The Glade 4.0
https://gladerebooted.net/

You might want to disable Java right now
https://gladerebooted.net/viewtopic.php?f=2&t=9032

Author:  Stathol [ Tue Aug 28, 2012 4:20 pm ]
Post subject:  You might want to disable Java right now

An extremely nasty zero-day exploit in Oracle's Java runtime was just discovered:

http://secunia.com/advisories/50133

It allows for arbitrary execution of native (non-Java) code on the victim's machine. The user merely needs to visit a page, frame, etc. containing a hostile Java applet in any browser that has the Oracle Java plugin enabled. This is a cross-browser, cross-platform vulnerability in the JRE itself. If you use Oracle's Java plugin, you are vulnerable regardless of browser or OS.

That being said, most Mac users are probably using Apple's JRE, and most Linux users are probably using OpenJDK these days. You should verify this before assuming you are safe, of course.

If Oracle's past behavior holds, it is unlikely that this bug will be patched until mid-October. For the time being, the only way to protect yourself is to either uninstall Oracle's JRE, or disable the browser plugin component.

Chrome:

Go to "chrome://plugins" in your browser

IE:

Click the gear icon, then "manage add-ons"

Firefox:

Main menu > Add-ons > Plugins

Opera:

Beats the hell out of me.

I would strongly urge doing this unless you absolutely must have in-browser support for Java applets. Alternatively, if you, say, use Chrome for browsing, you could disable it in Chrome and leave it enabled in Firefox. Use Firefox only for loading specific, known safe pages that require Java. Default NoScript behavior also blocks plugin content without user intervention, which mitigates the potential that you might run hostile Java code in the first place.

Author:  Elmarnieh [ Tue Aug 28, 2012 4:57 pm ]
Post subject: 

Hooray for noscript and boobies.

Author:  Midgen [ Tue Aug 28, 2012 7:13 pm ]
Post subject: 

Thanks Stath..

Here is U.S. CERT VU
http://www.kb.cert.org/vuls/id/636312

Here is some potentially useful info from Computer World
http://www.computerworld.com/s/article/ ... onomyId=86

Author:  Aizle [ Wed Aug 29, 2012 8:36 am ]
Post subject: 

Appreciate the heads up.

Author:  Noggel [ Wed Aug 29, 2012 11:54 am ]
Post subject:  Re: You might want to disable Java right now

Yikes. These sorts of exploits are always pretty scary.

Author:  NephyrS [ Wed Aug 29, 2012 1:37 pm ]
Post subject: 

Anyone know offhand how to disable/remove it in Safari?

Author:  NephyrS [ Wed Aug 29, 2012 1:40 pm ]
Post subject: 

Scratch that.

I just checked into it some more, and apparently the bug is in Java 7, which you have to manually upgrade to on most Macs.

I checked, and I'm still on version 6, which isn't supposed to be vulnerable.

Author:  Midgen [ Wed Aug 29, 2012 1:45 pm ]
Post subject: 

I'd make absolutely certain of that. I'm not sure anyone has tested earlier versions...

Anyway, here is how to disable Java in Safari
https://support.apple.com/kb/HT5241

I only had a Java plugin on one of my PCs (work), and it was in Chrome. I only use Java for one function, which is a once-a-week thing. I have it disabled, and will re-enable it as needed until this gets patched.

Author:  NephyrS [ Wed Aug 29, 2012 2:01 pm ]
Post subject: 

http://www.macrumors.com/2012/08/28/new ... s-to-macs/

The first quote there (seems to be 3 different researchers) says that it affects all versions of Java 7, but does not affect 6 and below.

And thanks for the link- I've got it disabled there, but I wasn't sure if there was something else I needed to do.

Author:  Diamondeye [ Wed Aug 29, 2012 2:20 pm ]
Post subject:  Re: You might want to disable Java right now

What's Oracle, and how would I disable Java in Firefox? Is it only a problem if you have this Oracle thingy, or what?

Author:  Lenas [ Wed Aug 29, 2012 2:44 pm ]
Post subject:  Re: You might want to disable Java right now

Oracle is the company that owns and maintains Java.

Author:  Mookhow [ Wed Aug 29, 2012 2:45 pm ]
Post subject:  Re: You might want to disable Java right now

Oracle is a software company. They 'own' the Java programming language and release software so that Java can run on your PC. If you go to java.com, that's Oracle's Java runtime software. The exploit discussed in this thread is for Oracle's implementation of the Java runtime software, which is what most people have.

If you want to disable Java in Firefox, you can follow the instructions here: http://support.mozilla.org/en-US/kb/How ... %20applets

Author:  Midgen [ Wed Aug 29, 2012 3:42 pm ]
Post subject: 

I see now that the US Cert, according to the link I provided above, is recommending a downgrade to Java 6 (for those who must use it), so apparently it is not affected.

US Cert wrote:
Downgrade to Java 6

After uninstalling Java 7, the Java 6 JRE can be obtained from the Oracle Java download page. The latest Java 6 version as of the publication of this document is Java SE 6 Update 34.


FWIW, the one Java applet I use requires Java 7, so I just disabled mine, and will re-enable it as needed until it's patched.

Author:  Diamondeye [ Thu Aug 30, 2012 8:42 pm ]
Post subject:  Re: You might want to disable Java right now

I evidently have Java 6, update 31, according to my uninstall programs window on my control panel. Does that mean I'm OK?

Author:  Stathol [ Thu Aug 30, 2012 9:28 pm ]
Post subject:  Re: You might want to disable Java right now

Miracles never cease.

Oracle actually broke from their rigid update cycle policy and released Java 7 Update 7 this evening, which fixes this vulnerability plus several other vulns. present in Java 6 Update 34 (which is why downgrading is not such a great idea, CERT!)

I guess even Oracle realizes what a massive shitstorm this would be if they refused to patch for 6 weeks while the internet burns.
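
The version facts reported in this thread (Java 7 before Update 7 affected by CVE-2012-4681, Java 6 reported as not affected), turned into a check of `java -version` output. This is an added example, not part of any post in the thread; the function names and status labels are hypothetical, and the sample banners are constructed.

```python
import re
import subprocess

# Version facts as reported in this thread (not independently verified here):
# CVE-2012-4681 affects Java 7 before Update 7; Java 6 and below are reported
# as not affected, though Java 6 Update 34 has other vulnerabilities.
FIXED_MAJOR, FIXED_UPDATE = 7, 7

# Matches the legacy banner form, e.g.: java version "1.7.0_06"
_VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, update) parsed from `java -version` output, or None."""
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def classify(banner):
    """Classify a version banner with respect to CVE-2012-4681."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major < FIXED_MAJOR:
        return "reported-not-affected"
    if major > FIXED_MAJOR:
        return "unknown"  # the thread says nothing about later releases
    return "vulnerable" if update < FIXED_UPDATE else "patched"


def installed_java_status():
    """Classify the `java` found on PATH; the banner is written to stderr."""
    try:
        result = subprocess.run(["java", "-version"], capture_output=True,
                                text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return "no-java-on-path"
    return classify(result.stderr + result.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real machines.
    for sample in ('java version "1.7.0_06"', 'java version "1.7.0_07"',
                   'java version "1.6.0_31"', 'java version "1.7.0"'):
        print(sample, "->", classify(sample))
    print("local install ->", installed_java_status())
```

The browser plugin can belong to a different JRE install than the `java` on PATH, so compare the result with the plugin version shown in the browser's plugin list.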

Author:  Stathol [ Fri Aug 31, 2012 8:01 am ]
Post subject:  Re: You might want to disable Java right now

http://arstechnica.com/security/2012/08/oracle-patches-critical-java-bugs/

Quote:
Oracle reportedly learned of the bugs more than four months ago, but didn't issue the fixes until Thursday, four days after researchers discovered they were being targeted.


Quote:
The vulnerabilities addressed in the update include those designated as CVE-2012-4681. Among those Oracle credited was Adam Gowdiak of Poland-based Security Explorations, who said he alerted Oracle engineers to the vulnerabilities in April.


****.

Author:  Stathol [ Wed Sep 26, 2012 8:16 am ]
Post subject:  Re: You might want to disable Java right now

Here we go again:

http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

Total escape from the sandbox. This time the flaw exists in every version of Java released in the last 5 years. It gets better:

Quote:
Gowdiak and his team have found a total of 50 Java flaws. While this latest one apparently isn’t being exploited in the wild yet, another that was being exploited was patched by Oracle last month, reportedly four months after Oracle learned of the vulnerability.


How's that Sun buyout looking now, Oracle?

All times are UTC - 6 hours [ DST ]