http://www.pcmag.com/article2/0,2817,2414191,00.asp
I wish instead of just discovering these flaws they would discover who is using these flaws and punish them severely.
What does the developer of Java have to say about this?
Much more informative article.
Over here
http://support.mozilla.org/en-US/kb/how-to-use-java-if-its-been-blocked
In order to protect you, Firefox has stopped the Java plugin from running automatically because it has a security issue. However, you can still use Java on trusted sites if necessary. We’ll show you how.
U.S. Department of Homeland Security warning
Mozilla Security blog post on this issue
Table of Contents
Activate Java once
Always activate Java for a site
Warning: You should only attempt this on sites you trust.
Activate Java once
When you see the “Click here to activate” message, simply click it to load the Java content normally.
Activate Java
Note: The next time you visit the site or any other that uses Java you will see this message again.
OK. I’ve unplugged the coffee maker. Now what?
I use NoScript on Firefox so I have everything off from the get go and can selectively enable. What’s interesting is you then see the multitude of stuff running on some sites. One of the worst offenders of places I go to read stuff? The Blaze.
Click on the following link to see if you have java installed. If you do and you want to disable it, click the ‘Disable Java’ option on that web page and follow the instructions.
http://www.java.com/en/download/testjava.jsp
This is a little confusing. It isn’t Java that needs to be disabled; it’s support for running Java applets in the browser that needs to be disabled. Or, as one of the linked articles explains, you can raise the applet security level to “high,” which will warn you before running an unsigned applet.
The important thing to remember is that surfing to malicious sites is risky with or without Java enabled. Currently it is more risky with Java disabled, but that will change as it has before. The actual problem is VM's that download and run code. Flash does that and programs like Adobe reader (downloads and runs postscript). Certainly true with Javascript (no relation to Java). Running code in a flawed interpreter can lead to memory corruption and an exploit. Does anyone believe Java is the only VM/interpreter with flaws?
My neighbor had ransomware last week and neither malware bytes trend etc scans removed it all. I found it using process explorer and winpatrol (and prayer). Both should come with windows.
We noted yesterday that the two most popular Web threat tools used by hackers to distribute malware, the BlackHole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK), already included the latest Java exploit. Before we dive in to how CEK is already being used to push ransomware, heres a bit of background information.
Created by the same guy, CEK is the high-end version of BHEK ($10,000 per month versus $1,500 per year). 0-day exploits are first incorporated into the former and only added into the latter once they have been disclosed.
For those who dont know, ransomware is a very profitable type of threat which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for functionality to be reinstated. Access is limited either by encryption or locking the system.
CEK has been used to distribute ransomware before, but now its also using this latest Java vulnerability to do so. Trend Micro has detected the exploits in question as JAVA_EXPLOIT.RG and HTML_EXPLOIT.RG, as well as the ransomware payloads as Reveton (TROJ_REVETON.RG and TROJ_REVETON.RJ).
Reveton is one of the most common ransomware threats in existence today; these lock user systems and show spoofed notifications from local police agencies, Trend Micro says. These inform users that to unlock their system, they must pay a fine ranging from $200 to $300. -http://thenextweb.com/insider/2013/01/11/latest-java-vulnerability-possible-since-oracle-didnt-properly-fix-old-one-now-pushing-ransomware/
The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.- http://reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/
I run both Firefox and Chrome. I went to the pcmag link and did as instructed but Java didn’t show up as an option on either my Firefox addons or my Chrome plugins.
Is there another name I should be looking for?
FYI
From Firefox/Mozilla:
“In order to protect you, Firefox has stopped the Java plugin from running automatically because it has a security issue. However, you can still use Java on trusted sites if necessary. We’ll show you how [via the link below]”:
https://support.mozilla.org/en-US/kb/how-to-use-java-if-its-been-blocked
Something smells. They want everyone to disable until they have a new update, which everyone will download? And we know the government wants control of the Internet.
Don’t surf porn they say?
Well, that’s just crazy talk there......