JAVA Attack

Keep it clean, children may be present.

Moderators: Sluggo, Amskeptic

Amskeptic
IAC "Help Desk"

JAVA Attack

Post by Amskeptic » Mon Jan 14, 2013 6:52 pm

Not looking good. Malicious computer hijacking possible through infected website secret code dump. Recommended to shut off JAVA (browser applets), no known fix at this time EVEN THOUGH JAVA claims that 7.11 is good. Some sites have even suggested that repair may take up to two years.
What have you heard?
Colin

http://bits.blogs.nytimes.com/2013/01/1 ... necessary/
BobD - 78 Bus . . . 112,730 miles
Chloe - 70 bus . . . 217,593 miles
Naranja - 77 Westy . . . 142,970 miles
Pluck - 1973 Squareback . . . . . . 55,600 miles
Alexus - 91 Lexus LS400 . . . 96,675 miles

Westy78
IAC Addict!
Location: Stumptown OR

Re: JAVA Attack

Post by Westy78 » Mon Jan 14, 2013 9:08 pm

Looks like Oracle has addressed the problem with an update available today. I use Firefox as my default browser and have Java disabled.

http://www.npr.org/blogs/thetwo-way/201 ... sabling-it
Chorizo, it's what's for breakfast.

Amskeptic
IAC "Help Desk"

Re: JAVA Attack

Post by Amskeptic » Mon Jan 14, 2013 9:19 pm

Westy78 wrote: Looks like Oracle has addressed the problem with an update available today.

http://www.npr.org/blogs/thetwo-way/201 ... sabling-it

That's what I thought too,
Oracle addressed the security threat by releasing Java SE 7 update 11. The company provides instructions on how to update the software patch on its website.

Although it appears that the software vulnerability has been fixed, there may still be bugs in the software.

Reuters reports that Adam Gowdiak, Java security expert at Security Explorations, says Oracle's update leaves "several critical security flaws" unfixed.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak told Reuters.

In a statement given to CBS News, Security Explorations elaborated on the possible security flaw.


Although Java 7 Update 11 released by Oracle yesterday addresses the 0-day attack spotted in the wild, there are still unpatched security vulnerabilities that affect the most recent version of the software. Just to mention the bug #50 we reported to Oracle on 25-Sep-2012.
That doesn't necessarily mean users should skip the software update. Kurt Baumgartner, senior security researcher at Kaspersky Lab, tells CBSNews.com that it appears that Oracle fixed the issue at hand, but there are always going to be flaws in software.

"No one is going to guarantee 100 percent on any issue, but they are taking care of the issue at hand," Baumgartner said, adding that it's unnecessary, and to a certain extent unrealistic, for all users to disable Java.

Last year Kaspersky Labs found that 50 percent of all cyber attacks last year using software bugs were done by exploiting a hole in Java. Baumgartner posits that one of the security risks is that Oracle may know about a software vulnerability, but may not release a patch in time to protect users.

Westy78
IAC Addict!
Location: Stumptown OR

Re: JAVA Attack

Post by Westy78 » Mon Jan 14, 2013 9:28 pm

Huh. I guess it's better to just leave it disabled for the time being. I've disabled it in the "Java Control Panel" under the advanced tab in the computer control panel for "Mozilla Family" and "Microsoft Internet Explorer" for now. I wonder if I can still use my online banking without it?

Amskeptic
IAC "Help Desk"

Re: JAVA Attack

Post by Amskeptic » Mon Jan 14, 2013 9:52 pm

Westy78 wrote: Huh. I guess it's better to just leave it disabled for the time being. I've disabled it in the "Java Control Panel" under the advanced tab in the computer control panel for "Mozilla Family" and "Microsoft Internet Explorer" for now. I wonder if I can still use my online banking without it?
I had no idea how ubiquitous this "Java" stuff is. Even the folders on this site went dead, so did the buttons up there, like "quote" I had to manually enter.
Stupid new world. They got us over the barrel. "you agree to allow us to share information about your browser experience . . . . "

Westy78
IAC Addict!
Location: Stumptown OR

Re: JAVA Attack

Post by Westy78 » Tue Jan 15, 2013 7:31 am

The quote button still works on my end with Java disabled.? But yeah, Java is in way more than you think.

Amskeptic
IAC "Help Desk"

Re: JAVA Attack

Post by Amskeptic » Tue Jan 15, 2013 10:27 pm

Westy78 wrote: The quote button still works on my end with Java disabled.? But yeah, Java is in way more than you think.
Might be my Chrome settings, I am on "full paranoid".
Colin

tristessa
Trusted Air-Cooled Maniac
Location: Uwish Uknew, Oregon

Re: JAVA Attack

Post by tristessa » Wed Jan 16, 2013 8:44 pm

There's a difference between Java and JavaScript. All of the forum functions (at least the ones *I* see) are in JavaScript.

This isn't to say that JavaScript can't be used for malicious things (that's been going on for years), but it's a different thing altogether from the current Java vulnerability.
Remember, only YOU can prevent narcissism!

Amskeptic
IAC "Help Desk"

Re: JAVA Attack

Post by Amskeptic » Thu Jan 17, 2013 1:31 pm

tristessa wrote: There's a difference between Java and JavaScript. All of the forum functions (at least the ones *I* see) are in JavaScript.

This isn't to say that JavaScript can't be used for malicious things (that's been going on for years), but it's a different thing altogether from the current Java vulnerability.
I deleted everything with the name JAVA to await the new improved shouldabintightfromthegitgo JAVA update.
Colin
(how 'bout that Boeing Dreamliner, huh?)

zabo
Old School!
Location: earth

Re: JAVA Attack

Post by zabo » Thu Jan 17, 2013 1:56 pm

yea no need for that - it's like pulling off your plug wires because your glovebox is broken
Sophos Security notes that understandably, some users mistakenly think turning off Java also turns off JavaScript, which controls the look and feel of Web pages.

"Most modern websites make heavy use of JavaScript, so these people are worried that sites such as Facebook, Twitter ... will be pretty much useless if they follow our 'turn Java off' advice," writes Paul Ducklin of Sophos Security on the company's blog Wednesday.

"Turning off Java will not turn off JavaScript," he says.
http://www.nbcnews.com/technology/techn ... -1B8000547
60 beetle
78 bus

RSorak 71Westy
IAC Addict!
Location: Memphis, TN

Re: JAVA Attack

Post by RSorak 71Westy » Tue Jan 22, 2013 3:02 pm

They came out with a JAVA update a few days ago that was supposed to fix the problem. But then the next day the discoverers of the original flaw announced that it was just as broke as before.....so still be careful, till the next update comes out.
Take care,
Rick
Stock 1600 w/dual Solex 34's and header. mildly ported heads and EMPI elephant's feet. SVDA W/pertronix. 73 Thing has been sold. BTW I am a pro wrench have been fixing cars for living for over 30 yrs.

Amskeptic
IAC "Help Desk"

Re: JAVA Attack

Post by Amskeptic » Tue Jan 22, 2013 10:19 pm

RSorak 71Westy wrote: They came out with a JAVA update a few days ago that was supposed to fix the problem. But then the next day the discoverers of the original flaw announced that it was just as broke as before.....so still be careful, till the next update comes out.
I have had three blue screens of death in the past two days. Event 2003 Category 102
Colin
