
StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Java is still exploitable and is likely going to remain so.

quote:
We haven't had an unpatched Java vulnerability in a while (a month?). To make up for this lack of Java exploitability, the creators of the Blackhole and Nuclear exploit pack included an exploit for a new, unpatched, Java vulnerability in their latest release [1]. The exploit has been seen on various compromised sites serving up the exploit kit. The latest version of Java 7 is vulnerable [2].

»isc.sans.edu/diary/Java+is+still···o+/14899

Also

New Java 0-day exploited in the wild
--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

1 edit

Also cited:
• »malware.dontneedcoffee.com/2013/···ble.html
• »arstechnica.com/security/2013/01···he-wild/
Addendum:
• »www.securelist.com/en/blog/20819···ribution



newview
Ex .. Ex .. Exactly
Premium
join:2001-10-01
Parsonsburg, MD
kudos:1
reply to StuartMW

I can't even get Java 7u10 to work ...

»forums.oracle.com/forums/thread.···10777378

hmmm ... might be a GOOD thing.


garys_2k
Premium
join:2004-05-07
Farmington, MI

1 recommendation

reply to StuartMW

I remember when Java first came out and it was said to "incorporate security within its core design" or some-such nonsense. Yeah, that's worked out well...


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to StuartMW

here is a related article:

»nakedsecurity.sophos.com/2013/01···vajar-b/

i wish the title of the thread was something like "Java Zero-Day" or "Oracle Java Zero-Day"..



rfhar
The World Sport, Played In Every Country
Premium
join:2001-03-26
Buicktown,Mi

1 recommendation

reply to StuartMW

I disabled Java when I first read of these problems some months ago and have not found a site that needs it yet.



rfhar
The World Sport, Played In Every Country
Premium
join:2001-03-26
Buicktown,Mi
Reviews:
·Power-Net Intern..
reply to StuartMW

US-CERT tells users to disable Java in browsers after exploit

»www.computerworld.com/s/article/···_exploit



Smokey Bear
veritas odium parit
Premium
join:2008-03-15
Annie's Pub
kudos:4

1 recommendation

said by rfhar:
US-CERT tells users to disable Java in browsers after exploit

Vulnerability Note VU#625617: »www.kb.cert.org/vuls/id/625617

said by VU#625617 :
Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.
Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.
Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
System administrators wishing to deploy Java 7 Update 10 or later with the "Enable Java content in the browser" feature disabled can invoke the Java installer with the WEB_JAVA=0 command-line option. More details are available in the Java documentation.
--
»bit.ly/gUqYaH - C. Brian Smith: Think of the exclamation point as a car horn: a little goes a long way. Lay on it too hard and everyone’s going to think you’re a moron.
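
The VU#625617 steps quoted above describe the manual and installer-side ways to turn off Java in the browser. Below is an added Python check (not from the thread, CERT or Oracle) for verifying that state after the fact; the sample deployment.properties is constructed, and the assumption that the setting lives under the key deployment.webjava.enabled is mine, as that key is not quoted on the page.

```python
import re
from pathlib import Path
# Constructed sample of a Java 7u10+ deployment.properties file. Assumption:
# the "Enable Java content in the browser" setting (what WEB_JAVA=0 turns off)
# is stored under deployment.webjava.enabled; that key is not quoted on the page.
SAMPLE_PROPERTIES = r"""
#deployment.properties
#Sat Jan 12 10:21:33 EST 2013
deployment.version=7.10
deployment.javaws.splash.cache=C\:\\Users\\admin\\AppData\\LocalLow\\Sun\\Java\\Deployment\\splash.cache
deployment.security.level=HIGH
deployment.webjava.enabled=false
"""

# javacpl.exe locations quoted in VU#625617 for when the Control Panel applet is missing.
JAVACPL_CANDIDATES = [
    Path(r"C:\Program Files\Java\jre7\bin\javacpl.exe"),
    Path(r"C:\Program Files (x86)\Java\jre7\bin\javacpl.exe"),
]

def parse_java_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' as the
    key/value separator, backslash escapes in both key and value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, rest, i = [], "", 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):   # escaped character inside the key
                key.append(line[i + 1]); i += 2
                continue
            if ch in "=:":                           # first unescaped separator
                rest = line[i + 1:]
                break
            key.append(ch); i += 1
        props["".join(key)] = re.sub(r"\\(.)", r"\1", rest.strip())
    return props

def web_java_disabled(props):
    """True only when the file explicitly turns browser Java off; a missing
    key means Oracle's default, which is enabled."""
    return props.get("deployment.webjava.enabled", "true").strip().lower() == "false"

def find_javacpl(candidates=JAVACPL_CANDIDATES):
    """Existing javacpl.exe paths, for launching the applet by hand."""
    return [p for p in candidates if p.is_file()]
```

The per-user copy of the file on Windows Vista and later sits under the user's AppData\LocalLow\Sun\Java\Deployment folder (an assumption, not stated on the page); feed its text to parse_java_properties to check a real machine.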


DownTheShore
Mr. Putin, meet SEAL Team 6
Premium
join:2003-12-02
Beautiful NJ
kudos:13
reply to StuartMW

Pale Moon itself apparently disabled the Java platform during a recent update; it's showing an alert that Java SE 7 U4 is known to cause stability or security issues.



thinkpad

join:2000-07-26
Stamford, CT
reply to StuartMW

Does this only affect Java 7 and not Java 6?



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico

ESET's Robert Lipovsky wrote:

quote:
The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected.
Blog entry


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to StuartMW

Mozilla has blocked all versions of Java:

Mozilla Security Blog - Protecting Users Against Java Vulnerability
»blog.mozilla.org/security/2013/0···ability/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Mozilla has not blocked Java. I don't see any block when I go to, for instance, »web100.rit.edu:7123/ to do a speed test. Java itself first gives me a popup security warning and I have to tell Java that I wish to allow the applet at this site to load. Then and only then does it load. But that is not Mozilla's doing. That is because of how I set the security slider in the latest Java panel.

I had those Mozilla blocks on XP because I had an old version of Java there until recently and I don't get those on Win8 with the latest Java on Fx 10.0.10 ESR.

Maybe Mozilla has only blocked it for those who have not put the security slider high? Or those who have earlier versions of Java with no security slider?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



therube

join:2004-11-11
Randallstown, MD

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)



kickass69

join:2002-06-03
Lake Hopatcong, NJ
reply to chachazz

Better question is...is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run and what's not.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to StuartMW

Oracle Corp to fix Java security flaw "shortly"

quote:
(Reuters) - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.

"A fix will be available shortly," the company said in a statement released late on Friday.

Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.
Article

--
Another day, another Java 0-day exploit in the wild ...


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to Mele20

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.



--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to therube

said by therube:

Check the file blocklist.xml (in your Profile directory) & see what that shows.

(SeaMonkey's version is NOT blocking Java, where FF's is.)

I see a bunch of Java related items in that file.
--
The Alien in the White House

20,196 DEADLY TERROR ATTACKS SINCE 9/11

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to therube

What should I use to read that file? It's hard to read in Notepad or Wordpad. But I don't see anything in it about Java...but being so hard to read I could have missed an entry.

What does this statement from Mozilla mean?

"Always activate Java for a site

If you have a trusted site that uses Java and you need to use that site often, you can make Java work normally on just that website.

Click the red plugin icon in the address bar and a message window will open.
At the bottom of the message window, click the Activate All Plugins dropdown menu and choose Always activate plugins for this site."

»support.mozilla.org/en-US/kb/how···r-a-site

I don't see a red plugin in the address bar on a site that uses a Java applet. In fact, I usually see nothing but an address. I frequently don't get the site icons or even sometimes secure icons, etc. I haven't since Mozilla messed with all that quite a while ago. And this is true on my NEW computer also. I usually just get a strange round gray ball instead of an icon. The install of Fx 10 is only two months old. Plus, I updated Fx yesterday to 10.0.12. I suppose the red plugin icon in the address bar must not apply to version 10.0.12 ESR.

I still think the way to go is to set the Java slider HIGH and I think because I did that is why Mozilla is not blocking my Java. The function is quite similar to what Mozilla describes for how to always activate a plugin on a trusted site. You can do that in Java itself now. Did Mozilla fail to notice these latest changes in Java?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
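
Both questions above (what to read blocklist.xml with, and whether it really lists Java) can be answered by parsing the file instead of eyeballing it in Notepad. This is an added Python example, not code from anyone in the thread or from Mozilla; the sample file is constructed, and the element layout plus the rule that every <match> pattern must match its plugin field are my assumptions about the Firefox blocklist format of the time.

```python
import re
import xml.etree.ElementTree as ET

NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed sample in the layout of a Firefox profile's blocklist.xml of
# that era (assumption). p1 is a Java soft block, p2 an unrelated Flash block.
SAMPLE_BLOCKLIST = r"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist" lastupdate="1357830419000">
  <pluginItems>
    <pluginItem blockID="p1">
      <match name="name" exp="Java\(TM\) Platform SE 7 U[0-9]"/>
      <match name="filename" exp="npjp2\.dll"/>
      <versionRange severity="0" vulnerabilitystatus="1"/>
    </pluginItem>
    <pluginItem blockID="p2">
      <match name="filename" exp="NPSWF32\.dll"/>
      <versionRange minVersion="0" maxVersion="10.2.153.1" severity="1"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""

def _plugin_items(xml_text):
    """Yield (blockID, {field: regex}, versionRange element or None)."""
    root = ET.fromstring(xml_text)
    for item in root.findall("bl:pluginItems/bl:pluginItem", NS):
        matches = {m.get("name"): m.get("exp", "") for m in item.findall("bl:match", NS)}
        yield item.get("blockID"), matches, item.find("bl:versionRange", NS)

def java_entries(xml_text):
    """The entries therube says to look for: any plugin block whose match
    patterns name Java or its browser plugin DLL (npjp2.dll)."""
    return [(bid, exps) for bid, exps, _ in _plugin_items(xml_text)
            if any(re.search(r"java|npjp2", e, re.I) for e in exps.values())]

def matching_blocks(xml_text, plugin):
    """Blocks that apply to an installed plugin, given as {field: value}.
    Assumption: every <match> regex must match its field (version ranges
    are ignored here). Returns (blockID, severity, vulnerabilitystatus);
    severity "0" is a soft block, which Firefox presents as click-to-play."""
    hits = []
    for bid, exps, vr in _plugin_items(xml_text):
        if exps and all(re.search(rx, plugin.get(field, "")) for field, rx in exps.items()):
            hits.append((bid,
                         vr.get("severity") if vr is not None else None,
                         vr.get("vulnerabilitystatus") if vr is not None else None))
    return hits
```

Run it against the real file by passing open(path).read() instead of SAMPLE_BLOCKLIST; an empty result from java_entries means the profile's copy genuinely carries no Java entry, not that Notepad hid it.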


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to La Luna

said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.

[att=1]

That's an old version. Do you have the current version?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

Not sure what you mean. 18.0 is the newest version of Firefox, which is what I have. Just updated to it on Friday.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I'm sorry....I wasn't clear at all. I meant your Java version. It's not the latest (judging from your screenshot...which could be an older screenshot and not reflective of your current Java version). Is that screenshot from your computer or a Mozilla webpage? Whatever, it is showing an older version of Java. (I had thought perhaps Java was blocked for you because the version in your screenshot is not the latest), but since then I read the Mozilla forum and learned Mozilla has been very inconsistent in that they are blocking on CURRENT versions of Fx but NOT blocking on 10.0.12 ESR which is a CURRENTLY SUPPORTED VERSION. It's supported until the middle of Feb and I am still using it because I had enough on my plate dealing with Win 8 and didn't need a major browser upgrade at the same time. So, now I realize that the reason it is not blocked for me is because of Mozilla's inconsistency.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16
reply to Mele20

said by Mele20:

said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.

That's an old version. Do you have the current version?

Current enough for you?


--
We never really grow up, we only learn how to act in public.
Do not argue with an idiot. He will drag you down to his level and beat you with experience. (Hmm)
I have enemies? Good. That means I've stood up for something, sometime in my life.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yeah...that's the version I have. But I don't have that warning. Mozilla forgot that 10.0.12 is still currently supported.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to Mele20

Yes, that is from my computer. I didn't update that last Java update as it still wasn't secure. I just disabled it entirely. I find I so far don't need it anyway.

Sorry for the confusion on my end.



DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
reply to Mele20

The warning only appears in Firefox 17 and above.

Hopefully we'll see a new Java update soon. I thought it laughable when Oracle announced they were only going to release updates every three months. That was an open invitation to the black hat community:

"We're going to do updates on a pre-set schedule so we can reduce costs and make our CEO and shareholders more money, even at the expense of our product's security. Feel free to exploit our product in between our scheduled updates."

I expected something like this to happen.



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

New update is out, v7u11.

»JAVA 7u11 now available for download


SafireDonkey
Premium
join:2006-10-29
89000

1 recommendation

Ah, even more wide open holes !



DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

1 recommendation

reply to La Luna

Thanks. Just installed that and made plans for emergency deployment at work tomorrow and for my private business customers this evening.



deke40
Premium
join:2003-01-23
Texas
reply to StuartMW

I disabled the Java on my system but tonight I noticed another Java entry (JavaFX 2.1.1) in my programs list. What is it and did it come in on a Java update?