1 posted on
01/10/2013 2:51:52 PM PST by
alancarp
To: alancarp
I uninstalled Java several months ago. I only had one program that needed it, and I figured out another program to use for that task.
Remember that Java and JavaScript are two different things from different companies.
These two podcasts will get anyone who wants it up to speed, even though they’re a few months old.
http://www.grc.com/sn/sn-367.htm
http://www.grc.com/sn/sn-368.htm
2 posted on
01/10/2013 3:00:32 PM PST by
MarineBrat
(Better dead than red!)
To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...
3 posted on
01/10/2013 3:03:20 PM PST by
ShadowAce
(Linux -- The Ultimate Windows Service Pack)
To: AdmSmith; Big Giant Head; grey_whiskers; Brandybux; dfwright; Bikkuri; Dacula; BuddaBudd; mbj; ...
4 posted on
01/10/2013 3:03:44 PM PST by
ShadowAce
(Linux -- The Ultimate Windows Service Pack)
To: alancarp
“machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.”
Yikes! I wish the article was more specific about the kind of damage the “attacks” do. I am only speculating that more harm could be done to older versions of Windows in particular, such as hiding entries in the Windows Registry.
5 posted on
01/10/2013 3:07:40 PM PST by
TexasRepublic
(Socialism is the gospel of envy and the religion of thieves)
To: alancarp
Nothing like throwing the baby out with the bathwater. The referenced problem is with Java browser plugins, not standalone Java. Yes, standalone Java probably has other security issues, but some of us need it and it is not nearly as exposed. In fact, I need the plugin, also, but haven’t yet decided what action to take if any.
11 posted on
01/10/2013 3:33:44 PM PST by
steve86
(Acerbic by Nature, not Nurture™)
To: alancarp
12 posted on
01/10/2013 3:38:51 PM PST by
palmer
(Obama = Carter + affirmative action)
To: alancarp
16 posted on
01/10/2013 3:49:54 PM PST by
Slainte
To: alancarp
17 posted on
01/10/2013 3:59:28 PM PST by
Sergio
(An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)
To: alancarp
I’ve been advising friends to consider running their web browsers in a Sandbox via Sandboxie. http://www.sandboxie.com/
I run my browser in Sandboxie but, also on a non-persistent (load only) RAMdrive too (using Primo Ramdisk). It’s faster running from a ramdisk, and probably one of the most secure configs possible on Windows.
To: alancarp
21 posted on
01/10/2013 4:12:55 PM PST by
The Cajun
(Sarah Palin, Mark Levin......Nuff said.)
To: alancarp
This is a serious threat that probably all versions of java are susceptible to but since it is carried out via a web browser plugin all you need to do is to disconnect your java plugin from your browser as detailed here - https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/
In my case I do have a mission-critical app (java plugin based) that I need for my job but in my case I use firefox for that app and google chrome for everything else. The server for the app is behind a firewall so I’m going to bet that I’m OK there. So I’ll unplug java from google-chrome and leave it on on firefox and hopefully that’s ok. I’m also on linux which may have a measure of security through obscurity. (Or not).
I thought that maybe updating to java 1.7(10) might afford some protection but it most definitely does not. So far there is no known version of java that is without this security hole.
Unplug java from your browsers - it just takes a few seconds. I guess to be ultra safe one could uninstall java completely - I just cannot afford to do that unfortunately.
To: alancarp
26 posted on
01/10/2013 4:40:53 PM PST by
The Mayor
("If you can't make them see the light, let them feel the heat" — Ronald Reagan)
To: alancarp
meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.
27 posted on
01/10/2013 4:41:05 PM PST by
roamer_1
(Globalism is just socialism in a business suit.)
30 posted on
01/10/2013 6:40:02 PM PST by
phockthis
(http://www.supremelaw.org/fedzone11/index.htm ...)
31 posted on
01/10/2013 7:04:15 PM PST by
mrsmith
(Dumb sluts: Lifeblood of the Media, Backbone of the Democrat Party!)
To: alancarp; a fool in paradise; Slings and Arrows
THIS JUST IN:
PC Users Urge Humans to Disable Experts!
33 posted on
01/10/2013 8:09:42 PM PST by
Revolting cat!
(Bad things are wrong! Ice cream is delicious!)
To: alancarp
National Cyber Awareness System
US-CERT Alert TA13-010A
Oracle Java 7 Security Manager Bypass Vulnerability
Original release date: January 10, 2013
Last revised: --
Systems Affected
Any system using Oracle Java 7 (1.7, 1.7.0) including
* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)
All versions of Java 7 through update 10 are affected. Web
browsers using the Java 7 plug-in are at high risk.
Overview
A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.
Description
A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary code. An attacker
could use social engineering techniques to entice a user to visit a
link to a website hosting a malicious Java applet. An attacker
could also compromise a legitimate web site and upload a malicious
Java applet (a "drive-by download" attack).
Any web browser using the Java 7 plug-in is affected. The Java
Deployment Toolkit plug-in and Java Web Start can also be used as
attack vectors.
Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.
Further technical details are available in Vulnerability Note
VU#625617.
Impact
By convincing a user to load a malicious Java applet or Java
Network Launching Protocol (JNLP) file, an attacker could execute
arbitrary code on a vulnerable system with the privileges of the
Java plug-in process.
Solution
Disable Java in web browsers
This and previous Java vulnerabilities have been widely targeted by
attackers, and new Java vulnerabilities are likely to be
discovered. To defend against this and future Java vulnerabilities,
disable Java in web browsers.
Starting with Java 7 Update 10, it is possible to disable Java
content in web browsers through the Java control panel applet. From
Setting the Security Level of the Java Client:
For installations where the highest level of security is required,
it is possible to entirely prevent any Java apps (signed or
unsigned) from running in a browser by de-selecting Enable Java
content in the browser in the Java Control Panel under the Security
tab.
If you are unable to update to Java 7 Update 10 please see the
solution section of Vulnerability Note VU#636312 for instructions
on how to disable Java on a per browser basis.
References
* Vulnerability Note VU#625617
<http://www.kb.cert.org/vuls/id/625617>
* Setting the Security Level of the Java Client
<http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html>
* The Security Manager
<http://docs.oracle.com/javase/tutorial/essential/environment/security.html>
* How to disable the Java web plug-in in Safari
<https://support.apple.com/kb/HT5241>
* How to turn off Java applets
<https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>
* NoScript
<http://noscript.net/>
* Securing Your Web Browser
<https://www.us-cert.gov/reading_room/securing_browser/#Safari>
* Vulnerability Note VU#636312
<http://www.kb.cert.org/vuls/id/636312#solution>
Revision History
January 10, 2013: Initial release
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA13-010A Feedback VU#625617" in
the subject.
____________________________________________________________________
Produced by US-CERT, a government organization.
____________________________________________________________________
This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html
Privacy & Use policy:
http://www.us-cert.gov/privacy/
This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA13-010A.html
34 posted on
01/10/2013 9:55:26 PM PST by
MarineBrat
(Better dead than red!)
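A check a defender could run against the two conditions the alert ties together (an affected Java 7 release, and Java content still enabled in the browser); this is an added example, not code from the thread or from US-CERT. It assumes the Java Control Panel persists its "Enable Java content in the browser" checkbox as the key deployment.webjava.enabled in the user's deployment.properties file (that key is not on the page), and the version banner and properties file it parses are constructed samples.

```python
"""Exposure check for the Java 7 plug-in issue in US-CERT TA13-010A.

Checks whether the installed Java is a 1.7.x release at update 10 or
earlier (the range the alert lists as affected) and whether Java content
in the browser is still enabled. Assumption: the Control Panel stores that
checkbox as deployment.webjava.enabled in deployment.properties.
"""
import re

# Constructed samples of a "java -version" banner line and of a
# deployment.properties file, so the example runs offline.
SAMPLE_VERSION_LINE = 'java version "1.7.0_10"'
SAMPLE_DEPLOYMENT_PROPERTIES = """#deployment.properties
#Thu Jan 10 16:00:00 PST 2013
deployment.security.level=HIGH
deployment.webjava.enabled=true
"""

def parse_java_version(banner):
    """Return (major, minor, update) from a line like java version "1.7.0_10"."""
    m = re.search(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"', banner)
    if not m:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    major, minor, _micro, update = m.groups()
    return int(major), int(minor), int(update or 0)

def is_affected_java7(banner):
    """True for Java 7 (1.7.x) at update 10 or below, the range TA13-010A names."""
    major, minor, update = parse_java_version(banner)
    return (major, minor) == (1, 7) and update <= 10

def webjava_enabled(properties_text):
    """Read deployment.webjava.enabled; an absent key means the default, enabled."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.webjava.enabled":
            return value.strip().lower() == "true"
    return True

def assess(banner, properties_text):
    """Browser exposure needs both: affected Java 7 and browser content enabled."""
    affected = is_affected_java7(banner)
    enabled = webjava_enabled(properties_text)
    return {"affected_java7": affected, "webjava_enabled": enabled,
            "browser_exposed": affected and enabled}
```

On a real machine, feed it the first line of `java -version` output and the contents of the user's deployment.properties; a machine at 7u10 with the checkbox still ticked reports browser_exposed True.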
To: alancarp
No comment from Oracle anywhere.
http://www.kb.cert.org/vuls/id/625617
Why can’t the DHS go after the people who they KNOW are onto this...?? This is such nonsense.
It’s as if a rumor got around that a couple people figured out how to make a key that opens almost all doors. So instead of going after the few people who made the key, which is what they should be doing, the government tells us to lock ourselves behind our own doors - and then remove the lock.
Now everyone panics thinking they 1) have Java installed and 2) are first in line to be exploited. I’m an IT consultant and I work on quite a few networks with this stuff installed. I guess I’ll need to keep reading up on the severity of this before I start disabling everything and warning all my clients (before they all start hounding me about it), because the recommendation from DHS is not satisfactory enough for me. No comment from Oracle as far as I can tell...
39 posted on
01/12/2013 6:33:14 AM PST by
bryan999