
MagnusM
Premium
join:2001-07-07

2 recommendations

Java flaw allows complete bypass of security sandbox

Another day, another Java vulnerability.

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security flaw in Java SE 7 letting attackers take complete control of PCs.

»arstechnica.com/security/2012/09···sandbox/

If you haven't yet uninstalled Java completely from your systems, now is a good time. You won't miss out on anything as 99% of web sites don't require Java. If you leave Java installed, you are at risk of getting owned. Java is a security disaster and you're much better without it.
--
Mischel Internet Security - Developer of TrojanHunter



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

Someday we'll look back on these days and software like this (as well as Flash, Adobe Reader, etc) and slowly shake our heads in wonderment...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning...Java.
Thank you.

Best Regards,
Adam Gowdiak

Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

1.1 billion desktops run Java
930 million Java Runtime Environment downloads each year
3 billion mobile phones run Java
31 times more Java phones ship every year than Apple and Android combined
100% of all Blu-ray players run Java
1.4 billion Java Cards are manufactured each year
Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

»www.java.com/en/about/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

You disclosed that the bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine (type safety). What could an attacker do by exploiting newest Java vulnerability?

Gowdiak: A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.

What security advice do you have for the one billion Java users at risk?

Gowdiak: Taking into account the risk posed by the bug uncovered, it is the best to disable Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.

To recap, this Java bug is even worse than the last critical Java vulnerability. It puts one billion users of Oracle’s Java SE, Java 5, 6 and 7, at risk. It could be exploited using these browsers: Chrome, Firefox, Internet Explorer, Opera and Safari. If you visit a maliciously crafted website, attackers could gain total control of your PC. Wow, thanks a lot Oracle.

»blogs.computerworld.com/malware-···ers-risk
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

lorennerol
Premium
join:2003-10-29
Seattle, WA

1 recommendation

reply to Name Game

said by Name Game:

We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning...Java.
Thank you.

Best Regards,
Adam Gowdiak

Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for hackers to exploit and pwn you. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere, and hackers rejoice!

1.1 billion desktops run Java
930 million Java Runtime Environment downloads each year
3 billion mobile phones run Java
31 times more Java phones ship every year than Apple and Android combined
100% of all Blu-ray players run Java
1.4 billion Java Cards are manufactured each year
Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

»www.java.com/en/about/

Fixed it for you.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to MagnusM

I am getting really tired of being "authoritatively" told (not just by you either) to uninstall Java. I have to have Java for an important application I own and for Visualware and Web100 speed tests. I don't use joke Flash speed tests.

The more sensible answer would be to suggest that users keep Java unchecked in the Control Panel for both IE and non-ActiveX browsers until they must use Java, and they are sure the website has not been compromised, or that their application that requires Java is also clean, and then they should enable Java only on one type of browser and only for as long as needed and then disable it again.

Another suggestion would be that knowledgeable users consider using a virtual machine for risky things like Java.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to MagnusM

Chrome might be vulnerable..but only if you give Java permission to run in Chrome..don't disable it..just use common sense and a browser that alerts you.
»www.java.com/en/download/testjava.jsp

»www.isjavaexploitable.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Or you can use the Proxomitron which also does not let it run until you click the toggle switch. Proxo works with ALL browsers so you don't have to use Chrome unless you want to use it for other reasons (you like it better than any other browser).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Sounds a little better than your other last thoughts.

»www.proxomitron.info/tests/index.html

So just how do you do that toggle switch for Java? I know how Proxomitron toggles for Flash and how you can control JavaScript..but tell me more about Java.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Well, I have to admit just now it did not toggle on IE 8 where I was starting several tabs to see if IE 8 has sandboxed tabs as ChaChaz says it does. It doesn't but one of the tabs I opened was to a site that uses Java and it started Java right up. I can't see if the same thing would happen on another browser and Proxo because I don't have the latest version of Java and Fx, Sea Monkey and Opera won't allow Java if not a very recent version. Until recently, those browsers allowed older versions of Java and I didn't use Java on IE so I guess I got the toggle switch on the other browsers.

Jasons Toolbox...what was it that I had from there that I loved? That link is dead and I can't remember what tool was so great and we all (this forum's members) had it....Ahhhhh! Script Sentry that I still have and use.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


GuruGuy

join:2002-12-16
Atlanta, GA
reply to Name Game

said by Name Game:

Chrome might be vulnerable..but only if you give Java permission to run in Chrome..don't disable it..just use common sense and a browser that alerts you.
»www.java.com/en/download/testjava.jsp

»www.isjavaexploitable.com/

Does Chrome use that setting by default or do you have to enable it through config?
--
GuruGuy

redwolfe_98
Premium
join:2001-06-11
kudos:1

4 edits
reply to Mele20

said by Mele20:

The more sensible answer would be to suggest that users keep Java unchecked in the Control Panel for both IE and nonActiveX browsers until they must use Java

one of the tabs I opened was to a site that uses Java and it started Java right up

maybe you need to disable "java"?

FYI, short of uninstalling "java", "USCert" recommends using "firefox" with the "noscript" addon:

»www.kb.cert.org/vuls/id/636312

"Use NoScript.. Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information"..

similar to using "noscript", you could follow microsoft's recommendation to use high security-settings in IE and, then, "whitelist" some websites, as necessary, by adding them to IE's "trusted sites" zone..

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

Here's what I should see with Proxo and a site with a Java Applet. This is a screenshot from Opera 10 that has Java built in. (I get that error about "Please enable Java" because of the Proxo toggle button and also because I have to bypass Proxo there if I want to do the test because Proxo is blocking his ads.) He is a really nice guy (member here) and so I don't mind seeing his ads in exchange for letting me do a Quality test there at his Los Angeles server (not the test in the screenshot...it is a capacity test and at Atlanta). I left Proxo enabled there to do a screen shot so you could see the toggle button.

I thought something was wrong with his California server for his Visualware outstanding Quality test because for a couple of weeks now IE 8 will no longer do the test there. I have the same version of Java on IE 8 that this old version of Opera uses so he is not blocking older versions of Java. I guess I will have to start up this old Opera version to do his test now (until I get a new computer and have the latest Java on it).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

rdhw

join:2002-09-21
Cambridge UK
reply to MagnusM

Microsoft have published »support.microsoft.com/kb/2751647
"How to disable the Java web plug-in in Internet Explorer"
--
Robin Walker


redwolfe_98
Premium
join:2001-06-11
kudos:1

said by rdhw:

Microsoft have published »support.microsoft.com/kb/2751647
"How to disable the Java web plug-in in Internet Explorer"

i am not an expert, but it seems to me that, unfortunately, the activex-killbits that MS posted are only for disabling "old" versions of "java 7", not for disabling the latest version of "java 7" or any of the versions of "java 6"..

it doesn't make much difference to me since i don't have "java" installed on my computer, but, still, i would like to kill "java" every way possible.. i have every link for downloading "java", that i know of, blocked..

it is unfortunate that "oracle" doesn't seem to care if their "java" program is vulnerable to exploits.. in my opinion, the US government should step in and hold them accountable, forcing them to either shut down "java" or patch it..


MagnusM
Premium
join:2001-07-07
reply to MagnusM

You can use the free JavaRa tool to remove Java from your systems:

»singularlabs.com/software/javara/
--
Mischel Internet Security - Developer of TrojanHunter



EUS
Kill cancer
Premium
join:2002-09-10
canada
reply to MagnusM

A fair number of dslr members crunch, what do you propose to them for replacement software once they uninstall java?
--
~ Project Hope ~



MagnusM
Premium
join:2001-07-07
reply to MagnusM

If you absolutely need Java installed then use Google Chrome which will prompt for confirmation before executing Java applets on pages.
--
Mischel Internet Security - Developer of TrojanHunter


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to redwolfe_98

That should work for all versions of Java seems to me. Why do you think those killbits are only for certain versions of Java 7? I have them in my registry and I have Java 6.

But I think it is a lot easier to just disable Java in the Control Panel and then when you need it enable it and then disable it again.

I would NEVER install that awful Chrome browser that wants to profile me, and take away my privacy, just to have it warn me about Java. I did have Iron installed for awhile but I'd rather either do what I said above or use an old version of Opera where Java is built in and Proxo actually gives me a toggle switch on Opera but doesn't on IE.

I really don't understand why everyone is so worried. I used Microsoft's Java Virtual Machine WAY BEYOND when it was being serviced for security holes and never had any attempted infections. Then I have used old versions of Sun Java for years and nary a problem. It still comes down to practicing safe hex...don't go to dicey sites and use a classic HIPS and if you are really worried a virtual machine for when you need Java.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
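A way to check the question redwolfe_98 and Mele20 are debating above (whether the posted kill bits actually cover the Java version installed on a given PC), as an added example that is not from the thread or from Microsoft's KB article: it lists every ActiveX class registered on the machine whose name mentions Java and reports whether IE's kill bit (Compatibility Flags 0x400) is set for it. Assumes Windows with PowerShell 2.0 or later and read access to HKLM; the "Java" name filter is deliberately loose, so inspect the Name column.

```powershell
# Added example (not from the thread): for each registered ActiveX class whose
# name mentions Java, report whether the IE kill bit is set, so you can see
# whether the kill bits you applied cover the Java version you actually have.
# Assumes Windows, PowerShell 2.0+ and read access to HKLM.

$KillBit = 0x400   # the "kill bit" flag in Compatibility Flags

# Native view plus, on 64-bit Windows, the 32-bit (Wow6432Node) view; the
# 32-bit view matters because the Java browser plug-in is normally 32-bit.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path $_ }

$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
) | Where-Object { Test-Path $_ }

# True if the kill bit is set for this CLSID in any compatibility view.
function Test-KillBit {
    param([string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($flags -ne $null -and ($flags -band $KillBit) -ne 0) { return $true }
        }
    }
    return $false
}

# One record per registered class whose default (friendly) name contains "Java".
function Get-JavaActiveXStatus {
    foreach ($root in $ClsidRoots) {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $name = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            if ($name -and $name -match 'Java') {
                New-Object PSObject -Property @{
                    CLSID   = $key.PSChildName
                    Name    = $name
                    KillBit = Test-KillBit -Clsid $key.PSChildName
                }
            }
        }
    }
}

# Any row with KillBit = False is a Java control that IE can still load.
Get-JavaActiveXStatus | Sort-Object KillBit, Name | Format-Table CLSID, Name, KillBit -AutoSize
```

Rows with KillBit = False are the ones the posted kill bits do not cover; a control only shows up here if it is registered, so an uninstalled Java produces no rows at all.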



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to GuruGuy

It does it by default in Google Chrome.



bluepoint

join:2001-03-24
reply to MagnusM

said by MagnusM:

If you absolutely need Java installed then use Google Chrome which will prompt for confirmation before executing Java applets on pages.

Or IE 9/10 using ActiveX filtering.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to EUS

said by EUS:

A fair number of dslr members crunch, what do you propose to them for replacement software once they uninstall java?

I too have seen other security people suggest to uninstall Java lately, not just Magnus. It is an easy target..too easy in fact.

Even back in 2011, Java was considered harmful:

»www.f-secure.com/weblog/archives···285.html


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

The reason I asked about this Java toggle or switch in Proxomitron is because I started researching it. It seems you were the only one who posted in various forums about a toggle for Flash and Java with this product and no one else..I did see where there was a development switch thing that did not seem to work very well and never seemed to be adopted..so do you have a link that explains/shows how it works for that filter?
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


rdhw

join:2002-09-21
Cambridge UK
reply to Mele20

said by Mele20:

I think it is a lot easier to just disable Java in the Control Panel and then when you need it enable it and then disable it again.

Which control panel setting is it that you think disables Java?

Have you checked that it does in fact disable all of Java?
--
Robin Walker


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

That would have been my next question..you can disable it if you do some registry hacks..but I've never seen it done in the Control Panel of the OS..not even in the advanced security area. But always willing to learn.



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

The version of Chrome that was called out to be vulnerable is Google Chrome 21.0.1180.89, if one bypasses the warning.

»seclists.org/fulldisclosure/2012/Sep/170

The other day Chrome updated to Version 22.0.1229.79 m on the stable channel.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to Mele20

BTW, ever try this... Need to see the HTML source of a website you don't want to browse to but only have a PC with no tools? Run Notepad and File/Open the URL.



EUS
Kill cancer
Premium
join:2002-09-10
canada

1 edit
reply to MagnusM

Does this affect Open Office users, or is the exploit strictly browser based?
Eek, Libre Office uses java as well, what is an open source guy to do?
--
~ Project Hope ~



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

4 edits

What version of Open Office are you concerned about? BTW..they are way behind the power curve on Java.

Based upon this old vulnerability back in 2006 I would say yes..they are vulnerable.
»www.openoffice.org/security/cves···199.html

But there are bigger issues with Open Office. Even lately OpenOffice doesn't yet play well with Java 7. Many wound up switching their system JRE back to 6 and the default Eclipse JRE to Java 7.

»www.selikoff.net/2012/07/01/java···-office/

The authors of Java 7 changed some of the entry points, with the result that some Java 6 applications fail. One of these happens to be OpenOffice. Under Windows one must install a 32 bit Java (because OpenOffice is a 32 bit application) and because of the changes in Java 7, this must be Java 6. A 32 bit Java 6 can be downloaded from the second link in this posting.
»user.services.openoffice.org/en/···#p240389



rcdailey
Dragoonfly
Premium
join:2005-03-29
Rialto, CA
reply to Name Game

Neat trick. Safe, too.