August 28, 201213 yr This affects Windows and Macs with JRE 1.7 loaded. http://www.computerworld.com/s/article/9230656/Macs_at_risk_from_super_dangerous_Java_zero_day?source=CTWNLE_nlt_pm_2012-08-27 Another massive hole where it shouldn't be.
August 29, 201213 yr US-Cert (which is the United States Computer Emergency Readiness Team) is advising people to disable Java in their Browsers. Link: http://www.kb.cert.org/vuls/id/636312 SolutionWe are currently unaware of a practical solution to this problem. How to Disable Java Disable the Java plug-in Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability. Apple Safari: How to disable the Java web plug-in in Safari Firefox: How to turn off Java applets Microsoft Internet Explorer: Refer to the Java documentation for more details. In the Windows Control panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed.Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:- Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system. 10.6.2, for example.If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.- Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out. Chrome: See the "Disable specific plug-ins" section of the Chrome documentation for how to disable Java in Chrome. Use NoScript Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.
August 30, 201213 yr I'm playing with it in VMware, nasty one. You can say that again, the major exploit kits have already incorporated this bug, and with no response yet from Oracle, I've disabled Java and I haven't (yet) run into websites which need it. So if you are not running any Java Specific Apps my advice would be disable Java. (Instructions in Post #2). At the moment Java 1.7.0 to 1.7.06 (Cross Platform) are vulnerable to this 0-day exploit.
August 30, 201213 yr If you need Java, downgrade to 6 (or stay on it). Per CERT's notes, latest version is SE 6 Update 34. http://www.kb.cert.org/vuls/id/636312 Edited August 30, 201213 yr by Chicog
August 30, 201213 yr http://www.isjavaexploitable.com/ looks like I am in the clear with update 7 http://www.java.com/inc/BrowserRedirect1.jsp?locale=en
August 31, 201213 yr Don't think so.... Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company.
September 1, 201213 yr If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree? The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.
September 1, 201213 yr ^ If you need it, make sure you white list (allow) it only for the sites which you know are safe and for all other ones disable it. These pages can help Anyone with Firefox look at NoScript Link: http://noscript.net/ Anyone with Chrome look at NotScripts Link: http://optimalcycling.com/other-projects/notscripts/ Anyone with IE look at: http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx
September 2, 201213 yr If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree? The preferred option is to disable or remove it, obviously. But some of us do not have that luxury. I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that.
September 3, 201213 yr If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree? The preferred option is to disable or remove it, obviously. But some of us do not have that luxury. I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that. Well whether you agree or not, I think you'll find all the current known exploits are being targeted at 7, not 6.35. What's shocking is that Oracle have known about this since April and had already declared they would fix it in October. Only someone actually exploiting it has kicked their arse into doing something about it sooner (albeit poorly). Edited September 3, 201213 yr by Chicog
September 7, 201213 yr Java Still Not Safe, Security Experts Say Oracle needs to fix holes faster, say some security experts. Leave Java disabled for now, because Oracle's emergency patch is insufficient. http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876
September 8, 201213 yr I disabled my JAVA in chrome last week and have not noticed any issues with sites I regularly visit. I also have cometbird installed and that has java enabled but noscript installed and if I have issues with any site in chrome I try it in cometbird.
September 8, 201213 yr I have looked into this more and it does seem that if you really need java and don't want to disable it then the best choice IS to use version 6 update 35 which can be found from oracle here or here. There is a good article on this here. of course you could also use noscript or for chrome use NotScripts Edited September 8, 201213 yr by Jayman
September 8, 201213 yr Apple have released a patch for it and appear to be kicking it into touch. http://www.macworld.com/article/1168453/apple_plugs_java_hole_shifts_away_from_plugin.html Microsoft patches are due on Sept. 11th but I haven't read the technotes yet so I don't know if they are addressing the problem or not.
September 11, 201213 yr The latest is still version 7 update 7. Have you already updated to that version ??? Could it be that it is a Microsoft Windows Update ? http://support.microsoft.com/kb/894199 You can check the latest software updates for your PC with for example the following programs: http://secunia.com/p...s/consumer/psi/ http://www.patchmypc.net/ Edited September 11, 201213 yr by MJCM
September 11, 201213 yr ver 7 update 7 is the latest. It does not address all the security concerns. Apple seems to be addressing some issues on their own. Maybe M$ is doing the same. Personally, I have disabled java in chrome and even though I am a heavy user I don't miss it at all. I still have ver 7 update 7 installed and enabled in cometbird (FF clone) but I run noscript (I posted links above) to filter out much of the crap on the net. See post 18 for links to more relevant info.
Create an account or sign in to comment