
La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

reply to DownTheShore

Re: Feds warn PC users to disable Java

I think that is used by developers who develop Java apps.


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

reply to DownTheShore
Hence the reason why I continue to keep it disabled. Doesn't seem needed anyway for me.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to 47717768
I wanted to make a reference to the thread over in the Mozilla forum that talks about Firefox automatically "disabling" older Java versions.

»All versions of the Java plugin are blocked

I did some testing of that feature, and documented my results in that thread.

However, either I'm not fully understanding what Mozilla says they are doing, or things are not working right (at least on my system).

In a nutshell, I removed Java (fully), Firefox, and Waterfox. I then installed Firefox 18.0, and Java 7 Update 7 (older version of Java, which is full of vulnerabilities).

Yet, when I go look at the plugins page, nothing to do with Java is disabled.

The way I read what Mozilla is doing is that when you install Firefox 17.x or Firefox 18.x, and you have an older version of Java installed, Firefox will disable the plug-ins by default (not have them enabled). My testing shows otherwise.

Again, making a cross-post here in the security forum, hoping to shed some light on my issue.

So, if anyone here can help explain things better to me, that would be great.

Thanks,

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


cbrigante2
Cubs 20??
Premium
join:2002-11-22
North Aurora, IL
It reports Java 7 Update 7 but if you look at the plug in results, it shows the current. I had the same process with an older plug in and Firefox did indeed disable it without action on my part.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast

1 edit
reply to pandora
Well here is my take on that information from »security.stackexchange.com/quest ··· -icedtea

There is this statement "Java 7 and OpenJDK share a lot of common code, so, as a general rule, security issues in Java 7 also apply to OpenJDK. In that specific case, it seems that the vulnerability was reported in the Debian OpenJDK package, so yes, they are vulnerable."

Well first there is no specific case cited (it could be assuming VU#625617) and the reference (»askubuntu.com/questions/181884/s ··· -for-now) to the reported vulnerability in the Debian OpenJDK package refers to the second link in my post VU#636312 dated 27 Aug 2012 which has been patched.

While it is possible that the current vulnerability affects OpenJDK, it is not specifically listed as affected by the vulnerability alert for VU#625617 dated 10 Jan 2013.

VU#625617 has been patched by Oracle and, as I have already mentioned, I am not all that concerned about this; and this has nothing to do with my preferred operating system being Linux. I do run Windows and have Java installed there as well. I think there is a lot of overreaction to this.

--
Chris
Living in Paradise!!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Mele20
said by Mele20:

said by StuartMW:

said by Name Game:

Where did you get your info there is a newer version?

I wouldn't be surprised if the version number of Java for Apple machines is higher (or lower). That may, or may not, mean anything. After all Google (with Chrome) and Microsoft (with IE10) have different numbers for their embedded Adobe Flash Player.

There was a time when version numbers meant something. These days not so much. For example look at Mozilla Firefox. They bump a major version every month or so.

I read this in one of the security articles. I'll see if I can find it again. The article's author may have been misinformed but said that Apple, contrary to what was being bandied about the internet, was not disabling Java but instead requiring users to update Java to a brand new version not yet publicly available. I wasn't confused by the difference in numbering for Apple vs Windows but perhaps the author of the comment could have been.

Nevertheless your info was wrong. Period.

»www.applebitch.com/2013/01/12/ap ··· on-macs/
»www.applebitch.com/2013/01/14/ne ··· eleased/

--
Gladiator Security Forum
»www.gladiator-antivirus.com/


goalieskates
Premium
join:2004-09-12
land of big

1 recommendation

reply to chrisretusn
said by chrisretusn:

VU#625617 has been patched by Oracle and, as I have already mentioned, I am not all that concerned about this; and this has nothing to do with my preferred operating system being Linux. I do run Windows and have Java installed there as well. I think there is a lot of overreaction to this.

That overreaction may be due at least in part to the fact DHS is involved. We've seen a lot of vulnerabilities over the years, some of which went unpatched for years - but I don't recall DHS getting into the act before. The warnings came from software houses or researchers or independent testers. I don't want to minimize a danger, but the skeptic in me wonders if this isn't some sort of test - by DHS.

Federal government sites use java. So wtf?


DownTheShore
RIP tmpchaos
Premium
join:2003-12-02
Beautiful NJ
kudos:14
Reviews:
·Verizon Online DSL
Perhaps someone at DHS was sick and tired of Oracle never fully patching the thing and decided to use the power available to him or her in their position at DHS to give them a kick in the rear.

-------------------

La Luna, thanks for answering my question.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
reply to goalieskates
said by goalieskates:

That overreaction may be due at least in part to the fact DHS is involved. We've seen a lot of vulnerabilities over the years, some of which went unpatched for years - but I don't recall DHS getting into the act before. The warnings came from software houses or researchers or independent testers. I don't want to minimize a danger, but the skeptic in me wonders if this isn't some sort of test - by DHS.

Federal government sites use java. So wtf?

I think it's nice DHS said something.

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

It appears both the open and proprietary Java versions should be considered vulnerable until someone demonstrates the open code isn't the same and is not vulnerable. Also waiting for Java proprietary to be patched, assuming the open source code is identical, sort of mitigates some of the claimed virtue of open source. Shouldn't the open source community have fixed this long ago?
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
said by pandora:

I'm still amazed some folks consider this a problem only with proprietary Java code, and conclude identical open source code is somehow invulnerable. This is a demonstration of faith not supported by any possible fact.

I don't think anyone has said it is a problem with only proprietary Java code. No one has said open source is invulnerable. Not sure where you got that from.

In fact the advisory has been updated and OpenJDK and IcedTea are both listed as affected.

Does that change anything as far as I am concerned? No it does not. I am not disabling or removing Java from my machines. When a patch is released for OpenJDK I will apply it.
--
Chris
Living in Paradise!!

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma

1 edit
said by chrisretusn:

I don't think anyone has said it is a problem with only proprietary Java code. No one has said open source is invulnerable.

The first post I replied to in this thread, indicated the solution (his solution iirc) was to disable Windows. As if this were a Windows problem. Upon follow up, I was assured the solution was open Java.

It doesn't appear either is a solution for this problem. Windows has earned a reputation for vulnerability on Internet over many years, and Linux a reputation for reliability. Windows has greatly improved its security, while Linux when used as a desktop or desktop-like system (tablet, very smart phone) is almost always hackable (someone can find a way to get any phone or tablet rooted). Worse, most customers are easily hacked by simple social engineering (almost any app will be installed regardless of what it does after installation).

The themes I was fascinated with were: 1) That Windows was the problem (in the case it isn't), and 2) Open source would save users from this hack (apparently not true in this case).

Sorry.
--
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand." - Milton Friedman"


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to pandora
Not saying the open code doesn't have certain vulnerabilities. It is fairly unlikely it is the same vulnerabilities though. The open source people have to use different code to achieve their goal, or run a severe risk of being slapped with a nasty lawsuit by Oracle. Same has long applied for things like Linux graphics drivers, too (btw, the open source radeon driver kicks the snot out of proprietary fglrx on my laptop, in terms of OpenGL performance, with no worries that upgrading my X or my kernel will break it. DirectX support is limited but I really don't need it for what I do in Linux.). There have also been no security alerts on the Open Java. With the number of devs that have been working on that project, I am pretty sure somebody has checked this out. It is not Linux per se that would protect against this vulnerability. It is running different code altogether that would. Oracle Linux users would be just as vulnerable, unless of course, they manage to comprehensively sandbox the app in question (Java). I used to run Firefox sandboxed, due to all its vulnerabilities, but found another browser I liked (Chromium) that sandboxes 1 of the biggest security liabilities on its own (Adobe Flash).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to 47717768
While this is already old news, the following is something that I just read in today's Langalist. It includes just a small list of things that require Java in which to run correctly. I find the Secunia Online Inspector a most strange thing to be still running using Java.

GoToMyPC — works more easily with Java, though it's not required
GoToMeeting
GoToWebinar
Scottrade
The Wall Street Journal website, wsj.com, uses Java for dynamic charts
Secunia's Online Software Inspector
ThinkFree Office Online
FreeMind — mind-mapping software
France's online voting system
LuxSci webmail — Java used only for some advanced features
time.gov — the official U.S. time site (Java can be disabled)
Of those applications, I'm most concerned that Secunia's Online Software Inspector requires Java for its scanning processes. I recommend switching to Secunia Personal Software Inspector (site) to scan your PC for needed updates.
--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay



Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
It's settled. I blocked Java to protect all machines that may enter my network. It only broke 1 thing that I actually used - causes the Speedtest.net Android app to force close. No sites that I use or any other apps seem affected. I blocked it on a trial but keeping it blocked. Still allows my internal server to push Java applets to the browser plugins on my machines, without the plugin being an attack vector. Further, for the Debian laptop, I use NotScript for Chromium Browser (same function as NoScript for Firefox), which will only allow the plugin to run if I specifically allow it, covering me on outside networks and vpn. That is if the OpenJDK is even vulnerable.
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


Snakeoil
Ignore Button. The coward's feature.
Premium
join:2000-08-05
Mentor, OH
kudos:1
reply to 47717768
I'll ignore any advice coming from a government agency, whose government can't manage its own spending and debt.

Now if it was from a private sector, then I'd heed or at least research the warning. But a government agency? Please, that's like letting a three year old perform open heart surgery.

That said, I guess I'll have to go around the house and disable/uninstall java from the 6 PCs that have it.
Then again, seeing how this has been going on for years, kinda reminds me of a certain web site that stored users' passwords in plain text. I won't mention the web site's name, but thankfully that has been fixed.
--
Is a person a failure for doing nothing? Or is he a failure for trying, and not succeeding at what he is attempting to do? What did you fail at today?.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
said by Snakeoil:

Then again, seeing how this has been going on for years, kinda reminds me of a certain web site that stored users' passwords in plain text. I won't mention the web site's name, but thankfully that has been fixed.

It has? Or were you being facetious?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
reply to Snakeoil
said by Snakeoil:

I'll ignore any advice coming from a government agency, whose government can't manage its own spending and debt.

Now if it was from a private sector, then I'd heed or at least research the warning. But a government agency? Please, that's like letting a three year old perform open heart surgery.

LOL, Feel the same way. My first reaction Feds?, DHS? ha, so what.

I still have it installed on most of my systems, because I have Java programs that need it.
--
Chris
Living in Paradise!!


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2

1 edit
In my case, it was safe to block the plugin. Only thing it was needed for was LAN resources. Fine, blocking it at network still lets you run and develop Java apps and applets while eliminating the attack vector of the plugin. You could remove the plugin, chris, if you only need Java for local apps. No sites I visit actually need it. Only some of my programs and LAN applets I play with use Java. The LAN resources are the only reason I even kept the plugin installed. Otherwise, I could remove it and go without it completely. That being said, NotScript for Chrome/Chromium and NoScript for Firefox/Iceweasel are pretty easy to use, flexible, and close the attack vector to untrusted sources. My network block is to protect family's computers (their terrible computer skills of overriding something that will harm them until it works is terrible, so my gateway catches it instead) that join my network. Nobody has complained of their vital pages/services not working. I could override it just for me but haven't had to for anything. I know Runescape wouldn't, but oh well, one way to keep family off that awful game to have some actual family time when they visit (coming from an MMO fan, just hate Runescape).
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
I do have the plug-in disabled or not installed in some of my installations. Actually in a few instances Java is not installed either. If I don't need it, it's not installed. This computer I am using now is running Slackware64 with OpenJDK and the IcedTea-Web Plugin. (Not because I think it safer by the way, it's not.) I enable it when I need it; for example that Runescape site you like so much.

I don't really play it, just using that as an example. I did check it out just now, it's fetching updates right now... oops..... just dumped me out and crashed Firefox. Oh well. Not a big deal, I'm more into console games than PC ones. That and I don't care for on-line games.

I'm not all that concerned over this threat. It's just like any other threat out there, except this one has taken on a life of its own as the threat to hate. Reminds me of Facebook, which I use on occasion and find it quite useful; like the Java programs I use.

I also have NoScript installed, I don't use Chrome. There are no Windows installations in my house, they are not allowed, with a few exceptions, my "work" laptop (dual boot, rarely to Windows, always to Slackware) or running in a VirtualBox VM on this machine. Only the laptop has Java installed because I need it for programs not browsing.
--
Chris
Living in Paradise!!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
said by chrisretusn:

... I'm not all that concerned over this threat. It's just like any other threat out there, except this one has taken on a life of its own as the threat to hate. Reminds me of Facebook, which I use on occasion and find it quite useful; like the Java programs I use. ...

According to Kaspersky Lab's 3rd-Quarter report, the concern is probably justified, especially given Java's prominence in current infections and the number of Java installations constituting potential targets. From IT Threat Evolution: Q3 2012:
quote:
... 2012 can justifiably be described as the year of the Java vulnerability, with half of all detected exploit-based attacks targeting vulnerabilities in Oracle Java. Today, Java is installed on more than 3 billion devices running under various operating systems. ...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
I have Java installed on five systems, and decided not to uninstall it. Instead, I used the java control panel security tab to disable it in all browsers. That way I did not have to individually disable the plugins.

Added: One thing I forgot to mention is that disabling the browsers in the Java control panel also requires a restart to take effect. That's a small pain in the behind.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.


Jtmo
Premium
join:2001-05-20
Novato, CA
reply to 47717768
I installed update 11 on only the 32 bit browser, not the 64 bit I use most of the time. Even then, I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or University, ALEKS used for their schoolwork requires Java and boy is it a pain.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
said by Jtmo:

... I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or University, ALEKS used for their schoolwork requires Java and boy is it a pain.

Virtually every nation-state has its enemies somewhere... and most exploits are equal-opportunity - they don't care whose computers they infect or where, if only to enlist them as part of global bot networks or to try to infect still other systems. I think the key safe-hex thing to do is employ a triage mindset:
1) if you don't actually need Java, get rid of it (including all its versions)
2) if you do truly need Java at times, keep it in chains (that is, disable it for browsing using the Java Control Panel, until it's specifically needed - then afterwards, disable it again... immediately)
3) make sure you only have the latest Java version installed (the rare exception should only be made when the user absolutely knows that an older version is required - which will exclude most Java users)
4) keep Java updated as soon as patches are released (given its favored-program status for hacking, it gets instant hacker attention when exploits are discovered)
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
Or block the plugin at a network level to protect users at your IP address. You can VPN past it yourself, but most friends aren't that savvy. If they were, I'd just block the port except for my status IPs or the destination of all known VPN hosts except mine (unless they get my permission, which granny is not getting with how much I have cleaned her computer, only to see her reinfected the next week due to weak security practices). She is a good lady, but treats a computer like a toaster in terms of security and updates. Installs a bunch of crap that has clean alternatives. In the insecure IE days, it only took me 3 years to get her to try Firefox or Chromium (now she is behind the times because Webkit has had better security of built-in sandboxing and better rendering), but she did pull away from IE. Progress, folks. Yes, I have a right to set up my network to be protective from my home so nothing bad is coming from my IP address. I feel it to be a responsibility to do that. They will do what they want at home lol
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

Have her use a VM for browsing. Blow it away and replace with fresh VM regularly.


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
reply to Blackbird
There are only a couple of sites where I have used Java. One is here (dslreports.com) for the Java speed test. The other was secunia.com for their OSI (Online Software Inspector). However, the Flash speed test works better for me now since I have a newer used computer and I use the PSI, which is installed locally and does not require Java. I could probably completely uninstall Java, for that matter. I will be thinking about that.

Added: I just uninstalled it from a Win 7 Pro 64-bit system. I had already disabled it for browsers, but had not restarted. I can't restart this system just any time, so I thought I'd just remove Java entirely. That worked fine and did not require a restart.

--
It is easier for a camel to put on a bikini than an old man to thread a needle.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

4 edits
reply to Blackbird
said by Blackbird:

said by dandelion:

"Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability," the warning adds.
I have read 2-3 posts all about java but this is the first time I have read about other applications also.

I think the reasoning is that certain Microsoft application software like Office have built-in 'features' that invoke IE to display certain web-residing information within the application software itself, so that a user who never ordinarily uses IE may still be exposed to the Java vulnerability if the exploits exist within pages that IE silently opens.

Exactly.
Take a look at Puran:
»www.puransoftware.com/screenshot ··· very.jpg
See that "Home" & "Like us on Facebook".
What do you think that is?

Well that is IE.
So when you run Puran, you are also running IE.

A little tab you say?
Well click into that little tab, then click Ctrl+N.
Woah Nelly, up pops, yes, IE in its full glory.

Looking to find duplicate files on your computer.
You guessed it, you are all running IE while you do.

1) clean looking app, no?

2) notice that "bar" that says "Home"?

3) when I right-click, it gives some odd context menu?

4) & if I do a Ctrl+N, up pops, IE, in all its glory!

in the first tiled window, I had IE blocked (in my firewall), & it was able to load the (locally stored) "home.html" page. once I unblocked IE (which would be the case for most everyone anyhow), the second tiled window, I was free to roam, anywhere, do anything IE can do, well, because I am running IE.

5) also note that because Puran needs to (perhaps better said, does) run with elevated permissions, so too does IE, running at a higher integrity level than it would otherwise.

(the sandboxed IE, running through Puran, the other instance run directly from desktop)

Frodo

join:2006-05-05
kudos:1

2 edits
reply to 47717768
Just came across this article regarding Java and Internet Explorer.

Essentially, the gist is that there are two ways for Java to execute in IE, one as an ActiveX control, and the other way as an applet.

Since there are two ways to run Java, there should be two things done to shut it down (if needed). One would be to go to manage addons and disable the Java related addons. That takes care of the ActiveX.

Then, dealing with Java being called for as an applet would need to be dealt with. As the article explains, this can be dealt with in Group Policy. Since I have XP professional, that's how I dealt with it. You should be aware that if you want to shut Java down for a particular zone, that setting didn't show in my IE8. So, I backed up HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER and then ran the registry file indicated in the article and the Java setting for the individual internet zones now shows in the IE control panel for the individual IE zones.

So, just wanted to point out that in IE, Java can be invoked either by ActiveX, or by applet. Perhaps the setting in the Oracle Java control panel to not run Java in Internet Explorer is sufficient to shut Java down, but if one doesn't want to have a single point of failure, there are other things that can be done. Until I read that article, I thought disabling the Java addons was enough, but that apparently only shuts off the ActiveX invocation.

OS: XP professional
IE: IE8

Edit: I'm not vouching for that registry file. I installed it, and everything looked good. In the Internet Zone, my ability to change the Java setting was disabled since I had a setting in Group Policy. However, in the Restricted Zone, even though I also disabled Java in that Zone, in the browser control panel, the setting wasn't disabled.

Conclusion: This affirms my decision to buy professional products that can be administrated, as opposed to home user products.

2nd edit: I had previously disabled Java applets in Group Policy at the Computer configuration level. I went back in and disabled Java in the Internet and Restricted zones at the User Configuration level, and this time, the setting in the browser for the Restricted zone was disabled. So, if one wants to disable Java applets in IE for any of the zones, I recommend applying the settings at both the Computer configuration and User configuration levels.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6

1 edit

1 recommendation

You might want to read Woody's article,

»www.infoworld.com/t/web-browsers ··· page=0,0

weep, and then use the CERT registry file.

From Woody's article:

"You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

'Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.'

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them".

I didn't know anything about the Next Generation Java Plugin in IE and I had no idea that Java can now be invoked outside IE:

"is a newer version of the Java plug-in that execute outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP, Protected Mode, or other sandboxing." According to CERT, the only way to stop this newer version of the Java plug-in in IE is to remove the file. Then IE reverts to using the OLDER Java Plug-in which operates within the confines of the browser.

I also did not realize I would need to prevent IE from automatically opening JNLP files. CERT has a registry fix for this.

"A registry file that Disables the element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 update 6, the Java Web Start ActiveX control, the Java Deployment Toolkit ActiveX controls, as well as prevents IE from automatically opening JNLP files, as described above, is available for download here:

»www.kb.cert.org/CERT_WEB/service ··· P_IE.reg
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
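
Added example, not part of any post above and not CERT's or Microsoft's code: a small Python audit that reads a `.reg` file before it is imported and reports which ActiveX CLSIDs would get the kill bit (`Compatibility Flags` with bit 0x400) and whether the IE Java-permissions URL action (`1C00`) is set to "disabled" for the Internet and Restricted zones in both the machine and user hives, the two points Frodo's and Mele20's posts turn on. The CLSIDs and the sample file are constructed placeholders, and the function names are illustrative.

```python
import re

KILL_BIT = 0x00000400        # "Compatibility Flags" bit that stops IE loading a control
JAVA_ACTION = "1C00"         # IE URL action: Java permissions
JAVA_DISABLED = 0x00000000   # 1C00 value meaning "Disable Java"

SECTION = re.compile(r"^\[(-?)(.+)\]$")
DWORD = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')
AXCOMPAT = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})$", re.I)
ZONE = re.compile(r"^(HKEY_[A-Z_]+)\\.*\\Internet Settings\\Zones\\(\d)$", re.I)

# Constructed sample; the CLSIDs are placeholders, not real Java CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; kill bit set for one control, left clear for another
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1C00"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1C00"=dword:00000000
"""


def parse_reg(text):
    """Return {key_path: {value_name: int}} for dword values; ignore [-key] deletions."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            current = None if m.group(1) else keys.setdefault(m.group(2), {})
            continue
        m = DWORD.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def audit(text):
    """Summarise kill bits and per-zone Java settings found in a .reg file."""
    killed, not_killed, zones = [], [], {}
    for path, values in parse_reg(text).items():
        m = AXCOMPAT.search(path)
        if m:
            flags = values.get("Compatibility Flags")
            target = killed if flags is not None and flags & KILL_BIT else not_killed
            target.append(m.group(1).upper())
            continue
        m = ZONE.match(path)
        if m and JAVA_ACTION in values:
            scope = "policy" if "\\policies\\" in path.lower() else "preference"
            zones[(m.group(1).upper(), scope, m.group(2))] = (
                values[JAVA_ACTION] == JAVA_DISABLED)
    return {"killed": killed, "not_killed": not_killed, "zones": zones}


def zone_gaps(report, zones=("3", "4")):
    """(hive, zone) pairs where the file does not disable Java.

    Zone 3 is Internet, zone 4 is Restricted sites; both hives are checked
    because machine-level and user-level settings are stored separately.
    """
    hives = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    return [(h, z) for z in zones for h in hives
            if not any(ok for (hive, _, zone), ok in report["zones"].items()
                       if hive == h and zone == z)]


if __name__ == "__main__":
    report = audit(SAMPLE_REG)
    print("kill bit set:    ", report["killed"])
    print("kill bit NOT set:", report["not_killed"])
    print("zones without Java disabled:", zone_gaps(report))
```

Files exported by regedit are usually UTF-16; decode them (for example `open(path, encoding="utf-16")`) before passing the text to `audit`.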


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:14
reply to HA Nut

 

quote:
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...
Yes and a lot of ppl do!!!

Why is HOMELAND SECURITY telling ppl this INSTEAD OF SUN? (Oracle) -- I think there IS an agenda here!! (To get compromised versions of Java on ppls computer so they have a backdoor way in!!)

NO ONE SHOULD DO ANYTHING!!!!