help?
Premium Member
join:2009-01-28
SoCal

DocDrew to Mele20

Premium Member

to Mele20
Mele20 have you ever tweaked (adjusted RWIN and other TCP settings) on your XP computer for new speeds you've been provisioned with over the years?

Check here:
»/tweaks
redwolfe_98
Premium Member
join:2001-06-11

redwolfe_98 to rcdailey

Premium Member

to rcdailey
said by rcdailey:

I have found that if Java is disabled by way of the Java console, then it does not work in Chrome. Chrome comes with its own version of Flash, but not Java, so far as I can see. If it did, then why would it not work when Java is disabled in the Java console? There are plugins for Java in Chrome, so it is possible to disable Java in Chrome without disabling Java completely or uninstalling Java. I did not want to uninstall Java so that is why I disabled it via the console as well as disabling the plugins.

OK, rcdailey.. i saw another article, somewhere, recently, where it was talking about disabling "java" because of another vulnerability that it had and the article said to use the "java" settings that can be accessed from windows "control panel" to disable it, and also to disable it in the chrome-browser's settings-options, so that was where i got the idea that chrome had its own version of "java" which could only be disabled from within chrome's settings-options.. i don't use "chrome" so i am not familiar with it..

i wish i could remember where i saw that article that talked about disabling "java", but i can't remember where i saw it..
redwolfe_98

3 edits

redwolfe_98 to DocDrew

Premium Member

to DocDrew
said by DocDrew:

Mele20 have you ever tweaked the RWIN and other TCP settings on your XP computer

i was wondering the same thing.. i imagine that mele already considered tweaking the TCP/IP settings on her computer..

i tried using some utility, years ago, to tweak the TCP/IP settings on my computer and it make a pretty big difference.. i went from download-speeds of about 2.7 MBPS to about 8 MBPS.. (it was advertized as having a 3 MBPS download-speed).. that was years ago.. with my current connection, i would say i get 20 MBPS.. somtimes the speed-tests show that i am getting 30 MBPS, if i do the tests late at nite..

i use "roadrunner" and their system will throttle-back my connection speed when i am doing speed-tests.. it is advertised as having an 8 MBPS download-speed..

i was going to attach a reg-file that i use to tweak the TCP/IP settings on my computer but it might not be appropriate for other computers so i didn't attach it..

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to Mele20

Premium Member

to Mele20
said by Mele20:

typing with one hand...lot's of pain, stiffness suddenly in one hand around the thumb...typing aggravates greatly. icing now...

that test is abbreviated version of MySpeed. gave me 2.34mbps down. too far away...150ms round trip...too high for good speed.

Bummer cause I tried your java speed test and I get the same as the one here in PA.

planet
join:2001-11-05
Oz

1 edit

planet

Member

Round Two with this exploit:
Taken from here:
»krebsonsecurity.com/

"Researchers: Java Zero-Day Leveraged Two Flaws:
New analysis of a zero-day Java exploit that surfaced last week indicates that it takes advantage of not one but two previously unknown vulnerabilities in the widely-used software. The latest figures suggest that these vulnerabilities have exposed more than a billion users to attack."

I've now removed Java from all of my PCs. I've had it off my desktop and laptop for awhile. I'd left it on my daughter's laptop but when I uninstalled it recently, I didn't update...my daughter is using an ipad moreso nowadays anyway.

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey to redwolfe_98

Premium Member

to redwolfe_98
Yeah, and it happens that I had looked quickly at IE8 and disabled the two loaded Java plugins, but initially missed the other two. I had to disable them as well, at least if I did not disable Java in the control panel. I also mistakenly referred to the Java console, but it is the Java panel in Windows settings where Java can be disabled. It's probably smarter, if you or I really don't intend to use Java, to simply uninstall it completely. That way it really would not be possible for it to be compromised. However, maybe Oracle will fix the vulnerability and I do like to use the Java speed test here.
19579823 (banned)
An Awesome Dude
join:2003-08-04

1 edit

19579823 (banned) to Name Game

Member

to Name Game

 

Thats a good test!!!

Thank you... I find JAVA works better than flash! (Not as CPU intensive,etc)



EDIT:

It says my DL speed is 1.98Megs which i think is way off!!



I think the results from this one are more accurate

»www.computers4sure.com/speed.asp

Says my DL is 2386k

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by 19579823:

I think the results from this one are more accurate

Not for me. It told me 2740.1 Kbps which is way low.

I typically get 10.3Mbps from this site.

»www.speedtest.net




Even C/Net's test gave me 7,333Kbps.

»webservices.cnet.com/bandwidth/