StuartMW
Premium Member
join:2000-08-06

Java is still exploitable and is likely going to remain so.

quote:
We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit pack included an exploit for a new, unpatched, Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

»isc.sans.edu/diary/Java+ ··· o+/14899

Also

New Java 0-day exploited in the wild

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

Also cited:
• »malware.dontneedcoffee.c ··· ble.html
• »arstechnica.com/security ··· he-wild/
Addendum:
• »www.securelist.com/en/bl ··· ribution

newview
Ex .. Ex .. Exactly
Premium Member
join:2001-10-01
Parsonsburg, MD

to StuartMW
I can't even get Java 7u10 to work ...

»forums.oracle.com/forums ··· 10777378

hmmm ... might be a GOOD thing.

garys_2k
Premium Member
join:2004-05-07
Farmington, MI

to StuartMW
I remember when Java first came out and it was said to "incorporate security within its core design" or some-such nonsense. Yeah, that's worked out well...

redwolfe_98
Premium Member
join:2001-06-11

to StuartMW
Here is a related article:

»nakedsecurity.sophos.com ··· vajar-b/

I wish the title of the thread was something like "Java Zero-Day" or "Oracle Java Zero-Day".

rfhar
The World Sport, Played In Every Country
Premium Member
join:2001-03-26
Buicktown,Mi

to StuartMW
I disabled Java when I first read of these problems some months ago and have not found a site that needs it yet.

rfhar

to StuartMW
US-CERT tells users to disable Java in browsers after exploit

»www.computerworld.com/s/ ··· _exploit

Smokey Bear
veritas odium parit
Premium Member
join:2008-03-15
Annie's Pub

said by rfhar:
US-CERT tells users to disable Java in browsers after exploit

Vulnerability Note VU#625617: »www.kb.cert.org/vuls/id/625617
said by VU#625617:
Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
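A way to verify the two settings the note above describes from a script, as an added example that is not part of the thread or of US-CERT's note: it reads Java's per-user deployment.properties and reports whether browser content is off and where the security slider sits. The key names `deployment.webjava.enabled` and `deployment.security.level`, the file locations in `CANDIDATE_PATHS`, the MEDIUM default and the slider semantics are assumptions on my part, not something the note states; the sample file is constructed.

```python
"""Audit a Java 7u10+ deployment.properties file for the two settings the
US-CERT note is about: browser content on/off and the security slider.

Added example, not code from US-CERT, Oracle or the thread. Assumptions:
the Control Panel's "Enable Java content in the browser" box (and the
WEB_JAVA=0 installer switch) is persisted as `deployment.webjava.enabled`,
the slider as `deployment.security.level`, and the per-user file lives at
one of the paths in CANDIDATE_PATHS.
"""
import os
import sys

# Constructed sample of a per-user file after disabling browser content and
# raising the slider; the timestamp, version and path values are made up.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Sun Jan 13 10:00:00 EST 2013
deployment.version=7.10
deployment.webjava.enabled=false
deployment.security.level=HIGH
deployment.javaws.jre.0.path=C\\:\\\\Program Files\\\\Java\\\\jre7\\\\bin\\\\javaw.exe
"""

CANDIDATE_PATHS = [  # assumed locations: Windows first, then Linux/macOS
    os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                 "Sun", "Java", "Deployment", "deployment.properties"),
    os.path.expanduser("~/.java/deployment/deployment.properties"),
]


def _unescape(value):
    """Undo the backslash escaping Java's Properties writer applies
    (':' and '\\' are written as '\\:' and '\\\\')."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal .properties parser: skips comments and blank lines, splits on
    the first '=' and unescapes the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = _unescape(value.strip())
    return props


def audit(props):
    """Return (browser_java_disabled, security_level, findings).

    Defaults when a key is absent (assumed 7u10 behaviour): browser content
    enabled and slider at MEDIUM.
    """
    web_enabled = props.get("deployment.webjava.enabled", "true").lower() != "false"
    level = props.get("deployment.security.level", "MEDIUM").upper()
    findings = []
    if web_enabled:
        findings.append("Java content in the browser is enabled; untick it in the "
                        "Java Control Panel or deploy with WEB_JAVA=0")
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append("security slider is %s; HIGH or VERY_HIGH prompts before "
                        "running unsigned applets (assumed 7u10 semantics)" % level)
    return (not web_enabled), level, findings


def main(argv):
    # An explicit path wins; otherwise try the assumed locations, then the sample.
    path = next((p for p in [*argv[1:], *CANDIDATE_PATHS] if os.path.isfile(p)), None)
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        print("reading", path)
    else:
        text = SAMPLE_PROPERTIES
        print("no deployment.properties found; using the constructed sample")
    disabled, level, findings = audit(parse_properties(text))
    print("browser Java disabled:", disabled, "| slider:", level)
    for finding in findings:
        print(" -", finding)
    return 0 if not findings else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample, or pass the path of a real deployment.properties; a non-zero exit means at least one of the two settings is not at the value the note recommends, which makes it easy to wire into a login script.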

DownTheShore
Pray for Ukraine
Premium Member
join:2003-12-02
Beautiful NJ

to StuartMW
Pale Moon itself apparently disabled the Java platform during a recent update; it's showing an alert that Java SE 7 U4 is known to cause stability or security issues.

thinkpad
join:2000-07-26
Stamford, CT

to StuartMW
Does this only affect Java 7 and not Java 6?

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

ESET's Robert Lipovsky wrote:
quote:
The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected.
Blog entry

chachazz
Premium Member
join:2003-12-14

to StuartMW
Mozilla has blocked all versions of Java:

Mozilla Security Blog - Protecting Users Against Java Vulnerability
»blog.mozilla.org/securit ··· ability/

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mozilla has not blocked Java. I don't see any block when I go to, for instance, »web100.rit.edu:7123/ to do a speed test. Java itself first gives me a popup security warning and I have to tell Java that I wish to allow the applet at this site to load. Then and only then does it load. But that is not Mozilla's doing. That is because of how I set the security slider in the latest Java panel.

I had those Mozilla blocks on XP because I had an old version of Java there until recently and I don't get those on Win8 with the latest Java on Fx 10.0.10 ESR.

Maybe Mozilla has only blocked it for those who have not put the security slider high? Or those who have earlier versions of Java with no security slider?

therube
Member
join:2004-11-11
Randallstown, MD

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)
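One way to read that file without squinting at it in Notepad, as an added example that is not from the thread or from Mozilla: a Python script that parses blocklist.xml and lists the pluginItem entries whose regexes match the installed Java plugin. The XML layout follows Mozilla's addons-blocklist format as I know it (`pluginItems` / `pluginItem` / `match` / `versionRange`), the sample entries and block IDs are constructed, and the meaning given to `severity` and `vulnerabilitystatus` in `describe()` is my reading of the format, not something the thread states.

```python
"""Read a Firefox blocklist.xml and report which <pluginItem> entries apply
to a given plugin (added example; not Mozilla's code or the thread's).

Assumptions: the file follows Mozilla's addons-blocklist structure
(<pluginItems><pluginItem blockID=...> with <match name=... exp=.../>
regexes and <versionRange .../>), and the severity / vulnerabilitystatus
readings in describe() are my reading of that format.
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed sample in the shape of blocklist.xml; block IDs and regexes
# are made up and do not reproduce Mozilla's real entries.
SAMPLE_BLOCKLIST = """<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist" lastupdate="0">
  <pluginItems>
    <pluginItem blockID="example-java-7">
      <match name="name" exp="Java\\(TM\\) Platform SE 7 U(\\d+)"/>
      <match name="filename" exp="npjp2\\.dll"/>
      <versionRange severity="0" vulnerabilitystatus="1"/>
    </pluginItem>
    <pluginItem blockID="example-flash-old">
      <match name="name" exp="^Shockwave Flash"/>
      <versionRange minVersion="0" maxVersion="10.2.159.0" severity="1"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""


def _version_key(v):
    """Turn '7.0.100.18' into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-_]", v))


def _in_range(vr, version):
    """True if `version` lies inside the versionRange's min/max bounds
    (missing bounds are open; an unknown version is reported conservatively)."""
    if not version:
        return True
    lo, hi = vr.get("minVersion"), vr.get("maxVersion")
    key = _version_key(version)
    if lo and key < _version_key(lo):
        return False
    if hi and key > _version_key(hi):
        return False
    return True


def find_plugin_blocks(xml_text, name, filename="", version=""):
    """Return the entries whose <match> regexes all hit this plugin and whose
    versionRange (if it has bounds) contains `version`."""
    root = ET.fromstring(xml_text)
    plugin = {"name": name, "filename": filename}
    hits = []
    for item in root.findall("./bl:pluginItems/bl:pluginItem", NS):
        matches = item.findall("bl:match", NS)
        # Every <match> must hit; a match on a field we don't know fails.
        if not all(re.search(m.get("exp", ""), plugin.get(m.get("name"), ""))
                   for m in matches):
            continue
        for vr in item.findall("bl:versionRange", NS) or [None]:
            if vr is not None and not _in_range(vr, version):
                continue
            hits.append({
                "blockID": item.get("blockID"),
                "severity": vr.get("severity") if vr is not None else None,
                "status": vr.get("vulnerabilitystatus") if vr is not None else None,
            })
    return hits


def describe(hit):
    """Plain-English reading of the flags (my reading of the format:
    severity 0 = soft block / click-to-play unless the user overrides,
    1 = hard block; vulnerabilitystatus 1 = vulnerable, update available,
    2 = vulnerable, no update available)."""
    sev = {"0": "soft block (click-to-play)", "1": "hard block"}.get(hit["severity"], "block")
    vuln = {"1": "vulnerable, update available", "2": "vulnerable, no update"}.get(hit["status"])
    return "%s: %s%s" % (hit["blockID"], sev, " - " + vuln if vuln else "")


def main(argv):
    if len(argv) > 1:  # path to <profile>/blocklist.xml
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BLOCKLIST
        print("no path given; using the constructed sample")
    # Plugin identity as about:plugins would show it (constructed values).
    for hit in find_plugin_blocks(text, "Java(TM) Platform SE 7 U10", "npjp2.dll", "10.10.2"):
        print(describe(hit))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the blocklist.xml in your profile directory and compare the output against the name, filename and version shown in about:plugins; an empty result for Java means no entry in that file applies to that plugin.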

kickass69
Member
join:2002-06-03
Lake Hopatcong, NJ

to chachazz
Better question is...is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run and what's not.

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

to StuartMW
Oracle Corp to fix Java security flaw "shortly"
quote:
(Reuters) - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.

"A fix will be available shortly," the company said in a statement released late on Friday.

Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.
Article

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

to Mele20
said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.


La Luna

to therube
said by therube:

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)

I see a bunch of Java related items in that file.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

to therube
What should I use to read that file? It's hard to read in Notepad or Wordpad. But I don't see anything in it about Java...but being so hard to read I could have missed an entry.

What does this statement from Mozilla mean?

"Always activate Java for a site

If you have a trusted site that uses Java and you need to use that site often, you can make Java work normally on just that website.

Click the red plugin icon in the address bar and a message window will open.
At the bottom of the message window, click the Activate All Plugins dropdown menu and choose Always activate plugins for this site."

»support.mozilla.org/en-U ··· r-a-site

I don't see a red plugin icon in the address bar on a site that uses a Java applet. In fact, I usually see nothing but an address. I frequently don't get the site icons or even sometimes secure icons, etc. I haven't since Mozilla messed with all that quite a while ago. And this is true on my NEW computer also. I usually just get a strange round gray ball instead of an icon. The install of Fx 10 is only two months old. Plus, I updated Fx yesterday to 10.0.12. I suppose the red plugin icon in the address bar must not apply to version 10.0.12 ESR.

I still think the way to go is to set the Java slider HIGH and I think because I did that is why Mozilla is not blocking my Java. The function is quite similar to what Mozilla describes for how to always activate a plugin on a trusted site. You can do that in Java itself now. Did Mozilla fail to notice these latest changes in Java?

Mele20

to La Luna
said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.

[attachment 1: screenshot]

That's an old version. Do you have the current version?

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

Not sure what you mean. 18.0 is the newest version of Firefox, which is what I have. Just updated to it on Friday.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

I'm sorry....I wasn't clear at all. I meant your Java version. It's not the latest (judging from your screenshot...which could be an older screenshot and not reflective of your current Java version). Is that screenshot from your computer or a Mozilla webpage? Whatever, it is showing an older version of Java. (I had thought perhaps Java was blocked for you because the version in your screenshot is not the latest), but since then I read the Mozilla forum and learned Mozilla has been very inconsistent in that they are blocking on CURRENT versions of Fx but NOT blocking on 10.0.12 ESR which is a CURRENTLY SUPPORTED VERSION. It's supported until the middle of Feb and I am still using it because I had enough on my plate dealing with Win 8 and didn't need a major browser upgrade at the same time. So, now I realize that the reason it is not blocked for me is because of Mozilla's inconsistency.

MarkAW
Barry White
Premium Member
join:2001-08-27
Canada

to Mele20
said by Mele20:

said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.

That's an old version. Do you have the current version?

Current enough for you?

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Yeah...that's the version I have. But I don't have that warning. Mozilla forgot that 10.0.12 is still currently supported.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

to Mele20
Yes, that is from my computer. I didn't update that last Java update as it still wasn't secure. I just disabled it entirely. I find I so far don't need it anyway.

Sorry for the confusion on my end.

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

to Mele20
The warning only appears in Firefox 17 and above.

Hopefully we'll see a new Java update soon. I thought it laughable when Oracle announced they were only going to release updates every three months. That was an open invitation to the black hat community:

"We're going to do updates on a pre-set schedule so we can reduce costs and make our CEO and shareholders more money, even at the expense of our product's security. Feel free to exploit our product in between our scheduled updates."

I expected something like this to happen.

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

New update is out, v7u11.

»JAVA 7u11 now available for download

SafireDonkey
Premium Member
join:2006-10-29
89000

Ah, even more wide open holes!

DrStrange
Technically feasible
Premium Member
join:2001-07-23
Bristol, CT

to La Luna
Thanks. Just installed that and made plans for emergency deployment at work tomorrow and for my private business customers this evening.

deke40
Premium Member
join:2003-01-23
Texas

to StuartMW
I disabled the Java on my system but tonight I noticed another Java entry (JavaFX 2.1.1) in my programs list. What is it and did it come in on a Java update?