

MagnusM
Premium
join:2001-07-07

Java flaw allows complete bypass of security sandbox

Another day, another Java vulnerability.

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security flaw in Java SE 7 letting attackers take complete control of PCs.

»arstechnica.com/security/2012/09···sandbox/

If you haven't yet uninstalled Java completely from your systems, now is a good time. You won't miss out on anything as 99% of web sites don't require Java. If you leave Java installed, you are at risk of getting owned. Java is a security disaster and you're much better without it.
--
Mischel Internet Security - Developer of TrojanHunter


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

Someday we'll look back on these days and software like this (as well as Flash, Adobe Reader, etc) and slowly shake our heads in wonderment...
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to MagnusM

We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning...Java.
Thank you.

Best Regards,
Adam Gowdiak

Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for network computing. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!

1.1 billion desktops run Java
930 million Java Runtime Environment downloads each year
3 billion mobile phones run Java
31 times more Java phones ship every year than Apple and Android combined
100% of all Blu-ray players run Java
1.4 billion Java Cards are manufactured each year
Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

»www.java.com/en/about/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to MagnusM

You disclosed that the bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine (type safety). What could an attacker do by exploiting newest Java vulnerability?

Gowdiak: A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.

What security advice do you have for the one billion Java users at risk?

Gowdiak: Taking into account the risk posed by the bug uncovered, it is the best to disable Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update], so it might be possible that the bug will be addressed by the company on 16 Oct 2012.

To recap, this Java bug is even worse than the last critical Java vulnerability. It puts one billion users of Oracle’s Java SE, Java 5, 6 and 7, at risk. It could be exploited using these browsers: Chrome, Firefox, Internet Explorer, Opera and Safari. If you visit a maliciously crafted website, attackers could gain total control of your PC. Wow, thanks a lot Oracle.

»blogs.computerworld.com/malware-···ers-risk
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

lorennerol
Premium
join:2003-10-29
Seattle, WA

reply to Name Game

said by Name Game:

We hope that a news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not gonna spoil the taste of Larry Ellison's morning...Java.
Thank you.

Best Regards,
Adam Gowdiak

Java technology's versatility, efficiency, platform portability, and security make it the ideal technology for hackers to exploit and pwn you. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere, and hackers rejoice!

1.1 billion desktops run Java
930 million Java Runtime Environment downloads each year
3 billion mobile phones run Java
31 times more Java phones ship every year than Apple and Android combined
100% of all Blu-ray players run Java
1.4 billion Java Cards are manufactured each year
Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

»www.java.com/en/about/

Fixed it for you.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to MagnusM
I am getting really tired of being "authoritatively" told (not just by you either) to uninstall Java. I have to have Java for an important application I own and for Visualware and Web100 speed tests. I don't use joke Flash speed tests.

The more sensible answer would be to suggest that users keep Java unchecked in the Control Panel for both IE and nonActiveX browsers until they must use Java, and they are sure the website has not been compromised, or that their application that requires Java is also clean, and then they should enable Java only on one type of browser and only for as long as needed and then disable it again.

Another suggestion would be that knowledgeable users consider using a virtual machine for risky things like Java.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

1 edit

reply to MagnusM

Chrome might be vulnerable..but only if you give java permission to run in Chrome..don't disable it..just use common sense and a browser that alerts you.
»www.java.com/en/download/testjava.jsp

»www.isjavaexploitable.com/

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Or you can use the Proxomitron which also does not let it run until you click the toggle switch. Proxo works with ALL browsers so you don't have to use Chrome unless you want to use it for other reasons (you like it better than any other browser).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

Sounds a little better than your other last thoughts.

»www.proxomitron.info/tests/index.html

So just how do you do that toggle switch for Java? I know how proxomitron toggles for flash and how you can control javascript..but tell me more about java.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Well, I have to admit just now it did not toggle on IE 8 where I was starting several tabs to see if IE 8 has sandboxed tabs as ChaChaz says it does. It doesn't but one of the tabs I opened was to a site that uses Java and it started Java right up. I can't see if the same thing would happen on another browser and Proxo because I don't have the latest version of Java and Fx, Sea Monkey and Opera won't allow Java if not a very recent version. Until recently, those browsers allowed older versions of Java and I didn't use Java on IE so I guess I got the toggle switch on the other browsers.

Jasons Toolbox...what was it that I had from there that I loved? That link is dead and I can't remember what tool was so great and we all (this forum's members) had it....Ahhhhh! Script Sentry that I still have and use.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


GuruGuy

join:2002-12-16
Atlanta, GA

reply to Name Game

said by Name Game:

Chrome might be vulnerable..but only if you give java permission to run in Chrome..don't disable it..just use common sense and a browser that alerts you.
»www.java.com/en/download/testjava.jsp

»www.isjavaexploitable.com/

Does Chrome use that setting by default or do you have to enable it through config:
--
GuruGuy

redwolfe_98
Premium
join:2001-06-11
kudos:1

4 edits

reply to Mele20

said by Mele20:

The more sensible answer would be to suggest that users keep Java unchecked in the Control Panel for both IE and nonActiveX browsers until they must use Java

one of the tabs I opened was to a site that uses Java and it started Java right up

maybe you need to disable "java"?

FYI, short of uninstalling "java", "USCert" recommends using "firefox" with the "noscript" addon:

»www.kb.cert.org/vuls/id/636312

"Use NoScript.. Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information"..

similar to using "noscript", you could follow microsoft's recommendation to use high security-settings in IE and, then, "whitelist" some websites, as necessary, by adding them to IE's "trusted sites" zone..

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Name Game

Here's what I should see with Proxo and a site with a Java Applet. This is a screenshot from Opera 10 that has Java built in. (I get that error about "Please enable Java" because of the Proxo toggle button and also because I have to bypass Proxo there if I want to do the test because Proxo is blocking his ads. He is a really nice guy (member here) and so I don't mind seeing his ads in exchange for letting me do a Quality test there at his Los Angeles server (not the test in the screenshot...it is a capacity test and at Atlanta). I left Proxo enabled there to do a screen shot so you could see the toggle button.

I thought something was wrong with his California server for his Visualware outstanding Quality test because for a couple of weeks now IE 8 will no longer do the test there. I have the same version of Java on IE 8 that this old version of Opera uses so he is not blocking older versions of Java. I guess I will have to start up this old Opera version to do his test now (until I get a new computer and have the latest Java on it).
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

rdhw

join:2002-09-21
Cambridge UK

reply to MagnusM
Microsoft have published »support.microsoft.com/kb/2751647
"How to disable the Java web plug-in in Internet Explorer"
--
Robin Walker


redwolfe_98
Premium
join:2001-06-11
kudos:1

said by rdhw:

Microsoft have published »support.microsoft.com/kb/2751647
"How to disable the Java web plug-in in Internet Explorer"

i am not an expert, but it seems to me that, unfortunately, the activex-killbits that MS posted are only for disabling "old" versions of "java 7", not for disabling the latest version of "java 7" or any of the versions of "java 6"..

it doesn't make much difference to me since i don't have "java" installed on my computer, but, still, i would like to kill "java" every way possible.. i have every link for downloading "java", that i know of, blocked..

it is unfortunate that "oracle" doesn't seem to care if their "java" program is vulnerable to exploits.. in my opinion, the US government should step in and hold them accountable, forcing them to either shut down "java" or patch it..


MagnusM
Premium
join:2001-07-07

reply to MagnusM
You can use the free JavaRa tool to remove Java from your systems:

»singularlabs.com/software/javara/
--
Mischel Internet Security - Developer of TrojanHunter



EUS
Kill cancer
Premium
join:2002-09-10
canada

reply to MagnusM
A fair number of dslr members crunch, what do you propose to them for replacement software once they uninstall java?
--
~ Project Hope ~



MagnusM
Premium
join:2001-07-07

reply to MagnusM
If you absolutely need Java installed then use Google Chrome which will prompt for confirmation before executing Java applets on pages.
--
Mischel Internet Security - Developer of TrojanHunter


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to redwolfe_98
That should work for all versions of Java seems to me. Why do you think those killbits are only for certain versions of Java 7? I have them in my registry and I have Java 6.

But I think it is a lot easier to just disable Java in the Control Panel and then when you need it enable it and then disable it again.

I would NEVER install that awful Chrome browser that wants to profile me, and take away my privacy, just to have it warn me about Java. I did have Iron installed for awhile but I'd rather either do what I said above or use an old version of Opera where Java is built in and Proxo actually gives me a toggle switch on Opera but doesn't on IE.

I really don't understand why everyone is so worried. I used Microsoft's Java Virtual Machine WAY BEYOND when it was being serviced for security holes and never had any attempted infections. Then I have used old versions of Sun Java for years and nary a problem. It still comes down to practicing safe hex...don't go to dicey sites and use a classic HIPS and if you are really worried a virtual machine for when you need Java.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
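
Whether the ActiveX kill bits discussed in the posts above cover the Java version actually installed can be checked on the machine itself. The PowerShell below is an added example, not part of any post in this thread; it assumes a COM class is Java-related when its registered InprocServer32 path contains "java", and it matches by CLSID without distinguishing the 32-bit and 64-bit registry views.

```powershell
# Added example: compare the COM classes registered by Java with the
# ActiveX kill bits present in the registry.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from loading a control
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
)

function Get-KillBittedClsid {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $flags = $key.GetValue('Compatibility Flags')
            if ($null -ne $flags -and ($flags -band $KillBit) -ne 0) {
                $key.PSChildName        # the CLSID, e.g. {xxxxxxxx-...}
            }
        }
    }
}

function Get-JavaComClass {
    param([string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $srv = $key.OpenSubKey('InprocServer32')
            if ($null -eq $srv) { continue }
            $dll = [string]$srv.GetValue('')     # default value = server DLL path
            $srv.Close()
            # Assumption: "java" in the server path marks a Java plug-in class.
            if ($dll -match 'java') {
                [pscustomobject]@{ Clsid = $key.PSChildName; Server = $dll }
            }
        }
    }
}

$killed = @(Get-KillBittedClsid -Path $compatRoots | Sort-Object -Unique)
Get-JavaComClass -Path $classRoots | Sort-Object Clsid -Unique | ForEach-Object {
    [pscustomobject]@{
        Clsid      = $_.Clsid
        KillBitSet = ($killed -contains $_.Clsid)
        Server     = $_.Server
    }
} | Format-Table -AutoSize
```

Any row with `KillBitSet` False is a Java class that Internet Explorer can still instantiate despite the kill bits already in the registry.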



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

1 edit

reply to GuruGuy
It does it by default in google chrome

