Java 7 Zero-Day Security Hole

[rakman]

This affects Windows and Macs with JRE 1.7 loaded.

http://www.computerworld.com/s/article/9230656/Macs_at_risk_from_super_dangerous_Java_zero_day?source=CTWNLE_nlt_pm_2012-08-27

Another massive hole where it shouldn't be.

[MJCM]

US-Cert (which is the United States Computer Emergency Readiness Team) is advising people to disable Java in their Browsers.

Link: http://www.kb.cert.org/vuls/id/636312

Solution

We are currently unaware of a practical solution to this problem.

How to Disable Java

Disable the Java plug-in

Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability.

• Apple Safari: How to disable the Java web plug-in in Safari
  
• Firefox: How to turn off Java applets
  
• Microsoft Internet Explorer: Refer to the Java documentation for more details. In the Windows Control panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed.
  Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
  - Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system. 10.6.2, for example.
  If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.
  - Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
  
• Chrome: See the "Disable specific plug-ins" section of the Chrome documentation for how to disable Java in Chrome.
  

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.

[supashot]

I'm playing with it in VMware, nasty one.

[MJCM]

I'm playing with it in VMware, nasty one.

You can say that again, the major exploit kits have already incorporated this bug, and with no response yet from Oracle, I've disabled Java and I haven't (yet) run into websites which need it. So if you are not running any Java Specific Apps my advice would be disable Java. (Instructions in Post #2).

At the moment Java 1.7.0 to 1.7.06 (Cross Platform) are vulnerable to this 0-day exploit.

[Chicog]

If you need Java, downgrade to 6 (or stay on it).

Per CERT's notes, latest version is SE 6 Update 34.

http://www.kb.cert.org/vuls/id/636312

Edited August 30, 2012 by Chicog

[Jayman]

hasn't update 7 fixed this?

[Jayman]

http://www.isjavaexploitable.com/

looks like I am in the clear with update 7

http://www.java.com/inc/BrowserRedirect1.jsp?locale=en

[Chicog]

Don't think so....

Researchers from Polish firm Security Explorations – the ones who were the first to report the vulnerabilities which led to the now-infamous Java zero-day – have just reported another similar bug to Oracle. This means that Java users are still exposed, even if they’ve applied the patch released by the company.

[MJCM]

http://www.thaivisa....d/#entry5623468 Edited September 1, 2012 by MJCM

[Chicog]

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

[MJCM]

^ If you need it, make sure you white list (allow) it only for the sites which you know are safe and for all other ones disable it.

These pages can help

Anyone with Firefox look at NoScript Link: http://noscript.net/

Anyone with Chrome look at NotScripts Link: http://optimalcycling.com/other-projects/notscripts/

Anyone with IE look at:

http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx

[Chicog]

Yes we're big on trusted sites as we use the XSS filter as well.

[Jayman]

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that.

[Chicog]

If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. noscript does a great job of helping do that.

Well whether you agree or not, I think you'll find all the current known exploits are being targeted at 7, not 6.35.

What's shocking is that Oracle have known about this since April and had already declared they would fix it in October. Only someone actually exploiting it has kicked their arse into doing something about it sooner (albeit poorly).

Edited September 3, 2012 by Chicog

[MJCM]

Java Still Not Safe, Security Experts Say

Oracle needs to fix holes faster, say some security experts. Leave Java disabled for now, because Oracle's emergency patch is insufficient.

http://www.informationweek.com/security/attacks/java-still-not-safe-security-experts-say/240006876

[bangkokburning]

BUMP

Important

[Jayman]

I disabled my JAVA in chrome last week and have not noticed any issues with sites I regularly visit. I also have cometbird installed and that has java enabled but noscript installed and if I have issues with any site in chrome I try it in cometbird.

[Jayman]

I have looked into this more and it does seem that if you really need java and don't want to disable it then the best choice IS to use version 6 update 35 which can be found from oracle here or here.

There is a good article on this here.

of course you could also use noscript or for chrome use NotScripts

Edited September 8, 2012 by Jayman

[Chicog]

Apple have released a patch for it and appear to be kicking it into touch.

http://www.macworld.com/article/1168453/apple_plugs_java_hole_shifts_away_from_plugin.html

Microsoft patches are due on Sept. 11th but I haven't read the technotes yet so I don't know if they are addressing the problem or not.

[bangkokburning]

Any news IT peoples? I just rec'd a Java balloon for an update.

[MJCM]

The latest is still version 7 update 7. Have you already updated to that version ???

Could it be that it is a Microsoft Windows Update ?

http://support.microsoft.com/kb/894199

You can check the latest software updates for your PC with for example the following programs:

http://secunia.com/p...s/consumer/psi/

http://www.patchmypc.net/

Edited September 11, 2012 by MJCM

[Jayman]

ver 7 update 7 is the latest. It does not address all the security concerns.

Apple seems to be addressing some issues on their own.

Maybe M$ is doing the same.

Personally, I have disabled java in chrome and even though I am a heavy user I don't miss it at all.

I still have ver 7 update 7 installed and enabled in cometbird (FF clone) but I run noscript (I posted links above) to filter out much of the crap on the net.

See post 18 for links to more relevant info.