US government tells computer users to disable Java
Posted on 01/11/2013 6:44:04 PM PST by LouAvul
Edited on 01/11/2013 7:18:00 PM PST by Admin Moderator.
WASHINGTON (AP) The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.
The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.
Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.
Excerpt, read more at Windstream
...A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle’s Java 7 and affects even the latest version of the runtime (7u10).
The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown...
...Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to “Enable Java content in the browser,” which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.
The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.
Since this threat is Java-based, it will only affect systems that have Java installed. Most platforms do not come with Java, but if you have installed it and do not need or regularly use it, you might consider removing it from your system...
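The two Java Control Panel settings described in the excerpt above can also be checked from a deployment.properties file, which is useful when auditing more than one machine. This is an added example, not part of the original post or the quoted article; the property names `deployment.webjava.enabled` and `deployment.security.level`, the treatment of missing keys as defaults, and the sample file contents are assumptions that do not appear on this page.

```python
import re
import sys

# Assumed property names (not on the page) behind the two Control Panel settings.
WEBJAVA_KEY = "deployment.webjava.enabled"  # "Enable Java content in the browser"
LEVEL_KEY = "deployment.security.level"     # security level slider
LEVEL_RANK = {"MEDIUM": 0, "HIGH": 1, "VERY_HIGH": 2}

# Constructed sample files, for illustration only.
SAMPLE_WEAK = "deployment.webjava.enabled=true\ndeployment.security.level=MEDIUM\n"
SAMPLE_HARDENED = "# constructed\ndeployment.webjava.enabled = false\ndeployment.security.level: high\n"


def parse_properties(text):
    """Parse key=value, key:value or 'key value' lines; skip comments and blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props


def audit(text, min_level="HIGH"):
    """Return a list of findings; an empty list means both settings are hardened."""
    props = parse_properties(text)
    findings = []
    # Assumption: a missing key means the default applies (plug-in on, level Medium).
    if props.get(WEBJAVA_KEY, "true").lower() != "false":
        findings.append("browser plug-in enabled")
    level = props.get(LEVEL_KEY, "MEDIUM").upper()
    # Unknown or lower levels rank below every accepted level and are flagged.
    if LEVEL_RANK.get(level, -1) < LEVEL_RANK[min_level]:
        findings.append(f"security level {level} below {min_level}")
    return findings


if __name__ == "__main__":
    # Pass the path to a deployment.properties file, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_WEAK
    for finding in audit(content) or ["no findings"]:
        print(finding)
```

Calling `audit(text, min_level="VERY_HIGH")` applies the stricter level from the excerpt, at which all Java code requires approval whether or not it is signed.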
There was a different article about a Java threat posted here earlier.
This new article should stay, but Freepers may also want to consult the other one:
I disabled it and had to re-enable it or a program I need won’t load. Oh well.
"Mein Fuhrer, das Russkies sind auf das outskirts ov Berlin!"
Yeah disable Java...wouldn’t we all love to do that in a perfect world. Good luck doing that in an enterprise that uses ADP products, Kronos etc...
I’m sure the U.S. govt. has no applications that use java. They are smarter than that.
Uhhhh this alert is real and not fluff. Google it.
Tick, tick, tick...waiting for my 90 year old mother who reads all the junk advice emails to ask if she needs to disable something called java on her computer.
is it 3 o’clock in the morning?
No one’s home at The White Hut/Crib.
“Leave a message and we’ll get back to you, sometime...”
The government wants me to turn off my own paid-for software!
The government wants me to eat what i cannot!
The government wants me to jump their hoops!
Typical AP. So up Obama’s ass that they are too busy to tell people how to disable it!
Disabled in your browser? The only threat is from visiting malicious web sites so keep it enabled on the system.
When people surf random websites they can expect to get pwned. They should not expect any AV software, or any amount of turning off or any government advice to save them. Java will be safe if downloaded from any reasonable site, obviously not porn or Russian sites with miracle cures, or making $200 an hour surfing or anything else like that.
HUH? Seriously, you didn't read the alert or you don't understand it.
Don't care what YOU do, but the alert is real, dangerous and is a serious exploit of Java. Others should take heed. Or not.
If all you go by is these alerts then you may as well unplug from the internet. They will not keep you safe. OTOH, disabling java will mostly lose animated ads which are worthless anyway. Where this alert utterly fails is that it does not mention that the problem is malicious websites, not java. You must click on (or be redirected to) a malicious web site (and if you are redirected, it means the one you were at was malicious). Going to malicious websites has always been risky and always will be.
Are you retarded?
This is an exploit of the official Java. It has nothing to do with downloading it. You still haven’t read the alert have you?
It’s definitely not fluff. Our faculty member who is the security guy and I were talking about the threat this morning. I’ve been seeing bits and pieces for a while in the various online software blogs. Unfortunately, I’m teaching an intro Java course right now and I can’t disable it and still work. I’m also teaching a DB course that uses Oracle. This is nothing new, these little bugs have been around for a number of years, they’re just getting more serious of late.
Hopefully that line is satirical. The U.S. Gov like so many others bought into the Java is a more secure language myth years ago.
As you suggest, exploits have been around a long time. In the past, the security firms send out an alert, a patch is made, (essentially an upgrade to the program) and the cat ‘n mouse game goes on.
We don’t see a lot of alerts telling end consumers to not use the feature (Java in this case). That said an upgrade (patch) will be out soon, (a few days?) and life will go on.
Next the code exploits some vulnerability in the VM or interpreter, usually some kind of memory error. The memory error causes memory corruption which causes the VM or whatever to execute improper instructions which cause the actual damage (in the current case allowing the java VM to download and execute arbitrary binary code).
Nobody uses Java to make animated ads. It's too slow and clunky and too much of a pain to write. Plus, lots of folks have it disabled.
Animated ads are almost always Flash. Although, you can probably expect to see more and more HTML5-based ads.
DHS is just pissed that they can’t spy on programs running in the Java Runtime Engine (JRE) and they want us all to exit Java so we can be spied on. I mean the JRE was created largely for its security. The code runs in a virtual environment that has no way for attackers to use their usual hacking tools and methods. I doubt this info very much and I have received no alerts from Kaspersky.
What Apple wants, Obama gives.
I disabled 2 Java add-ons a day or so ago, after reading another thread about it. After reading this thread I went back to the add on page to see what version it was. Now it’s highlighted in red with a warning about it being known to be vulnerable, and to use with caution. That wasn’t there before when I disabled it. I’m not even sure why I have to have Java anyways, unless it’s for those video games I like to play sometimes. Thanks again for the heads-up.
obammy says you can also disable Java by turning in your guns.
Somehow or another, Java must be f'ing with some nefarious .gov scheme.