Broadband Tech > Security > Security > Feds warn PC users to disable Java

reply to DownTheShore

Re: Feds warn PC users to disable Java

reply to DownTheShore
Hence the reason why I continue to keep it disabled. Doesn't seem needed anyway for me.

reply to Oleg
I wanted to make a reference to the thread over in the Mozilla forum that talks about Firefox automatically "disabling" older Java versions.

»All versions of the Java plugin are blocked

I did some testing of that feature, and documented my results in that thread.

However, either I'm not fully understanding what Mozilla says they are doing, or things are not working right (at least on my system).

In a nutshell, I removed Java (fully), Firefox, and Waterfox. I then installed Firefox 18.0, and Java 7 Update 7 (older version of Java, which is full of vulnerabilities).

Yet, when I go look at the plugins page, nothing to do with Java is disabled.

The way I read what Mozilla is doing is that when you install Firefox 17.x or Firefox 18.x, and you have an older version of Java installed, Firefox will disable the plug-ins by default (not have them enabled). My testing shows otherwise.

Again, making a cross-post here in the security forum, hoping to shed some light on my issue.

So, if anyone here can help explain things better to me, that would be great.

Thanks,

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail

It reports Java 7 Update 7 but if you look at the plug in results, it shows the current. I had the same process with an older plug in and Firefox did indeed disable it without action on my part.

reply to pandora
Well here is my take on that information from »security.stackexchange.com/quest···-icedtea

There is this statement "Java 7 and OpenJDK share a lot of common code, so, as a general rule, security issues in Java 7 also apply to OpenJDK. In that specific case, it seems that the vulnerability was reported in the Debian OpenJDK package, so yes, they are vulnerable."

Well first there is no specific case sited (it could be assuming VU#625617) and the reference (»askubuntu.com/questions/181884/s···-for-now) to the reported vulnerability in the Debian OpenJDK package refers to the second link in my post VU#636312 dated 27 Aug 2012 which was been patched.

While it is possible that the current vulnerability affects OpenJDK, it is not specifically listed as affected by the vulnerability alert for VU#625617 dated 10 Jan 2013.

VU#625617 has been patched by Oracle and as I have already mentioned. I am not all that concerned about this; and this has nothing to do with my preferred operating system being Linux. I do run Windows and have Java install their as well. I think there is a lot of over reaction to this.

--
Chris
Living in Paradise!!

reply to Mele20

reply to chrisretusn

Perhaps someone at DHS was sick and tired of Oracle never fully patching the thing and decided to use the power available to him or her in their position at DHS to give them a kick in the rear.

-------------------

La Luna, thanks for answering my question.

reply to goalieskates

reply to pandora
Not saying the open code doesn't have certain vulnerabilities. It is fairly unlikely it is the same vulnerabilities though. The open source people have to use different code to achieve their goal, or run a severe risk of being slapped with a nasty lawsuit by Oracle. Same has long applied for things like Linux graphics drivers, too(btw, the open source radeon driver kicks the snot out of proprietary fglrx on my laptop, in terms of OpenGL performance, with no worries that upgrading my X or my kernel will break it. DirectX support is limited but I really don't need it for what I do in Linux.). There has also been no security alerts on the Open Java. With the number of devs that have been working on that project, I am pretty sure somebody has checked this out. It is not Linux perse that would protect against this vulnerability. It is running different code altogether that would. Oracle Linux users would be just as vulnerable, unless of course, they manage to comprehensively sandbox the app in question(Java). I used to run Firefox sandboxed, due to all its vulnerabilities, but found another browser I liked(Chromium) that sandboxes 1 of the biggest security liabilities on its own(Adobe Flash).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.

reply to Oleg
While this is already old news, the following is something that I just read in today's Langalist. It includes just a small list of things that require Java in which to run correctly. I find the Secunia Online Inspector a most strange thing to be still running using Java.

GoToMyPC — works more easily with Java, though it's not required
GoToMeeting
GoToWebinar
Scottrade
The Wall Street Journal website, wsj.com, uses Java for dynamic charts
Secunia's Online Software Inspector
ThinkFree Office Online
FreeMind — mind-mapping software
France's online voting system
LuxSci webmail — Java used only for some advanced features
time.gov — the official U.S. time site (Java can be disabled)
Of those applications, I'm most concerned that Secunia's Online Software Inspector requires Java for its scanning processes. I recommend switching to Secunia Personal Software Inspector (site ) to scan your PC for needed updates.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay

It's settled. I blocked Java to protect all machines that may enter my network. It only broke 1 thing that I actually used-causes the Speedtest.net Android app to force close. No sites that I use or any other apps seem affected. I blocked it on a trial but keeping it blocked. Still allows my internal server to push Java applets to the browser plugins on my machines, without the plugin being an attack vector. Further, for the Debian laptop, I use NotScript for Chromium Browser(same function as NoScript for Firefox), which will only allow the plugin to run if I specifically allow it, covering me on outside networks and vpn. That is if the Openjdk is even vulnerable.
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.

reply to Oleg
I'll ignore any advice coming from a government agency, whose government can't manage it's own spending and debt.

Now if it was from a private sector, ten I'd heed or at least research the warning. But a government agency? Please, that's like letting a three year old perform open heart surgery.

That said, I guess I'll have to go around the house and disable/uninstall java from the 6 PCs that have it.
Then again, seeing how this has been going on for years, kinda reminds me of a certain web site that stored users passwords in plain text. I won't mention the web sites name, but thankfully that has been fixed.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?.

reply to Snakeoil

In my case, it was safe to block the plugin. Only thing it was needed for was LAN resources. Fine, blocking it at network still lets you run and develop Java app and applets while eliminating the attack vector of the plugin. You could remove the plugin, chris, if you only need Java for local apps. No sites I visit actually need it. Only some of my programs and LAN applets I play with use Java. The LAN resources are the only reason I even kept the plugin installed. Otherwise, I could remove it and go without it completely. That being said, Notscript for Chrome/Chromium and Noscript for Firefox/Iceweasel are pretty easy to use, flexible, and close the attack vector to untrusted sources. My network block is to protect family's computers(their terrible computer skills of overriding something that will harm them until it works is terrible, so my gateway catches it instead) that join my network. Nobody has complained of their vital pages/services not working. I could override it just for me but haven't had to for anything. I know Runescape wouldn't, but oh well, one way to keep family off that awful game to have some actual family time when they visit(coming from an MMO fan, just hate Runescape).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.

I do have the plug-in disabled or not installed in some of my installations. Actually in a few instances Java is not installed either. If I don't need it, it's not installed. This computer I am using now is running Slackware64 with OpenJDK and the IcedTea-Web Plugin. (Not because I think it safer by the way, it's not.) I enable it when I need it; for example that Runescape site you like so much.

I don't really play it, just using that as an example. I did check it out just now, it fetching updates right now... oops..... just dumped me out and crashed Firefox. Oh well. Not a big deal, I'm more in to console games than PC ones. That and I don't care of on-line games.

I'm not all that concerned over this threat. It just like any other threat out there, except this one has taken on a life of it own as the threat to hate. Reminds me of Facebook, which I use on occasion and find it quite useful; like the Java programs I use.

I also have NoScript installed, I don't use Chrome. There are no Windows installation in my house, they are not allowed, with a few exceptions, my "work" laptop (dual boot, rarely to Windows, always to Slackware) or running in a VirtualBox VM on this machine. Only the laptop has Java installed because I need it for programs not browsing.
--
Chris
Living in Paradise!!

quote:

---

... 2012 can justifiably be described as the year of the Java vulnerability, with half of all detected exploit-based attacks targeting vulnerabilities in Oracle Java. Today, Java is installed on more than 3 billion devices running under various operating systems. ...

---