Author

Topic: Java 0-day Exploit. All browsers(Chrome included) are vulnerable. (Read 2802 times)

hero member
Activity: 546
Merit: 500

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

+1

Great post.

In Firefox, disable Java in the "Add-ons manager". Get there by the "Tools" drop down menu, go to "Add-ons" and the Java console will be there. Disable it.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
How about I just uninstall all versions of Java and not install Java at all until the coast is clear?
Excellent choice.
sr. member
Activity: 364
Merit: 250
this is why i have disabled java, and haven't run it thru my browser in 10 years or so...
legendary
Activity: 892
Merit: 1013
Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
+1
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
How about I just uninstall all versions of Java and not install Java at all until the coast is clear?
legendary
Activity: 2940
Merit: 1090
Doesn't java 6 also have vulnerabilities?

Most security sites seemed to be saying do NOT go back to older java...

-MarkM-
legendary
Activity: 1512
Merit: 1036
I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is this above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?

Uninstall these in order from newest to oldest. The older ones are from upgrades that didn't properly remove the previous version or uninstaller option. Then restart, verify there is no Java left, and download and install Java(TM) SE Runtime 6 Update 34 (developer kit only if you are a Java programmer) from the link I provided.

All versions of Java 7 are vulnerable - Java 7 Update 6 is the latest, so your computer also wasn't keeping things up to date - update 5 has many other disclosed vulnerabilites. It is a good idea to go into the control panel, Java, and change the update frequency from monthly to weekly or daily (and don't update again to a version 7 until this vulnerability has been corrected).
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is this above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?
legendary
Activity: 1512
Merit: 1036
This exploit is based on a vulnerability that appears introduced in Java 1.7 (Java 7). Java 6 is still maintained, and it's latest release is from August 14, 6u34.

I would recommend that until a patch or updated release for Java 7 is issued, that one completely uninstall Java 7 from your operating system (or uninstall any older unmaintained Java 6). Restart your operating system.

Then install the Java SE Runtime Environment 6 u34 release for your operating system from this page:

http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.

This is an interesting case - although no exploit site mentions IcedTea, it is based on the OpenJDK Java 7 source code, and it would also be suspect unless proven otherwise.
administrator
Activity: 5222
Merit: 13032
JRE sucks. Someone should make a better alternative. Flash, too.
legendary
Activity: 1806
Merit: 1003
I think you are confusing java with javascript. Javascript is quite safe and there's almost no security reason to turn it off. Mostly it could do
XSS and that is only if the site programmer implemented security poorly.

good lookin' out.  Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exists that don't auto update java properly due to pre existing malware or other misoncfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the compenents you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and or subsites you wish.
sr. member
Activity: 382
Merit: 253
In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.
legendary
Activity: 1050
Merit: 1002
Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
sr. member
Activity: 476
Merit: 250
In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.
hero member
Activity: 504
Merit: 500
good lookin' out.  Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exists that don't auto update java properly due to pre existing malware or other misoncfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the compenents you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and or subsites you wish.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Not that this exploit targets bitcoin, but it can very well be used to steal coins or cause other damages.

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
Jump to: