dslreports logo
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6417
share rss forum feed


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
reply to Blackbird

Re: Feds warn PC users to disable Java

I have Java installed on five systems, and decided not to uninstall it. Instead, I used the java control panel security tab to disable it in all browsers. That way I did not have to individual disable the plugins.

Added: One thing I forgot to mention is that disabling the browsers in the Java control panel also requires a restart to take effect. That's a small pain in the behind.
--
It is easier for a camel to put on a bikini than an old man to thread a needle.


Jtmo
Premium
join:2001-05-20
Novato, CA
reply to 47717768
I installed update 11 on only the 32 bit browser, not the 64 bit I use most of the time. Even then, I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or University, ALEKS used for thier schoolwork requires Java and boy is it a pain.


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
said by Jtmo:

... I have it disabled in the control panel.

Large scale attacks on banks from Iran, can they also target only USA computers??? Cyber attacks will increase going forward I believe.

Oh, and for anyone who has kids in school or University, ALEKS used for thier schoolwork requires Java and boy is it a pain.

Virtually every nation-state has its enemies somewhere... and most exploits are equal-opportunity - they don't care whose computers they infect or where, if only to enlist them as part of global bot networks or to try to infect still other systems. I think the key safe-hex thing to do is employ a triage mindset:
1) if you don't actually need Java, get rid of it (including all its versions)
2) if you do truly need Java at times, keep it in chains (that is, disable it for browsing using the Java Control Panel, until it's specifically needed - then afterwards, disable it again... immediately)
3) make sure you only have the latest Java version installed (the rare exception should only be made when the user absolutely knows that an older version is required - which will exclude most Java users)
4) keep Java updated as soon as patches are released (given its favored-program status for hacking, it gets instant hacker attention when exploits are discovered)
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Selenia
Gentoo Convert
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
Or block the plugin at a network level to protect users at your IP address. You can VPN past it yourself, but most friends aren't that savvy. If they were, I'd just block the port except for my status IPs or the destination of all known VPN hosts except mine(unless they get my permission, which granny is not getting with how much I have cleaned her computer, only to see her reinfected the next week due to weak security practices). She is a good lady, but treats a computer like a toaster in terms of security and updates. Installs a bunch of crap that has clean alternatives. In the insecure IE days, it only took me 3 years to get her to try Firefox or Chromium(now she is behind the times because Webkit has had better security of built-in sandboxing and better rendering), but she did pull away from IE. Progress, folks. Yes, I have a right to setup my network to be protective from my home so nothing bad is coming from my IP address. I feel it to be a responsibility to do that. They will do what they want at home lol
--
A fool thinks they know everything.

A wise person knows enough to know they couldn't possibly know everything.

There are zealots for every OS, like every religion. They do not represent the majority of users for either.


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1

Have her use a VM for browsing. Blow it away and replace with fresh VM regularly.


rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA

1 edit
reply to Blackbird
There are only a couple of sites where I have used Java. One is here (dslreports.com) for the Java speed test. The other was secunia.com for their OSI (Online Software Inspector). However, the flash speed test works better for me now since I have a newer used computer and I use the PSI, which is installed locally and does not require Java. I could probably completely uninstall Java, for that matter. I will be thinking about that.

Added: I just uninstalled it from a Win 7 Pro 64-bit system. I had already disabled it for browsers, but had not restarted. I can't restart this system just any time, so I thought I'd just remove Java entirely. That worked fine and did not require a restart.

--
It is easier for a camel to put on a bikini than an old man to thread a needle.


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

4 edits
reply to Blackbird
Click for full size
Click for full size
Click for full size
Click for full size
Click for full size
said by Blackbird:

said by dandelion:

Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability," the warning adds.
I have read 2-3 posts all about java but this is the first time I have read about other applications also.

I think the reasoning is that certain Microsoft application software like Office have built-in 'features' that invoke IE to display certain web-residing information within the application software itself, so that a user who never ordinarily uses IE may still be exposed to the Java vulnerability if the exploits exist within pages that IE silently opens.

Exactly.
Take a look at Puran:
»www.puransoftware.com/screenshot ··· very.jpg
See that "Home" & "Like us on Facebook".
What do you think that is?

Well that is IE.
So when you run Puran, you are also running IE.

A little tab you say?
Well click into that little tab, then click Ctrl+N.
Woah Nelly, up pops, yes, IE in its full glory.

Looking to find duplicate files on your computer.
You guessed it, you are all running IE while you do.

1) clean looking app, no?

2) notice that "bar" that says "Home"?

3) when I right-click, it gives some odd context menu?

4) & if I do a Ctrl+N, up pops, IE, in all its glory!

in the first tiled window, I had IE blocked (in my firewall), & it was able to load the (locally stored) "home.html" page. once I unblocked IE (which would be the case for most everyone anyhow), the second tiled window, I was free to roam, anywhere, do anything IE can do, well, because I am running IE.

5) also note that because Puran needs to (perhaps better said, does) run with elevated permissions, so too does IE, running at a higher integrity level then it would otherwise.

(the sandboxed IE, running through Puran, the other instance run directly from desktop)

Frodo

join:2006-05-05
kudos:1

2 edits
reply to 47717768
Just came across this article regarding Java and Internet Explorer.

Essentially, the gist is that there are two ways for Java to execute in IE, one as an active X control, and the other way as an applet.

Since there are two ways to run Java, there should be two things done to shut it down (if needed). One would be to go to manage addons and disable the Java related addons. That takes care of the Active X.

Then, dealing with Java being called for as an applet would need to be dealt with. As the article explains, this can be dealt with in Group Policy. Since I have XP professional, that's how I dealt with it. You should be aware that if you want to shut Java down for a particular zone, that setting didn't show in my IE8. So, I backed up HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER and then ran the registry file indicated in the article and the Java setting for the individual internet zones now shows in the IE control panel for the individual IE zones.

So, just wanted to point out that in IE, Java can be invoked either by Active X, or by applet. Perhaps the setting in the Oracle Java control panel to not run Java in Internet Explorer is sufficient to shut Java down, but if one doesn't want to have a single point of failure, there are other things that can be done. Until I read that article, I thought disabling the Java addons was enough, but that apparently only shuts off the Active X invocation.

OS: XP professional
IE: IE8

Edit: I'm not vouching for that registry file. I installed it, and everything looked good. In the Internet Zone, my ability to change the Java setting was disabled since I had a setting in Group Policy. However, in the Restricted Zone, even though I also disabled Java in that Zone, in the browser control panel, the setting wasn't disabled.

Conclusion: This affirms my decision to buy professional products that can be administrated, as opposed to home user products.

2nd edit: I had previously disabled Java applets in Group Policy at the Computer configuration level. I went back in and disabled Java in the Internet and Restricted zones at the User Configuration level, and this time, the setting in the browser for the Restricted zone was disabled. So, if one wants to disable Java applets in IE for any of the zones, I recommend applying the settings at both the Computer configuration and User configuration levels.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6

1 edit

1 recommendation

You might want to read Woody's article,

»www.infoworld.com/t/web-browsers ··· page=0,0

weep, and then use the CERT registry file.

From Woody's article:

"You can disable Java in all of your browsers, simultaneously. Disabling Java in Chrome and Firefox is easy, but as best I can tell there's no way on heaven or earth to reliably disable Java in Internet Explorer, short of a complex procedure documented by the CERT team working on the latest attacks. Even then, I couldn't find any security experts willing to bet that CERT caught all of the potential vulnerable spots.

It gets worse. According to CERT, Microsoft botched its instructions for blocking Java in IE:

'Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers. There are multiple ways for a web page to invoke a Java applet, and multiple ways to configure Java Plug-in support. Microsoft has released KB article 2751647, which describes how to disable the Java plug-in for Internet Explorer. However, we have found that due to the multitude of ways that Java can be invoked in Internet Explorer, their guidance (as well as our prior guidance) does not completely disable Java.'

The Microsoft instructions kill about 20 Java CLSIDs. The CERT method kills almost 800 of them".

I didn't know anything about the Next Generation Java Plugin in IE and I had no idea that Java can now be invoked outside IE:

"is a newer version of the Java plug-in that execute outside the process space of the web browser. Note that this means that when invoked via the next-generation Java plug-in, Java executes outside any restrictions of the browser, such as DEP,
Protected Mode, or other sandboxing." According to CERT, the only way to stop this newer version of the Java plug-in in IE is to remove the file. Then IE reverts to using the OLDER Java Plug-in which operates within the confounds of the browser.

I also did not realize I would need to prevent IE from automatically opening JNLP files. CERT has a registry fix for this.

"A registry file that Disables the element in the IE "Internet Zone", sets the kill bit for all of the Java CLSIDs through Java 7 update 6, the Java Web Start ActiveX control, the Java Deployment Toolkit ActiveX controls, as well as prevents IE from automatically opening JNLP files, as described above, is available for download here:

»www.kb.cert.org/CERT_WEB/service ··· P_IE.reg
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:14
reply to HA Nut

 

quote:
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...
Yes and alot of ppl do!!!

Why is HOMELAND SECURITY telling ppl this INSTEAD OF SUN? (Oracle) -- I think there IS an agenda here!! (To get compromised versions of Java on ppls computer so they have a backdoor way in!!)

NO ONE SHOULD DO ANYTHING!!!!


cbrigante2
Cubs 20??
Premium
join:2002-11-22
North Aurora, IL
said by Dude111:

quote:
I find this warning strangely funny. I work in an industry that REQUIRES federal reporting and the only way to report is via an online Java application...
Yes and alot of ppl do!!!

Why is HOMELAND SECURITY telling ppl this INSTEAD OF SUN? (Oracle) -- I think there IS an agenda here!! (To get compromised versions of Java on ppls computer so they have a backdoor way in!!)

NO ONE SHOULD DO ANYTHING!!!!

Because Oracle (there is no more Sun..they were bought by Oracle) did NOTHING for months and months while a known exploit was out in the wild. Doing nothing is irresponsible advice. You ready to pay for all the damage that advice might cause? I didn't think so.