Topic: Java 0-day Exploit. All browsers(Chrome included) are vulnerable. (Read 2796 times)

hero member
Activity: 546
Merit: 500

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

+1

Great post.

In Firefox, disable Java in the "Add-ons manager". Get there by the "Tools" drop down menu, go to "Add-ons" and the Java console will be there. Disable it.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
How about I just uninstall all versions of Java and not install Java at all until the coast is clear?
Excellent choice.
sr. member
Activity: 364
Merit: 250
this is why i have disabled java, and haven't run it thru my browser in 10 years or so...
legendary
Activity: 892
Merit: 1013
Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
+1
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
How about I just uninstall all versions of Java and not install Java at all until the coast is clear?
legendary
Activity: 2940
Merit: 1090
Doesn't java 6 also have vulnerabilities?

Most security sites seemed to be saying do NOT go back to older java...

-MarkM-
legendary
Activity: 1512
Merit: 1036
I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is this above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?

Uninstall these in order from newest to oldest. The older ones are from upgrades that didn't properly remove the previous version or uninstaller option. Then restart, verify there is no Java left, and download and install Java(TM) SE Runtime 6 Update 34 (developer kit only if you are a Java programmer) from the link I provided.

All versions of Java 7 are vulnerable - Java 7 Update 6 is the latest, so your computer also wasn't keeping things up to date - update 5 has many other disclosed vulnerabilities. It is a good idea to go into the control panel, Java, and change the update frequency from monthly to weekly or daily (and don't update again to a version 7 until this vulnerability has been corrected).
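The triage described in the reply above, as an added example that is not part of the original thread: it parses installed-program lines in the format quoted in the post, applies the two thresholds the thread states (every Java 7 update affected, Java 6 current at Update 34), and returns the removal order newest first. The function names, the "review" bucket for entries such as JavaFX, and the last sample line are assumptions of this example.

```python
import re

# Thresholds stated in the thread: every Java 7 update is affected, and
# Java 6 Update 34 is the maintained Java 6 release to fall back to.
AFFECTED_MAJOR = 7
JAVA6_CURRENT_UPDATE = 34

# Matches e.g. "Java(TM) 7 Update 5" and "Java(TM) SE Runtime Environment 6 Update 1".
ENTRY = re.compile(
    r"^Java\(TM\)\s+(?:SE\s+(?:Development Kit|Runtime Environment)\s+)?"
    r"(?P<major>\d+)(?:\s+Update\s+(?P<update>\d+))?"
)

# The first four lines are the listing quoted in the post; the last is constructed.
SAMPLE = [
    "Java(TM) 7 Update 5 Installed On 7/3/2012",
    "Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011",
    "Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008",
    "JavaFX 2.1.1 Installed On 7/3/2012",
    "Java(TM) 6 Update 34",
]

def parse(line):
    """Return (major, update) for a Java SE entry, or None for anything else."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)

def classify(line):
    """Return 'uninstall', 'keep' or 'review' for one installed-program line."""
    version = parse(line)
    if version is None:
        return "review"  # assumption: no version rule is given for non-SE entries
    major, update = version
    if major == AFFECTED_MAJOR:
        return "uninstall"
    if major == 6:
        return "uninstall" if update < JAVA6_CURRENT_UPDATE else "keep"
    return "review"

def removal_order(lines):
    """Entries to uninstall, newest version first, as the reply advises."""
    hits = [line for line in lines if classify(line) == "uninstall"]
    return sorted(hits, key=parse, reverse=True)

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):9} {line}")
    print("Remove in this order:", *removal_order(SAMPLE), sep="\n  ")
```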
member
Activity: 98
Merit: 10
(:firstbits => "1mantis")
I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is this above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?
legendary
Activity: 1512
Merit: 1036
This exploit is based on a vulnerability that appears to have been introduced in Java 1.7 (Java 7). Java 6 is still maintained, and its latest release is from August 14, 6u34.

I would recommend that until a patch or updated release for Java 7 is issued, that one completely uninstall Java 7 from your operating system (or uninstall any older unmaintained Java 6). Restart your operating system.

Then install the Java SE Runtime Environment 6 u34 release for your operating system from this page:

http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.

This is an interesting case - although no exploit site mentions IcedTea, it is based on the OpenJDK Java 7 source code, and it would also be suspect unless proven otherwise.
administrator
Activity: 5222
Merit: 13032
JRE sucks. Someone should make a better alternative. Flash, too.
legendary
Activity: 1806
Merit: 1003
I think you are confusing java with javascript. Javascript is quite safe and there's almost no security reason to turn it off. Mostly it could do XSS and that is only if the site programmer implemented security poorly.

good lookin' out. Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exist that don't auto update java properly due to pre-existing malware or other misconfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the components you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and or subsites you wish.
sr. member
Activity: 382
Merit: 253
In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.
legendary
Activity: 1050
Merit: 1002
Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
sr. member
Activity: 476
Merit: 250
In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.
hero member
Activity: 504
Merit: 500
good lookin' out. Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exist that don't auto update java properly due to pre-existing malware or other misconfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the components you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and or subsites you wish.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
Not that this exploit targets bitcoin, but it can very well be used to steal coins or cause other damages.

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/