

StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Reviews:
·CenturyLink

Java is still exploitable and is likely going to remain so.

quote:
We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit pack included an exploit for a new, unpatched, Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

»isc.sans.edu/diary/Java+is+still···o+/14899

Also

New Java 0-day exploited in the wild
--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit

Also cited:
• »malware.dontneedcoffee.com/2013/···ble.html
• »arstechnica.com/security/2013/01···he-wild/
Addendum:
• »www.securelist.com/en/blog/20819···ribution



newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
kudos:1

reply to StuartMW
I can't even get Java 7u10 to work ...

»forums.oracle.com/forums/thread.···10777378

hmmm ... might be a GOOD thing.


garys_2k
Premium
join:2004-05-07
Farmington, MI

reply to StuartMW
I remember when Java first came out and it was said to "incorporate security within its core design" or some-such nonsense. Yeah, that's worked out well...


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to StuartMW
here is a related article:

»nakedsecurity.sophos.com/2013/01···vajar-b/

i wish the title of the thread was something like "Java Zero-Day" or "Oracle Java Zero-Day"..



rfhar
The World Sport, Played In Every Country
Premium
join:2001-03-26
Buicktown,Mi

reply to StuartMW
I disabled Java when I first read of these problems some months ago and have not found a site that needs it yet.



rfhar
The World Sport, Played In Every Country
Premium
join:2001-03-26
Buicktown,Mi

reply to StuartMW
US-CERT tells users to disable Java in browsers after exploit

»www.computerworld.com/s/article/···_exploit



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

said by rfhar:
US-CERT tells users to disable Java in browsers after exploit

Vulnerability Note VU#625617: »www.kb.cert.org/vuls/id/625617

said by VU#625617 :
Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.


DownTheShore
Help Moore Oklahoma
Premium
join:2003-12-02
Beautiful NJ
kudos:12

reply to StuartMW
Pale Moon itself apparently disabled the Java platform during a recent update; it's showing an alert that Java SE 7 U4 is known to cause stability or security issues.



thinkpad

join:2000-07-26
Stamford, CT

reply to StuartMW
Does this only affect Java 7 and not Java 6?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

ESET's Robert Lipovsky wrote:

quote:
The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected.
Blog entry


chachazz
Premium
join:2003-12-14
kudos:7

reply to StuartMW
Mozilla has blocked all versions of Java:

Mozilla Security Blog - Protecting Users Against Java Vulnerability
»blog.mozilla.org/security/2013/0···ability/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Mozilla has not blocked Java. I don't see any block when I go to, for instance, »web100.rit.edu:7123/ to do a speed test. Java itself first gives me a popup security warning and I have to tell Java that I wish to allow the applet at this site to load. Then and only then does it load. But that is not Mozilla's doing. That is because of how I set the security slider in the latest Java panel.

I had those Mozilla blocks on XP because I had an old version of Java there until recently and I don't get those on Win8 with the latest Java on Fx 10.0.10 ESR.

Maybe Mozilla has only blocked it for those who have not put the security slider high? Or those who have earlier versions of Java with no security slider?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



therube

join:2004-11-11
Randallstown, MD

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)



kickass69

join:2002-06-03
Lake Hopatcong, NJ

reply to chachazz
Better question is...is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run and what's not.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

reply to StuartMW
Oracle Corp to fix Java security flaw "shortly"

quote:
(Reuters) - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.

"A fix will be available shortly," the company said in a statement released late on Friday.

Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.
Article

--
Another day, another Java 0-day exploit in the wild ...


La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

reply to Mele20

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.



--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11


La Luna
Survived Ashraful
Premium
join:2001-07-12
Warwick, NY
kudos:3

reply to therube

said by therube:

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)

I see a bunch of Java related items in that file.
--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to therube
What should I use to read that file? It's hard to read in Notepad or Wordpad. But I don't see anything in it about Java...but being so hard to read I could have missed an entry.

What does this statement from Mozilla mean?

"Always activate Java for a site

If you have a trusted site that uses Java and you need to use that site often, you can make Java work normally on just that website.

Click the red plugin icon in the address bar and a message window will open.
At the bottom of the message window, click the Activate All Plugins dropdown menu and choose Always activate plugins for this site."

»support.mozilla.org/en-US/kb/how···r-a-site

I don't see a red plug in the address bar on a site that uses a Java applet. In fact, I usually see nothing but an address. I frequently don't get the site icons or even sometimes secure icons, etc. I haven't since Mozilla messed with all that quite a while ago. And this is true on my NEW computer also. I usually just get a strange round gray ball instead of an icon. The install of Fx 10 is only two months old. Plus, I updated Fx yesterday to 10.0.12. I suppose the red plugin icon in the address bar must not apply to version 10.0.12 ESR.

I still think the way to go is to set the Java slider HIGH and I think because I did that is why Mozilla is not blocking my Java. The function is quite similar to what Mozilla describes for how to always activate a plugin on a trusted site. You can do that in Java itself now. Did Mozilla fail to notice these latest changes in Java?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
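
Added example, not part of any post in this thread: a short Python script for the question above about reading blocklist.xml, listing the plugin entries that look Java-related together with their version ranges. The namespace, element names and attribute names are assumptions modelled on the Firefox blocklist format of that period, and the sample document (block IDs, versions) is constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Assumed namespace of Firefox's blocklist.xml (not quoted in the thread).
NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}
# Heuristic for Java plugin file names such as npjp2.dll or JavaPlugin2_NPAPI.plugin.
JAVA_HINT = re.compile(r"java|npjp", re.IGNORECASE)

# Constructed sample; block IDs and versions are placeholders, not real entries.
SAMPLE = r"""<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem blockID="p-sample-flash">
      <match name="filename" exp="NPSWF32\.dll"/>
      <versionRange minVersion="0" maxVersion="10.0" severity="0"/>
    </pluginItem>
    <pluginItem blockID="p-sample-java-win">
      <match name="filename" exp="npjp2\.dll"/>
      <versionRange minVersion="0" maxVersion="*" severity="1"/>
    </pluginItem>
    <pluginItem os="Darwin" blockID="p-sample-java-mac">
      <match name="filename" exp="JavaPlugin2_NPAPI\.plugin"/>
    </pluginItem>
  </pluginItems>
</blocklist>"""

def java_plugin_blocks(xml_data):
    """Return one dict per pluginItem whose match expressions look Java-related."""
    root = ET.fromstring(xml_data)
    hits = []
    for item in root.iterfind("bl:pluginItems/bl:pluginItem", NS):
        matches = {m.get("name"): m.get("exp", "") for m in item.iterfind("bl:match", NS)}
        if not any(JAVA_HINT.search(exp) for exp in matches.values()):
            continue
        # Each range is (minVersion, maxVersion, severity) exactly as written in the file.
        ranges = [(r.get("minVersion"), r.get("maxVersion"), r.get("severity"))
                  for r in item.iterfind("bl:versionRange", NS)]
        hits.append({"blockID": item.get("blockID"), "os": item.get("os"),
                     "match": matches, "ranges": ranges})
    return hits

if __name__ == "__main__":
    # Pass the path to blocklist.xml from the profile directory, or run with
    # no argument to use the constructed sample above.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in java_plugin_blocks(data):
        print(hit["blockID"], hit["os"] or "all OS", hit["match"], hit["ranges"])
```
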


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to La Luna

said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.


That's an old version. Do you have the current version?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
