Free Republic
Browse · Search
News/Activism
Topics · Post Article


1 posted on 01/10/2013 2:51:52 PM PST by alancarp


To: alancarp

I uninstalled Java several months ago. I only had one program that needed it, and I figured out another program to use for that task.

Remember that Java and JavaScript are two different things from different companies.

These two podcasts will get anyone who wants it up to speed, even though they’re a few months old.

http://www.grc.com/sn/sn-367.htm
http://www.grc.com/sn/sn-368.htm


2 posted on 01/10/2013 3:00:32 PM PST by MarineBrat (Better dead than red!)

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

3 posted on 01/10/2013 3:03:20 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: AdmSmith; Big Giant Head; grey_whiskers; Brandybux; dfwright; Bikkuri; Dacula; BuddaBudd; mbj; ...

4 posted on 01/10/2013 3:03:44 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: alancarp

“machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack.”

Yikes! I wish the article was more specific about the kind of damage the “attacks” do. I am only speculating that more harm could be done to older versions of Windows in particular, such as hiding entries in the Windows Registry.


5 posted on 01/10/2013 3:07:40 PM PST by TexasRepublic (Socialism is the gospel of envy and the religion of thieves)

To: alancarp

Nothing like throwing the baby out with the bathwater. The referenced problem is with Java browser plugins, not standalone Java. Yes, standalone Java probably has other security issues, but some of us need it and it is not nearly as exposed. In fact, I need the plugin, also, but haven’t yet decided what action to take if any.


11 posted on 01/10/2013 3:33:44 PM PST by steve86 (Acerbic by Nature, not Nurture™)

To: alancarp
Here's the source of the FUD: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ with this screen shot:

Does it make sense to request an exe with your browser? No. I suppose it could be an obfuscated link in a web page. But how does it involve java?

12 posted on 01/10/2013 3:38:51 PM PST by palmer (Obama = Carter + affirmative action)

To: alancarp

Additional detail over at Ars-
http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/


16 posted on 01/10/2013 3:49:54 PM PST by Slainte

To: alancarp

Techie bookmark.


17 posted on 01/10/2013 3:59:28 PM PST by Sergio (An object at rest cannot be stopped! - The Evil Midnight Bomber What Bombs at Midnight)

To: alancarp

I’ve been advising friends consider running their web browsers in a Sandbox via Sandboxie. http://www.sandboxie.com/

I run my browser in Sandboxie but, also on a non-persistent (load only) RAMdrive too (using Primo Ramdisk). It’s faster running from a ramdisk, and probably one of the most secure configs possible on Windows.


20 posted on 01/10/2013 4:12:55 PM PST by brandon24

To: alancarp

Bookmark.


21 posted on 01/10/2013 4:12:55 PM PST by The Cajun (Sarah Palin, Mark Levin......Nuff said.)

To: alancarp

This is a serious threat that probably all versions of java are susceptible to but since it is carried out via a web browser plugin all you need to do is to disconnect your java plugin from your browser as detailed here - https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/

In my case I do have a mission-critical app (java plugin based) that I need for my job but in my case I use firefox for that app and google chrome for everything else. The server for the app is behind a firewall so I’m going to bet that I’m OK there. So I’ll unplug java from google-chrome and leave it on in firefox and hopefully that’s ok. I’m also on linux which may have a measure of security through obscurity. (Or not).

I thought that maybe updating to java 1.7(10) might afford some protection but it most definitely does not. So far there is no known version of java that is without this security hole.

Unplug java from your browsers - it just takes a few seconds. I guess to be ultra safe one could uninstall java completely - I just cannot afford to do that unfortunately.


24 posted on 01/10/2013 4:31:58 PM PST by 2 Kool 2 Be 4-Gotten
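The per-browser unplugging in the post above is the browser side of the fix. On the Java side, the "Enable Java content in the browser" checkbox that Java 7 Update 10 added to the Java Control Panel is just a key in the deployment.properties file, so it can be set, and locked, without clicking through the GUI on every machine. The following is an added example, not code from this thread or from Oracle; it assumes the user-level file lives at ~/.java/deployment/deployment.properties (the Linux location; the path is also accepted on the command line so it can be pointed at the Windows or Mac file, or at the system-level file) and uses the documented keys deployment.webjava.enabled and deployment.security.level.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/** Turn off "Enable Java content in the browser" by editing deployment.properties directly. */
public class UnplugWebJava {

    // Oracle deployment keys, available from Java 7 Update 10 on.
    static final String WEBJAVA = "deployment.webjava.enabled";
    static final String LEVEL   = "deployment.security.level";

    /** Return a copy of `in` with browser Java disabled and the security slider at its highest setting. */
    static Properties harden(Properties in) {
        Properties out = new Properties();
        out.putAll(in);
        out.setProperty(WEBJAVA, "false");
        out.setProperty(LEVEL, "VERY_HIGH");
        // A "<key>.locked" entry is honoured in the system-level file (the one named by
        // deployment.config): the Control Panel then shows the setting greyed out so a user
        // cannot flip it back. In the per-user file it is ignored, which is harmless.
        out.setProperty(WEBJAVA + ".locked", "");
        out.setProperty(LEVEL + ".locked", "");
        return out;
    }

    /** True only if the file explicitly disables web Java; a missing key means Oracle's default, enabled. */
    static boolean webJavaDisabled(Properties p) {
        return "false".equalsIgnoreCase(p.getProperty(WEBJAVA, "true").trim());
    }

    static Properties load(Path file) throws IOException {
        Properties p = new Properties();
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                p.load(in);
            }
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: Linux per-user location. Pass the path explicitly for other platforms.
        Path file = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("user.home"), ".java", "deployment", "deployment.properties");

        Properties before = load(file);
        System.out.println(file + ": web Java disabled before = " + webJavaDisabled(before));

        Properties after = harden(before);
        Files.createDirectories(file.getParent());
        try (OutputStream out = Files.newOutputStream(file)) {
            after.store(out, "hardened: Java content in the browser disabled");
        }
        System.out.println(file + ": web Java disabled after  = " + webJavaDisabled(after));
    }
}
```

Run it as `java UnplugWebJava` for the current user, or as an administrator with the path of the system-level deployment.properties to push the locked setting to every account on the machine. Two caveats: the key only exists from 7u10 onward, so on Java 6 or an earlier 7 update the browser-side unplug described in the post is the only option; and this disables the plug-in for every browser on the box, so the "Java in Firefox only, not in Chrome" split the post describes still has to be done in the browsers themselves.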

To: alancarp

mark for home


26 posted on 01/10/2013 4:40:53 PM PST by The Mayor ("If you can't make them see the light, let them feel the heat" — Ronald Reagan)

To: alancarp
meh. Add NoScript to any Mozilla browser... then only allow script from known good sites. No Problemo.
27 posted on 01/10/2013 4:41:05 PM PST by roamer_1 (Globalism is just socialism in a business suit.)

sfl


30 posted on 01/10/2013 6:40:02 PM PST by phockthis (http://www.supremelaw.org/fedzone11/index.htm ...)

Tells you if JAVA is installed/working and has a link to simple instructions on how to disable it in your browser:
http://www.java.com/en/download/testjava.jsp


31 posted on 01/10/2013 7:04:15 PM PST by mrsmith (Dumb sluts: Lifeblood of the Media, Backbone of the Democrat Party!)

To: alancarp; a fool in paradise; Slings and Arrows
THIS JUST IN:

PC Users Urge Humans to Disable Experts!


33 posted on 01/10/2013 8:09:42 PM PST by Revolting cat! (Bad things are wrong! Ice cream is delicious!)

To: alancarp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Awareness System

US-CERT Alert TA13-010A
Oracle Java 7 Security Manager Bypass Vulnerability

Original release date: January 10, 2013
Last revised: --

Systems Affected

    Any system using Oracle Java 7 (1.7, 1.7.0) including

    * Java Platform Standard Edition 7 (Java SE 7)
    * Java SE Development Kit (JDK 7)
    * Java SE Runtime Environment (JRE 7)

    All versions of Java 7 through update 10 are affected.  Web
    browsers using the Java 7 plug-in are at high risk.


Overview

  A vulnerability in the way Java 7 restricts the permissions of Java
  applets could allow an attacker to execute arbitrary commands on a
  vulnerable system.


Description

  A vulnerability in the Java Security Manager allows a Java applet
  to grant itself permission to execute arbitrary code. An attacker
  could use social engineering techniques to entice a user to visit a
  link to a website hosting a malicious Java applet. An attacker
  could also compromise a legitimate web site and upload a malicious
  Java applet (a "drive-by download" attack).

  Any web browser using the Java 7 plug-in is affected. The Java
  Deployment Toolkit plug-in and Java Web Start can also be used as
  attack vectors.

  Reports indicate this vulnerability is being actively exploited,
  and exploit code is publicly available.

  Further technical details are available in Vulnerability Note
  VU#625617.


Impact

  By convincing a user to load a malicious Java applet or Java
  Network Launching Protocol (JNLP) file, an attacker could execute
  arbitrary code on a vulnerable system with the privileges of the
  Java plug-in process.


Solution

  Disable Java in web browsers

  This and previous Java vulnerabilities have been widely targeted by
  attackers, and new Java vulnerabilities are likely to be
  discovered. To defend against this and future Java vulnerabilities,
  disable Java in web browsers.

  Starting with Java 7 Update 10, it is possible to disable Java
  content in web browsers through the Java control panel applet. From
  Setting the Security Level of the Java Client:

  For installations where the highest level of security is required,
  it is possible to entirely prevent any Java apps (signed or
  unsigned) from running in a browser by de-selecting Enable Java
  content in the browser in the Java Control Panel under the Security
  tab.

  If you are unable to update to Java 7 Update 10 please see the
  solution section of Vulnerability Note VU#636312 for instructions
  on how to disable Java on a per browser basis.


References

* Vulnerability Note VU#625617
  <http://www.kb.cert.org/vuls/id/625617>

* Setting the Security Level of the Java Client
  <http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/client-security.html>

* The Security Manager
  <http://docs.oracle.com/javase/tutorial/essential/environment/security.html>

* How to disable the Java web plug-in in Safari
  <https://support.apple.com/kb/HT5241>

* How to turn off Java applets
  <https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets>

* NoScript
  <http://noscript.net/>

* Securing Your Web Browser
  <https://www.us-cert.gov/reading_room/securing_browser/#Safari>

* Vulnerability Note VU#636312
  <http://www.kb.cert.org/vuls/id/636312#solution>


Revision History

 January 10, 2013: Initial release

____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA13-010A Feedback VU#625617" in
  the subject.
____________________________________________________________________

  Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification.html

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/cas/techalerts/TA13-010A.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUO83IXdnhE8Qi3ZhAQLdxQf6A2LhLrArDieg41fxTuIViOXbgH6fZrDt
6bODaZIeTcvQfMMURbUb8MnTQEe7ogNbytb+XQaEzXE6A0YMdWp+93TxFy80wUI0
VpF0lBDwNyeAlwtzicLSQa5oa5Me0k5KPVUn9/mFJZh5Ff0cYjW1dt8dfXJUbH9/
OZ6ZJsnJchymJFlVax3Y87yZh9fPQC4n6dJ86CdLXqC9GaBihgBd1DUpborfWYoR
njvrtbcX+7iy+J8fS2C8/JtnQ5M+uilvqxrdU/Z9SdmebIF5HQjafLae9OmwH7Te
nxUcwwmuNqIA1Y9aN2DrStv+HnTi121DIxyaVgNOKjPnO/t5mDPKlw==
=xi3d
-----END PGP SIGNATURE-----
34 posted on 01/10/2013 9:55:26 PM PST by MarineBrat (Better dead than red!)
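What the alert's "Security Manager bypass" means in concrete terms: applet code runs under a Security Manager that refuses sensitive operations, and an exploit's whole objective is to get out of that sandbox, typically by removing the Security Manager, after which the applet runs with the full privileges of the plug-in process. The following is an added illustration, not code from the alert, from Oracle, or from the exploit: it builds the same kind of sandbox by hand with AccessController.doPrivileged and a restricted AccessControlContext, and shows the two operations a hostile applet would attempt being refused. The single permission it grants the sandboxed code (reading the user.home property) is a made-up allowance so that the difference between granted and denied is visible. It needs Java 8 or later for the method references; from JDK 18 add -Djava.security.manager=allow, and JDK 24 removed the Security Manager entirely, so it will not run there.

```java
import java.io.File;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/** An applet-style sandbox built on the Security Manager, and two things it must refuse. */
public class SandboxDemo {

    /** Run `task` with exactly `perms`: every check must pass for the caller AND for this context. */
    static <T> T runSandboxed(PrivilegedAction<T> task, Permissions perms) {
        // Two-argument ProtectionDomain = static permissions; the Policy is never consulted for it.
        ProtectionDomain pd = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
        AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { pd });
        return AccessController.doPrivileged(task, acc);
    }

    /** The real objective of a bypass: once the Security Manager is gone, every later check is a no-op. */
    static String tryToDisableSecurityManager() {
        try {
            System.setSecurityManager(null);   // needs RuntimePermission("setSecurityManager")
            return "ESCAPED: Security Manager removed";
        } catch (SecurityException e) {
            return "blocked: " + e.getMessage();
        }
    }

    /** Something untrusted applet code should never manage: enumerate the user's home directory. */
    static String tryToListHome() {
        try {
            String home = System.getProperty("user.home");   // PropertyPermission("user.home", "read")
            String[] names = new File(home).list();           // FilePermission(home, "read")
            return "listed " + home + ": " + (names == null ? 0 : names.length) + " entries";
        } catch (SecurityException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Grant the application itself every permission, then switch the Security Manager on.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // The "applet" may read one system property and nothing else.
        Permissions appletPerms = new Permissions();
        appletPerms.add(new PropertyPermission("user.home", "read"));

        System.out.println("sandboxed:   " + runSandboxed(SandboxDemo::tryToListHome, appletPerms));
        System.out.println("sandboxed:   " + runSandboxed(SandboxDemo::tryToDisableSecurityManager, appletPerms));

        // Same code, same JVM, outside the sandbox: the listing succeeds. This is what a
        // Security Manager bypass buys an attacker, with the privileges of the plug-in process.
        System.out.println("unsandboxed: " + tryToListHome());
    }
}
```

The sandboxed calls fail with java.security.AccessControlException naming the missing permission, because a check under doPrivileged(task, acc) has to be satisfied both by the domain on the stack (the application, which here has everything) and by the restricted context, so the task is limited to the intersection. Note what the demo does not show: the alert's vulnerability is precisely a way for code inside such a sandbox to make the second call succeed, and that is why the only robust mitigation in the alert is to keep untrusted applets from reaching the JVM at all.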

To: alancarp

No comment from Oracle anywhere.

http://www.kb.cert.org/vuls/id/625617

Why can’t the DHS go after the people who they KNOW are onto this...?? This is such nonsense.

It’s as if a rumor got around that a couple people figured out how to make a key that opens almost all doors. So instead of going after the few people who made the key, which is what they should be doing, the government tells us to lock ourselves behind our own doors - and then remove the lock.

Now everyone panics thinking they 1) have Java installed and 2) are first in line to be exploited. I’m an IT consultant and I work on quite a few networks with this stuff installed. I guess I’ll need to keep reading up on the severity of this before I start disabling everything and warning all my clients (before they all start hounding me about it), because the recommendation from DHS is not satisfactory enough for me. No comment from Oracle as far as I can tell...


39 posted on 01/12/2013 6:33:14 AM PST by bryan999
