1 recommendation |
StuartMW
Premium Member
2013-Jan-10 11:18 am
Java is still exploitable and is likely going to remain so.
quote: We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit pack included an exploit for a new, unpatched, Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].
» isc.sans.edu/diary/Java+ ··· o+/14899
Also New Java 0-day exploited in the wild |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC 1 edit |
|
|
newviewEx .. Ex .. Exactly Premium Member join:2001-10-01 Parsonsburg, MD |
to StuartMW
I can't even get Java 7u10 to work ... » forums.oracle.com/forums ··· 10777378
hmmm ... might be a GOOD thing. |
|
garys_2k Premium Member join:2004-05-07 Farmington, MI
1 recommendation |
to StuartMW
I remember when Java first came out and it was said to "incorporate security within its core design" or some-such nonsense. Yeah, that's worked out well... |
|
|
to StuartMW
Here is a related article: » nakedsecurity.sophos.com ··· vajar-b/
I wish the title of the thread was something like "Java Zero-Day" or "Oracle Java Zero-Day".. |
|
rfharThe World Sport, Played In Every Country Premium Member join:2001-03-26 Buicktown,Mi
1 recommendation |
to StuartMW
I disabled Java when I first read of these problems some months ago and have not found a site that needs it yet. |
|
rfhar |
to StuartMW
US-CERT tells users to disable Java in browsers after exploit » www.computerworld.com/s/ ··· _exploit |
|
Smokey Bearveritas odium parit Premium Member join:2008-03-15 Annie's Pub
1 recommendation |
said by rfhar: US-CERT tells users to disable Java in browsers after exploit
Vulnerability Note VU#625617: » www.kb.cert.org/vuls/id/625617
said by VU#625617: Disable Java in web browsers
Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details. Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin. Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation. System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
|
|
DownTheShorePray for Ukraine Premium Member join:2003-12-02 Beautiful NJ |
to StuartMW
Pale Moon itself apparently disabled the Java platform during a recent update; it's showing an alert that Java SE 7 U4 is known to cause stability or security issues. |
|
|
to StuartMW
Does this only affect Java 7 and not Java 6? |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
siljaline
Premium Member
2013-Jan-11 11:51 pm
ESET's Robert Lipovsky wrote: quote: The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected.
• Blog entry |
|
|
to StuartMW
|
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2013-Jan-12 4:30 am
Mozilla has not blocked Java. I don't see any block when I go to, for instance, » web100.rit.edu:7123/ to do a speed test. Java itself first gives me a popup security warning and I have to tell Java that I wish to allow the applet at this site to load. Then and only then does it load. But that is not Mozilla's doing. That is because of how I set the security slider in the latest Java panel. I had those Mozilla blocks on XP because I had an old version of Java there until recently and I don't get those on Win8 with the latest Java on Fx 10.0.10 ESR. Maybe Mozilla has only blocked it for those who have not put the security slider high? Or those who have earlier versions of Java with no security slider? |
|
therube join:2004-11-11 Randallstown, MD |
therube
Member
2013-Jan-12 11:29 am
Check the file blocklist.xml (in your Profile directory) & see what that shows.
(SeaMonkey's version is NOT blocking Java, where FF's is.) |
|
|
to chachazz
Better question is...is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run and what's not. |
|
siljalineI'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC |
to StuartMW
Oracle Corp to fix Java security flaw "shortly"
quote: (Reuters) - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.
"A fix will be available shortly," the company said in a statement released late on Friday.
Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.
• Article |
|
La LunaFly With The Angels My Beloved Son Chris Premium Member join:2001-07-12 New Port Richey, FL |
to Mele20
said by Mele20: Mozilla has not blocked Java.
They blocked it on the newest, current version of Fx. 18.0.
|
|
La Luna |
to therube
said by therube: Check the file blocklist.xml (in your Profile directory) & see what that shows.
(SeaMonkey's version is NOT blocking Java, where FF's is.)
I see a bunch of Java related items in that file. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
to therube
What should I use to read that file? It's hard to read in Notepad or Wordpad. But I don't see anything in it about Java...but being so hard to read I could have missed an entry.
What does this statement from Mozilla mean? "Always activate Java for a site If you have a trusted site that uses Java and you need to use that site often, you can make Java work normally on just that website. Click the red plugin icon in the address bar and a message window will open. At the bottom of the message window, click the Activate All Plugins dropdown menu and choose Always activate plugins for this site." » support.mozilla.org/en-U ··· r-a-site
I don't see a red plug in the address bar on a site that uses a Java applet. In fact, I usually see nothing but an address. I frequently don't get the site icons or even sometimes secure icons, etc. I haven't since Mozilla messed with all that quite a while ago. And this is true on my NEW computer also. I usually just get a strange round gray ball instead of an icon. The install of Fx 10 is only two months old. Plus, I updated Fx yesterday to 10.0.12. I suppose the red plugin icon in the address bar must not apply to version 10.0.12 ESR.
I still think the way to go is to set the Java slider HIGH and I think because I did that is why Mozilla is not blocking my Java. The function is quite similar to what Mozilla describes for how to always activate a plugin on a trusted site. You can do that in Java itself now. Did Mozilla fail to notice these latest changes in Java? |
|
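For the blocklist.xml check discussed above, an added example (not part of any post in this thread, and not Mozilla's code) that lists the plugin block entries in readable form and tests a plugin name against them. It assumes the file holds `pluginItem` elements with `match name/exp` and `versionRange` children; the sample XML, the block IDs and the helper names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the assumed blocklist.xml layout; not from a real profile.
SAMPLE = r"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems><emItem blockID="i000" id="example@constructed.invalid"/></emItems>
  <pluginItems>
    <pluginItem blockID="p000">
      <match name="name" exp="Java\(TM\) Platform SE 7 U([0-9]|10)$"/>
      <versionRange severity="1"/>
    </pluginItem>
    <pluginItem blockID="p001">
      <match name="filename" exp="npexample\.dll"/>
      <versionRange minVersion="0" maxVersion="1.0" severity="0"/>
    </pluginItem>
  </pluginItems>
</blocklist>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def plugin_blocks(xml_text):
    """Return one dict per <pluginItem>: block ID, match rules, version ranges."""
    blocks = []
    for item in ET.fromstring(xml_text).iter():
        if local(item.tag) != "pluginItem":
            continue
        rules = {c.get("name"): c.get("exp", "") for c in item if local(c.tag) == "match"}
        ranges = [dict(c.attrib) for c in item if local(c.tag) == "versionRange"]
        blocks.append({"blockID": item.get("blockID"), "rules": rules, "ranges": ranges})
    return blocks

def blocks_for(xml_text, name, filename=""):
    """Block IDs whose match rules all fit this plugin (assumed semantics).
    Version ranges are reported by plugin_blocks() but not evaluated here."""
    plugin = {"name": name, "filename": filename}
    return [b["blockID"] for b in plugin_blocks(xml_text)
            if b["rules"] and all(re.search(exp, plugin.get(field, ""))
                                  for field, exp in b["rules"].items())]

if __name__ == "__main__":
    for b in plugin_blocks(SAMPLE):
        print(b["blockID"], b["rules"], b["ranges"])
    print(blocks_for(SAMPLE, "Java(TM) Platform SE 7 U10"))
```

To run it against a real profile, read the file's text and pass it in place of `SAMPLE`; the plugin name to test is the one shown in the browser's plugin list.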
Mele20 |
to La Luna
said by La Luna: said by Mele20: Mozilla has not blocked Java.
They blocked it on the newest, current version of Fx. 18.0. [att=1]
That's an old version. Do you have the current version? |
|
La LunaFly With The Angels My Beloved Son Chris Premium Member join:2001-07-12 New Port Richey, FL |
La Luna
Premium Member
2013-Jan-13 1:04 am
Not sure what you mean. 18.0 is the newest version of Firefox, which is what I have. Just updated to it on Friday. |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2013-Jan-13 1:25 am
I'm sorry....I wasn't clear at all. I meant your Java version. It's not the latest (judging from your screenshot...which could be an older screenshot and not reflective of your current Java version). Is that screenshot from your computer or a Mozilla webpage? Whatever, it is showing an older version of Java. (I had thought perhaps Java was blocked for you because the version in your screenshot is not the latest), but since then I read the Mozilla forum and learned Mozilla has been very inconsistent in that they are blocking on CURRENT versions of Fx but NOT blocking on 10.0.12 ESR which is a CURRENTLY SUPPORTED VERSION. It's supported until the middle of Feb and I am still using it because I had enough on my plate dealing with Win 8 and didn't need a major browser upgrade at the same time. So, now I realize that the reason it is not blocked for me is because of Mozilla's inconsistency. |
|
MarkAWBarry White Premium Member join:2001-08-27 Canada |
to Mele20
said by Mele20: said by La Luna: said by Mele20: Mozilla has not blocked Java.
They blocked it on the newest, current version of Fx. 18.0.
That's an old version. Do you have the current version?
Current enough for you?
|
|
Mele20 Premium Member join:2001-06-05 Hilo, HI |
Mele20
Premium Member
2013-Jan-13 1:48 am
Yeah...that's the version I have. But I don't have that warning. Mozilla forgot that 10.0.12 is still currently supported. |
|
La LunaFly With The Angels My Beloved Son Chris Premium Member join:2001-07-12 New Port Richey, FL |
to Mele20
Yes, that is from my computer. I didn't update that last Java update as it still wasn't secure. I just disabled it entirely. I find I so far don't need it anyway.
Sorry for the confusion on my end. |
|
DrStrangeTechnically feasible Premium Member join:2001-07-23 Bristol, CT |
to Mele20
The warning only appears in Firefox 17 and above.
Hopefully we'll see a new Java update soon. I thought it laughable when Oracle announced they were only going to release updates every three months. That was an open invitation to the black hat community:
"We're going to do updates on a pre-set schedule so we can reduce costs and make our CEO and shareholders more money, even at the expense of our product's security. Feel free to exploit our product in between our scheduled updates."
I expected something like this to happen. |
|
La LunaFly With The Angels My Beloved Son Chris Premium Member join:2001-07-12 New Port Richey, FL
1 recommendation |
La Luna
Premium Member
2013-Jan-13 4:25 pm
|
|
1 recommendation |
Ah, even more wide open holes ! |
|
DrStrangeTechnically feasible Premium Member join:2001-07-23 Bristol, CT
1 recommendation |
to La Luna
Thanks. Just installed that and made plans for emergency deployment at work tomorrow and for my private business customers this evening. |
|
deke40deke40 Premium Member join:2003-01-23 Texas |
to StuartMW
I disabled the Java on my system but tonight I noticed another Java entry (JavaFX 2.1.1) in my programs list. What is it and did it come in on a Java update? |
|