Thailand News and Discussion Forum | ASEANNOW

Java 7 Zero-Day Security Hole

US-CERT (which is the United States Computer Emergency Readiness Team) is advising people to disable Java in their browsers.

Link: http://www.kb.cert.org/vuls/id/636312

Solution

We are currently unaware of a practical solution to this problem.

How to Disable Java

Disable the Java plug-in

Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability.

  • Apple Safari: How to disable the Java web plug-in in Safari
  • Firefox: How to turn off Java applets
  • Microsoft Internet Explorer: Refer to the Java documentation for more details. In the Windows Control panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed.
    Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
    - Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system. 10.6.2, for example.
    If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.
    - Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
  • Chrome: See the "Disable specific plug-ins" section of the Chrome documentation for how to disable Java in Chrome.

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.
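
The registry technique from the advisory text above, as an added example (not part of the original post or the CERT advisory): a PowerShell script that reports UseJava2IExplorer for every Java Plug-in version under both keys and, with the hypothetical -Disable switch, sets existing values to 0. It assumes an elevated 64-bit PowerShell session and that the value is stored as a DWORD.

```powershell
# Added example: audit, and optionally set, UseJava2IExplorer for each
# installed Java Plug-in version (native and Wow6432Node registry views).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # hypothetical switch: without it the script only reports
)

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

foreach ($root in $roots) {
    # A root is absent when no Java of that bitness is installed.
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root) {
        # One subkey per <version>; read the value if it exists.
        $prop = Get-ItemProperty -LiteralPath $key.PSPath -Name UseJava2IExplorer `
                    -ErrorAction SilentlyContinue
        $current = if ($prop) { $prop.UseJava2IExplorer } else { $null }

        # Only change values that already exist and are not yet 0.
        if ($Disable -and $null -ne $current -and $current -ne 0) {
            if ($PSCmdlet.ShouldProcess($key.Name, 'Set UseJava2IExplorer to 0')) {
                # Assumption: the value type is DWORD.
                Set-ItemProperty -LiteralPath $key.PSPath -Name UseJava2IExplorer `
                    -Value 0 -Type DWord
                $current = 0
            }
        }

        $state = if ($null -eq $current) { 'value not set' }
                 elseif ($current -eq 0) { 'disabled for IE' }
                 else                    { 'enabled for IE' }

        [pscustomobject]@{
            Version           = $key.PSChildName
            Key               = $key.Name
            UseJava2IExplorer = $current
            State             = $state
        }
    }
}
```

Running it with -Disable -WhatIf lists the keys that would be changed without writing to the registry.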

I'm playing with it in VMware, nasty one.

You can say that again, the major exploit kits have already incorporated this bug, and with no response yet from Oracle, I've disabled Java and I haven't (yet) run into websites which need it. So if you are not running any Java-specific apps, my advice would be to disable Java. (Instructions in Post #2).

At the moment Java 1.7.0 to 1.7.06 (Cross Platform) are vulnerable to this 0-day exploit.

Hasn't update 7 fixed this?

Don't think so....

Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company.

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

^ If you need it, make sure you white list (allow) it only for the sites which you know are safe and for all other ones disable it.

These pages can help

Anyone with Firefox look at NoScript Link: http://noscript.net/

Anyone with Chrome look at NotScripts Link: http://optimalcycling.com/other-projects/notscripts/

Anyone with IE look at:

http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx

Yes we're big on trusted sites as we use the XSS filter as well.

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that.

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that.

Well whether you agree or not, I think you'll find all the current known exploits are being targeted at 7, not 6.35.

What's shocking is that Oracle have known about this since April and had already declared they would fix it in October. Only someone actually exploiting it has kicked their arse into doing something about it sooner (albeit poorly).

I disabled my Java in Chrome last week and have not noticed any issues with sites I regularly visit. I also have CometBird installed and that has Java enabled but NoScript installed, and if I have issues with any site in Chrome I try it in CometBird.

I have looked into this more and it does seem that if you really need Java and don't want to disable it then the best choice IS to use version 6 update 35, which can be found from Oracle here or here.

There is a good article on this here.

Of course you could also use NoScript, or for Chrome use NotScripts.

Ver 7 update 7 is the latest. It does not address all the security concerns.

Apple seems to be addressing some issues on their own.

Maybe M$ is doing the same.

Personally, I have disabled Java in Chrome and even though I am a heavy user I don't miss it at all.

I still have ver 7 update 7 installed and enabled in CometBird (FF clone) but I run NoScript (I posted links above) to filter out much of the crap on the net.

See post 18 for links to more relevant info.
