La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to Mele20

Re: Java is still exploitable and is likely going to remain so.

Not sure what you mean. 18.0 is the newest version of Firefox, which is what I have. Just updated to it on Friday.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
I'm sorry... I wasn't clear at all. I meant your Java version. It's not the latest (judging from your screenshot, which could be an older screenshot and not reflective of your current Java version). Is that screenshot from your computer or a Mozilla webpage? Whatever, it is showing an older version of Java. I had thought perhaps Java was blocked for you because the version in your screenshot is not the latest, but since then I read the Mozilla forum and learned Mozilla has been very inconsistent in that they are blocking on CURRENT versions of Fx but NOT blocking on 10.0.12 ESR which is a CURRENTLY SUPPORTED VERSION. It's supported until the middle of Feb and I am still using it because I had enough on my plate dealing with Win 8 and didn't need a major browser upgrade at the same time. So, now I realize that the reason it is not blocked for me is because of Mozilla's inconsistency.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16
reply to Mele20
said by Mele20:

said by La Luna:

said by Mele20:

Mozilla has not blocked Java.

They blocked it on the newest, current version of Fx. 18.0.

That's an old version. Do you have the current version?

Current enough for you?


--
We never really grow up, we only learn how to act in public.
Do not argue with an idiot. He will drag you down to his level and beat you with experience. (Hmm)
I have enemies? Good. That means I've stood up for something, sometime in my life.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Yeah...that's the version I have. But I don't have that warning. Mozilla forgot that 10.0.12 is still currently supported.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to Mele20
Yes, that is from my computer. I didn't update that last Java update as it still wasn't secure. I just disabled it entirely. I find I so far don't need it anyway.

Sorry for the confusion on my end.


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1
reply to Mele20
The warning only appears in Firefox 17 and above.

Hopefully we'll see a new Java update soon. I thought it laughable when Oracle announced they were only going to release updates every three months. That was an open invitation to the black hat community:

"We're going to do updates on a pre-set schedule so we can reduce costs and make our CEO and shareholders more money, even at the expense of our product's security. Feel free to exploit our product in between our scheduled updates."

I expected something like this to happen.


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

New update is out, v7u11.

»JAVA 7u11 now available for download

SafireDonkey
Premium
join:2006-10-29
89000

1 recommendation

Ah, even more wide open holes!


DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

1 recommendation

reply to La Luna
Thanks. Just installed that and made plans for emergency deployment at work tomorrow and for my private business customers this evening.


deke40
Premium
join:2003-01-23
Texas
reply to StuartMW
I disabled the Java on my system but tonight I noticed another Java entry (JavaFX 2.1.1) in my programs list. What is it and did it come in on a Java update?

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to StuartMW
Opera is handling this a bit better than Mozilla IMO. On Fx 10.0.12 ESR, I still get the slider warning popup that I have been getting since I installed ver 10. I still have ver 10. A few minutes ago, I went to do a Java speed test on Opera (which thinks I have dialup) and I got a different slider popup. I wonder why I don't get this new one on Fx? I wonder if I would get this newer popup on Fx if I had the latest Fx? I bet I would. Fx 10 ESR is still supported...but apparently not too well.

--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to StuartMW
New Java Exploit Fetches $5,000 Per Buyer
quote:
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.

On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month.
Article


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by siljaline:

New Java Exploit Fetches $5,000 Per Buyer

quote:
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned....
Article

This is what the quoted experts were getting at, over in the other thread: »JAVA: Fixing zero-day exploit could take 'two years'

And I strongly doubt the trail will end with just this very latest exploit...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Comments on the Krebs article and more:
»arstechnica.com/security/2013/01···ability/


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to StuartMW
From the arstechnica article:
quote:
..."Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete," Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findclass method and the other involving the invokeWithArguments() method. While Sunday's patch fixed the latter issue, the findclass method can still be used to get references to restricted classes, leaving a hole that attackers can exploit.

Kinger continued: "With this incident, the biggest question on everyone’s mind is “Are users safe after installing the patch?” or “Does the patch protect from recent attacks using CVE-2013-0422?” Yes, but only until someone finds another bug to couple with the first issue. findclass method still remains an open issue, but cannot be exploited on its own. However, the message is clear: Java remains a big risk."
...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Unbundled
But When ? ?
Premium
join:2010-09-13
Irving, TX
reply to StuartMW
In my Mozilla Firefox 18.0, I disabled the Java 7 Plug-In.

But, under "Extensions" I have three Java "Console" 6.0.33 & 35 & 37

SHOULD THESE JAVA CONSOLE listings under Extensions also be DISABLED ? ? ? ?

Why are there three Java consoles anyway??


MarkAW
Barry White
Premium
join:2001-08-27
Canada
kudos:16
said by Unbundled:

In my Mozilla Firefox 18.0, I disabled the Java 7 Plug-In.

But, under "Extensions" I have three Java "Console" 6.0.33 & 35 & 37

SHOULD THESE JAVA CONSOLE listings under Extensions also be DISABLED ? ? ? ?

Why are there three Java consoles anyway??

When you installed the new Java updates did you uninstall the old ones first? This could be the reason why you have three.
--
We never really grow up, we only learn how to act in public.
Do not argue with an idiot. He will drag you down to his level and beat you with experience. (Hmm)
I have enemies? Good. That means I've stood up for something, sometime in my life.

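The leftover-versions problem MarkAW describes (several Java consoles side by side after in-place updates) is easy to confirm from the Windows uninstall registry. The PowerShell below is an added example for this thread, not anything posted by MarkAW or Unbundled or shipped by Oracle; it assumes a 64-bit Windows host and reads the two standard Uninstall hives, listing every product whose display name starts with "Java" and flagging all runtimes except the newest as removal candidates. The version strings it parses are whatever the installer wrote to DisplayVersion.

```powershell
# Added example, not from the thread: inventory Java runtimes left behind by
# in-place updates so stale copies can be found and removed. Assumes a 64-bit
# Windows host; the two Uninstall keys below are the standard ones.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Every installed product whose display name starts with "Java" (JRE, JDK, JavaFX).
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java' } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString

if (-not $java) {
    Write-Output 'No Java products found in the uninstall registry.'
    return
}

# Parse DisplayVersion into a [version] so the newest runtime sorts first;
# entries whose version string does not parse sort last.
$sorted = $java | Sort-Object -Descending -Property @{
    Expression = { try { [version]$_.DisplayVersion } catch { [version]'0.0' } }
}

$sorted | Format-Table DisplayName, DisplayVersion, Publisher -AutoSize

# JavaFX is a separate product, so only compare JRE/JDK entries with each other.
# Everything after the first (newest) entry is a candidate for removal.
$runtimes = @($sorted | Where-Object { $_.DisplayName -notmatch '^JavaFX' })
if ($runtimes.Count -gt 1) {
    Write-Output "`nOlder Java runtimes still installed (candidates for removal):"
    $runtimes | Select-Object -Skip 1 | ForEach-Object {
        Write-Output ("  {0}  ->  {1}" -f $_.DisplayName, $_.UninstallString)
    }
}
```

Run it from an elevated PowerShell prompt and remove the flagged entries with their UninstallString. It only covers what Windows recorded as installed; the Java Console entries under Firefox's Extensions list are registered by the Java installer separately and still have to be checked in the Add-ons manager after the old runtimes are gone.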

Jodiedunnit

@sbcglobal.net
reply to StuartMW
The new update is still broken.

»threatpost.com/en_us/blogs/lates···d-011813


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to StuartMW
The shareholders and management of Sun in 2010 appear to have exercised unusual and brilliant foresight in allowing themselves to be acquired by a competitor, Oracle. They exited with $7.4 billion, and Oracle was left with a number of product lines and... Java. For Oracle, the Java agony just doesn't seem to end. I wonder how deeply committed to Java they'll prove to be as this continues unfolding - and it will continue to unfold, well into the future.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville