Java 7 Zero-Day Security Hole


rakman


US-CERT (the United States Computer Emergency Readiness Team) is advising people to disable Java in their browsers.

Link: http://www.kb.cert.org/vuls/id/636312

Solution

We are currently unaware of a practical solution to this problem.

How to Disable Java

Disable the Java plug-in

Disabling the Java browser plugin may prevent a malicious webpage from exploiting this vulnerability.

  • Apple Safari: How to disable the Java web plug-in in Safari
  • Firefox: How to turn off Java applets
  • Microsoft Internet Explorer: Refer to the Java documentation for more details. In the Windows Control Panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "enabled" for any JRE version listed.
    Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:
    - Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example). If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.
    - Run javacpl.exe as administrator, click the "Advanced" tab, select "Microsoft Internet Explorer" in the "Default Java for browsers" section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.
  • Chrome: See the "Disable specific plug-ins" section of the Chrome documentation for how to disable Java in Chrome.

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts and access installed plugins will mitigate this vulnerability. See the NoScript FAQ for more information.

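The registry technique in the US-CERT note above lends itself to a script: walk every installed plug-in version under both hives, report the current UseJava2IExplorer value, and (only when asked) set it to 0. This is an added example, not code from US-CERT or from anyone in this thread. It assumes the key layout the note quotes (HKLM\SOFTWARE\JavaSoft\Java Plug-in\<version> plus the Wow6432Node mirror for a 32-bit JRE on 64-bit Windows); the -Disable switch and the output field names are my own. Writing to HKLM requires an elevated prompt.

```powershell
# Added example (not from the US-CERT note or this thread): audit, and
# optionally set, the UseJava2IExplorer value the note describes.
# Assumptions: key layout HKLM\SOFTWARE\JavaSoft\Java Plug-in\<version>
# and its Wow6432Node mirror, exactly as quoted; -Disable is hypothetical.
param([switch]$Disable)

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'   # 32-bit JRE on 64-bit Windows
)

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }

    # Each subkey under the root is one installed plug-in version, e.g. 10.6.2
    Get-ChildItem -Path $root | ForEach-Object {
        $key   = $_.PSPath
        $value = (Get-ItemProperty -Path $key -Name UseJava2IExplorer `
                    -ErrorAction SilentlyContinue).UseJava2IExplorer

        # Report before changing anything; a missing value is reported as unknown
        # rather than guessed, since the note only speaks about the value being 0
        [pscustomobject]@{
            Version           = $_.PSChildName
            Key               = $key
            UseJava2IExplorer = if ($null -eq $value) { '(value absent)' } else { $value }
            IEPluginDisabled  = if ($null -eq $value) { 'unknown' } else { $value -eq 0 }
        }

        # Only write when explicitly requested and the value is not already 0
        if ($Disable -and $value -ne 0) {
            Set-ItemProperty -Path $key -Name UseJava2IExplorer -Value 0 -Type DWord
            Write-Verbose "Set UseJava2IExplorer=0 under $key"
        }
    }
}
```

Run it without arguments first to see what is installed and what each version's value currently is; run it again with -Disable from an administrator prompt to apply the change. Because it iterates every version subkey, it also catches older JREs left behind by upgrades, which the per-version instruction in the note would otherwise require you to repeat by hand.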

I'm playing with it in VMware, nasty one.

You can say that again. The major exploit kits have already incorporated this bug, and with no response yet from Oracle, I've disabled Java and haven't (yet) run into websites which need it. So if you are not running any Java-specific apps, my advice would be to disable Java. (Instructions in Post #2.)

At the moment, Java 1.7.0 to 1.7.06 (cross-platform) is vulnerable to this 0-day exploit.

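To turn the range the post above gives (Java 1.7.0 to 1.7.06) into something you can check against an installed JRE, here is an added example that is not from the thread or from Oracle. It assumes that "1.7.06" is the poster's shorthand for the 1.7.0_06 form that `java -version` prints, so it treats 1.7.0 with update 0 through 6 as inside the range; a version string with no _NN suffix is counted as update 0. Function names are hypothetical.

```powershell
# Added example (not from the thread or from Oracle): flag a Java version
# that falls in the range the post names, 1.7.0 through 1.7.0 update 6.
# Assumption: "1.7.06" in the post means 1.7.0_06 as printed by `java -version`.
function Test-JavaAffected {
    param([Parameter(Mandatory)][string]$VersionString)

    # Accepts the full banner ('java version "1.7.0_06"') or a bare '1.7.0_06'
    if (-not ($VersionString -match '(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')) {
        throw "No Java version found in: $VersionString"
    }
    $major  = [int]$Matches[1]
    $minor  = [int]$Matches[2]
    $patch  = [int]$Matches[3]
    $update = if ($Matches[4]) { [int]$Matches[4] } else { 0 }   # no suffix = update 0

    return ($major -eq 1 -and $minor -eq 7 -and $patch -eq 0 -and $update -le 6)
}

# Ask the JRE on PATH for its version; `java -version` writes to stderr, hence 2>&1
function Test-InstalledJavaAffected {
    $java = Get-Command java -ErrorAction SilentlyContinue
    if (-not $java) {
        Write-Output 'No java on PATH'
        return $false
    }
    $banner   = (& $java.Source -version 2>&1 | Out-String)
    $affected = Test-JavaAffected -VersionString $banner
    Write-Output ("{0}`nIn the range the post lists as vulnerable: {1}" -f $banner.Trim(), $affected)
    return $affected
}

# Constructed sample strings, to show the decision without a JRE present
foreach ($s in 'java version "1.7.0_06"', 'java version "1.7.0"', 'java version "1.6.0_35"') {
    Write-Output ("{0,-28} -> affected: {1}" -f $s, (Test-JavaAffected $s))
}

Test-InstalledJavaAffected
```

Test-JavaAffected is kept separate from the command that shells out so the range logic can be checked on constructed strings; only the 1.7.0 line and the 1.7.0_06 line above come out True, the 1.6.0_35 line does not. Note this only tells you about the JRE that is first on PATH; a machine can have several installed, which is why the registry walk in the earlier post matters as well.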

^ If you need it, make sure you whitelist (allow) it only for the sites which you know are safe, and disable it for all other ones.

These pages can help

Anyone with Firefox look at NoScript Link: http://noscript.net/

Anyone with Chrome look at NotScripts Link: http://optimalcycling.com/other-projects/notscripts/

Anyone with IE look at:

http://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx


If you *need* Java, 6 is safer than 7 at the moment, wouldn't you agree?

The preferred option is to disable or remove it, obviously. But some of us do not have that luxury.

I would not agree that 6 is safer than 7. You need to stay current and disable when not on a trusted site. NoScript does a great job of helping do that.


Well whether you agree or not, I think you'll find all the current known exploits are being targeted at 7, not 6.35.

What's shocking is that Oracle have known about this since April and had already declared they would fix it in October. Only someone actually exploiting it has kicked their arse into doing something about it sooner (albeit poorly).

Edited by Chicog

I disabled Java in Chrome last week and have not noticed any issues with sites I regularly visit. I also have CometBird installed; that has Java enabled but NoScript installed, and if I have issues with any site in Chrome I try it in CometBird.


I have looked into this more, and it does seem that if you really need Java and don't want to disable it, then the best choice IS to use version 6 update 35, which can be found from Oracle here or here.

There is a good article on this here.

Of course, you could also use NoScript, or for Chrome use NotScripts.

Edited by Jayman

The latest is still version 7 update 7. Have you already updated to that version?

Could it be that it is a Microsoft Windows Update?

http://support.microsoft.com/kb/894199

You can check the latest software updates for your PC with, for example, the following programs:

http://secunia.com/p...s/consumer/psi/

http://www.patchmypc.net/

Edited by MJCM

Version 7 update 7 is the latest. It does not address all the security concerns.

Apple seems to be addressing some issues on their own.

Maybe M$ is doing the same.

Personally, I have disabled Java in Chrome and, even though I am a heavy user, I don't miss it at all.

I still have version 7 update 7 installed and enabled in CometBird (FF clone), but I run NoScript (I posted links above) to filter out much of the crap on the net.

See post 18 for links to more relevant info.
