Java again! (12 January 2013)

[jcat]

US Department of Homeland Security Calls On Computer Users To Disable Java

Concerns about the susceptibility of the Java programming language to cyberattacks culminated Thursday night, with a warning posted on the Department of Homeland Security’s Computer Emergency Readiness Team (US-Cert) calling on the public to temporarily disable Java on their personal computers....Mac owners who use Google Chrome can go to Chrome://plugins and verify that the Java plugin is disabled. If you use Safari, you can choose Safari>Preferences, click security and uncheck the box that says “enable Java.” If you use Firefox, you can choose Tools>Add-ons, search “My add-ons” and disable any Java plugin.

Windows users can find a good guide to turning off Java on KrebsonSecurity.com.

Java Under Attack Again, Disable Now
Experts urge PC users to disable Java, cite security flaw

 

[jcat]

This article, Jettisoning Java, has useful links:
How to disable the Java plugin in Firefox
How to disable the Java plugin in Chrome (Disable specific plugins)
How to disable the Java web plug-in in Safari

 

[catfella]

Thank you for the update. I just disabled Java in the browsers I use: Firefox and Safari.

 

[jazzythecat]

As a programmer that writes Java, I am shocked as this seems to happen almost once a month. Needless to say, Java has been disabled on Chrome, thanks for the info Tricia, I was out of the country for a week and was not able to check any security sites.

 

[jcat]

A patched version is supposed to come out this week. I've uninstalled Java completely from our computers and so far it hasn't caused any trouble, but we're not doing any programming. I can't see hyperlinks at one site if I'm using Chrome, but can using Firefox (19.0 beta).

 

[minka]

Eh, the people in the comments on the articles seem to think this is rubbish, so I'm not worried.

 

[mrblanche]

I got a "first day" Java exploit a while back.  They can be very nasty to get rid of, and this one looks like it's like that.  So far, there is not a removal method for the hack that is happening.  The only way to avoid it is to disable Java on your machine, if you have the newest update, which is version 7.

I know that I have been getting regular spam e-mails from one member on this forum (I told her about it a while back), so you guys might not be as protected as you think.
 

 

[jcat]

They're saying Java 7.10 and earlier. It's rare for governments to issue a software warning, so why not play it safe? The German government did it the last time there was a problem with Java, too, and a couple of other governments followed suit.
Oracle says Java update coming Tuesday

The company says it will release a patch that will fix 86 vulnerabilities in Java 7 on Tuesday.

The Department of Homeland Security last week said computer users should disable the program in web browsers because hackers were using a zero-day vulnerability to attack computer systems. Criminals were using the flaw to stealthily install malware on the computers of users who visit compromised websites.

The problem, which affects Oracle Java 7 update 10 and earlier, can allow an untrusted Java applet to escalate its privileges, without requiring code signing.

 

[c1atsite]

 I've uninstalled Java completely from our computers and so far it hasn't caused any trouble, but we're not doing any programming. I can't see hyperlinks at one site if I'm using Chrome, but can using Firefox (19.0 beta).

Thank you for protecting us. I prefer to access TCS on my phone for now til this blows over.

 

[whaler]

they released an update this afternoon. only took them four months to address their most recent mess.

i would still recommend uninstalling it altogether, there are less and less instances where it is needed. if for some reason you do still need it your best bet is disable it in your browser and use a different browser for the rare occasions that you do need it

they (oracle) really need to rewrite it from scratch. it has gotten so large and so many programmers have worked on it, it is clear that they have lost control of what is in it.

 

[jcat]

I think I'm going to leave it uninstalled unless I really run into problems without it. The New York Times has an article summarizing the recent security problems with Java. What guarantee is there that the patched or next version isn't just as buggy?

 

[minka]

Okay, I've been talking to my tech friends (radioshack employees, computer builders and IT tech) and they say there is no need to uninstall java from your computer.
My friend who ran his own business of fixing computers in people's homes and setting up servers and networks said he's never seen a virus use java against the user. Or exploit it. He said as long as you are smart about using the Internet, you will be fine.

 

[jazzythecat]

Okay, I've been talking to my tech friends (radioshack employees, computer builders and IT tech) and they say there is no need to uninstall java from your computer.
My friend who ran his own business of fixing computers in people's homes and setting up servers and networks said he's never seen a virus use java against the user. Or exploit it. He said as long as you are smart about using the Internet, you will be fine.

Are these people certified in any way that makes you believe them? I KNOW that Java can be used against the user and has been numerous times, drive-by downloads exist and trust me, these can be pretty bad, I've fixed many PC's that have been infected through drive-by downloads, some from Java, and as a result have had their passwords stolen and sometimes worse. Also, being safe on the internet HAS NOTHING to do with this, if you use some sort of anti-virus program or firewall that won't help until the virus has been patched by which time it's too late. Also, drive-by downloads can be put onto any website through some sort of SQL injection or other exploit to enable malicious users to put their programs onto sites.

Certifications are not the only things that matter, experience in the subject matters as well. I am A+, Network+, Security+, MCITP: Desktop Technician, MCompSc, MCSE, IC^3.. Well I could go on for quite some time on my qualifications.. Simply stated, I'm qualified to discuss, give answers to others and provide feedback.

 

[otto]

I disabled Java a few months back when the first problems were announced. I haven't noticed any difference without it.

 

[minka]

Are these people certified in any way that makes you believe them? I KNOW that Java can be used against the user and has been numerous times, drive-by downloads exist and trust me, these can be pretty bad, I've fixed many PC's that have been infected through drive-by downloads, some from Java, and as a result have had their passwords stolen and sometimes worse. Also, being safe on the internet HAS NOTHING to do with this, if you use some sort of anti-virus program or firewall that won't help until the virus has been patched by which time it's too late. Also, drive-by downloads can be put onto any website through some sort of SQL injection or other exploit to enable malicious users to put their programs onto sites.

Certifications are not the only things that matter, experience in the subject matters as well. I am A+, Network+, Security+, MCITP: Desktop Technician, MCompSc, MCSE, IC^3.. Well I could go on for quite some time on my qualifications.. Simply stated, I'm qualified to discuss, give answers to others and provide feedback.

My Radioshack friend is certified... well, through Radioshack and my friend who runs a computer repair/network repair-setup business went to school for that so... Yes, I believe them.

 

[otto]

Wish I had a friend like that. I don't know anybody that knows anything about computers. Anyone local that is.

 

[jazzythecat]

Are these people certified in any way that makes you believe them? I KNOW that Java can be used against the user and has been numerous times, drive-by downloads exist and trust me, these can be pretty bad, I've fixed many PC's that have been infected through drive-by downloads, some from Java, and as a result have had their passwords stolen and sometimes worse. Also, being safe on the internet HAS NOTHING to do with this, if you use some sort of anti-virus program or firewall that won't help until the virus has been patched by which time it's too late. Also, drive-by downloads can be put onto any website through some sort of SQL injection or other exploit to enable malicious users to put their programs onto sites.

Certifications are not the only things that matter, experience in the subject matters as well. I am A+, Network+, Security+, MCITP: Desktop Technician, MCompSc, MCSE, IC^3.. Well I could go on for quite some time on my qualifications.. Simply stated, I'm qualified to discuss, give answers to others and provide feedback.

My Radioshack friend is certified... well, through Radioshack and my friend who runs a computer repair/network repair-setup business went to school for that so... Yes, I believe them.

Sorry if I came across as rude in my post, that wasn't my intention. I just really dislike it when people without any sort of qualifications think they know better than experienced, qualified members of the IT community.

Once again, I apologise if I came across as rude in the above post.