47717768 (banned)
join:2003-12-08
Birmingham, AL

47717768 (banned)

Member

Feds warn PC users to disable Java

The Department of Homeland Security is urging computer users to disable or uninstall the Java programming language because of a serious security vulnerability.
»www.ksdk.com/news/local/ ··· d=356669

This is why I do not have Sun Java installed on my system.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

»Java is still exploitable and is likely going to remain so..

dandelion
MVM
join:2003-04-29
Germantown, TN

dandelion to 47717768

MVM

to 47717768
"Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability," the warning adds.
I have read 2-3 posts all about Java but this is the first time I have read about other applications also.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

1 recommendation

Blackbird

Premium Member

said by dandelion:

"Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability," the warning adds.
I have read 2-3 posts all about Java but this is the first time I have read about other applications also.

I think the reasoning is that certain Microsoft application software like Office have built-in 'features' that invoke IE to display certain web-residing information within the application software itself, so that a user who never ordinarily uses IE may still be exposed to the Java vulnerability if the exploits exist within pages that IE silently opens.

I did a couple of hours of researching this before finally uninstalling Java last night from the last of my systems that still had it. In the course of doing the research, I read a great number of reports about this and earlier Java exploits. Somewhere in all of that (unfortunately, I lost the reference, though I did write down the details) was information that shutting off Java from within IE's 'Add-on' control panel, etc. was only sufficient to block IE from employing Java's ActiveX in a normal IE user browsing session. It was not sufficient to block IE's invoking of Java's ActiveX software when IE was being used in the background by an external program like Office. To block that path, the report indicated that either/both jp2iexp.dll and/or npjpi170_06.dll files also needed to be directly disabled in the c:\program files\java\jdk7\bin folder. Whether all such pathways could be totally blocked by using the Java Control Panel browsing-block setting was never addressed. Rather than mess around any further with Java uncertainties, workarounds, patches, and perpetually-recurring security nightmares, I elected to simply uninstall Java on the remaining system and see if anyone here actually notices its absence. If they do and resulting complaints are loud, I'll cross that bridge when I come to it...

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

1 edit

Cartel to 47717768

Premium Member

to 47717768
This is probably good for 300-400 million computers that wouldn't otherwise be vulnerable.


Upgrade link takes you to the install java page.
60-70% users are clicking that up guaranteed.

onDvine
Grown up Flower Child
Premium Member
join:2005-01-29
So. CA, USA

2 edits

onDvine

Premium Member

I ran into that page yesterday along with a list of plugins that weren't up to date.

Felt forced to update Java so I did but used WinPatrol to disable/remove everything possible afterwards. Am not sure the out of date plugins are worth messing with. I don't use IE and never accepted the EULA for applications in Windows Live Essentials 2011.

Edit: I just disabled the two plugins with "Java" in their names.

2nd Edit: Didn't have Java before Oracle took advantage of my ignorance and tricked me into that download. Nothing I do needs it. Uninstalled using Add/Remove Programs and searched for/deleted everything Java created when it installed. Sneaky!

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

1 recommendation

Cartel

Premium Member

said by onDvine:

I ran into that page yesterday along with a list of plugins that weren't up to date.

Felt forced to update Java so I did but used WinPatrol to disable/remove everything possible afterwards. Am not sure the out of date plugins are worth messing with. I don't use IE and never accepted the EULA for applications in Windows Live Essentials 2011.

I rest my case.

Phoenix22
Death From Above
Premium Member
join:2001-12-11
SOG C&C Nrth

Phoenix22 to Name Game

Premium Member

to Name Game
good point ..

no__1__here
Premium Member
join:2003-10-13
Tomball, TX

1 recommendation

no__1__here to Cartel

Premium Member

to Cartel
Wrong!
That Mozilla "Check Your Plugins" page is misleading. I do not have Java installed at all, and yet I get the same "we've disabled it, please update" message.

HA Nut
Premium Member
join:2004-05-13
USA

HA Nut to 47717768

Premium Member

to 47717768
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...

goalieskates
Premium Member
join:2004-09-12
land of big

2 recommendations

goalieskates to no__1__here

Premium Member

to no__1__here
said by no__1__here:

That Mozilla "Check Your Plugins" page is misleading. I do not have Java installed at all, and yet I get the same "we've disabled it, please update" message.

I'd be distinctly unamused if Mozilla took it upon itself to disable Java or anything else. It's their right to warn me, it's not their right to reach out and do it for me.

kickass69
join:2002-06-03
Lake Hopatcong, NJ

1 recommendation

kickass69

Member

Better question is...is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run.
scottp99
join:2010-12-11

scottp99

Member

I have Java 7 u10 for IE 8 and Firefox 10ESR.
How do I disable them in the browser only?

I still need Java for OFFLINE programs though.

chrisretusn
Retired
Premium Member
join:2007-08-13
Philippines

1 recommendation

chrisretusn to 47717768

Premium Member

to 47717768
How many times have I seen this phrase in a security advisory?
quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.
slajoh01
join:2005-04-23

slajoh01

Member

This Java exploit affects Linux, OS X, Unix as well. Not just Windows-based OS.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Yeah...well Apple must have juice with Oracle because they have access to a newer version of Java that doesn't have the vulnerability and they are having all their users install it.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game

Premium Member

said by Mele20:

Yeah...well Apple must have juice with Oracle because they have access to a newer version of Java that doesn't have the vulnerability and they are having all their users install it.

They are disabling it.. »www.macrumors.com/2013/0 ··· -threat/

Where did you get your info there is a newer version?

DataDoc
My avatar looks like me, if I was 2D.
Premium Member
join:2000-05-14
Hedgesville, WV

DataDoc to scottp99

Premium Member

to scottp99
This, and the links shown, might help:
»nakedsecurity.sophos.com ··· browser/
pandora
Premium Member
join:2001-06-01
Outland

pandora to chrisretusn

Premium Member

to chrisretusn
said by chrisretusn:

How many times have I seen this phrase in a security advisory?

quote:
can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system,
Insert your favorite program before the phrase. Me? I've decided to disable Windows, that will teach em.

How does not using Windows secure you from this problem?

therube
join:2004-11-11
Randallstown, MD

therube to kickass69

Member

to kickass69
quote:
is Firefox phoning home to Mozilla all the time like Chrome does with Google? I mean how else are they able to control the Click to Play feature and determine what's 'bad' for us to run.

blocklist.xml contains a list of add-ons that Mozilla considers to be harmful to the user (contains security vulnerabilities, adversely affects browsing experience, etc.). Any installed add-on on the block list will be disabled and any attempt to install an add-on on the block list will result in an error.

(Additionally, there has to be more to it than just that, some interaction with C2P, in this case, but I'm not sure what.)

StuartMW
Premium Member
join:2000-08-06

StuartMW to Name Game

Premium Member

to Name Game
said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.

deke40
deke40
Premium Member
join:2003-01-23
Texas

deke40 to scottp99

Premium Member

to scottp99
said by scottp99:

I have Java 7 u10 for IE 8 and Firefox 10ESR.
How do I disable them in the browser only?

I still need Java for OFFLINE programs though.

Don't know if you got this answered or not.

Go to the Control Panel and click on the Java icon and then Security.
slajoh01
join:2005-04-23

slajoh01

Member

Scottp99 - Just go to the US Cert site.

»www.kb.cert.org/vuls/id/625617
»www.java.com/en/download ··· wser.xml
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to StuartMW

Premium Member

to StuartMW
said by StuartMW:

said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.

I read this in one of the security articles. I'll see if I can find it again. The article's author may have been misinformed but said that Apple, contrary to what was being bandied about the internet, was not disabling Java but instead requiring users to update Java to a brand new version not yet publicly available. I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by Mele20:

I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.

FYI I was saying it is possible. I don't know for sure.

Besides

»JAVA 7u11 now available for download
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20

Premium Member

Yeah... I see it is out so makes this all sort of moot.

Not sure I will install it though with all the reports of the Java registry key missing in the new version and thus Java won't work in Fx.

Jan Janowski
Premium Member
join:2000-06-18
Waynesville, NC

Jan Janowski to 47717768

Premium Member

to 47717768
I just got prompted that Java needed an update...

(build 1.7.0_11-b21)

La Luna
Fly With The Angels My Beloved Son Chris
Premium Member
join:2001-07-12
New Port Richey, FL

1 edit

La Luna

Premium Member

NM, my mistake.
La Luna

1 edit

La Luna to Jan Janowski

Premium Member

to Jan Janowski
NM, my mistake.
baess
join:2011-01-28

baess

Member

4 hours ago or so

»JAVA 7u11 now available for download