Latest Java installation has serious zero-day vulnerabilities
FYI:
The current TWO releases of Java 7 - Update 9 and Update 10 - have serious issues which are now being exploited - so much so that security professionals are suggesting disabling Java in your browser.
Google Search for News/Pages on the Vulnerability: https://www.google.com/search?q=java...en-US:official
NetworkWorld.com Article on the vulnerability/exploits: http://www.networkworld.com/news/201...ed-265723.html
Blog on the Problem: http://www.compsecglobal.com/java-ze...-exploit-2013/
Quick "how-to" on manually checking that you have the latest Java (which is still vulnerable): http://www.compsecglobal.com/updatin...he-manual-way/
(disclosure - the last two are our sites - if that crosses a line - please delete the links, mods).
Reading more about this - I have instructions on how to disable Java from within the browser - the Oracle/Java official way to do this (and the recommended method) - is detailed here:
http://www.java.com/en/download/help...le_browser.xml
Although... and this is HUGE - I happen to have Java 7 Update 10 - but opening the CONTROL PANEL reports Java 7 Update 1 in the "About" - I recommend UNINSTALLING Java 7 completely - and re-installing it - then disabling it in browsers (if you need it at all - otherwise, leave it uninstalled).
OK - got to the bottom of this - my system had Java 7 Update 10 (32-bit) and Java 7 Update 1 (64-bit) - if you have a similar situation - remove the 64-bit version and restart - as I am doing now... :tsk:
Another update - removing the older J7U1-x64 did not show me the "Enable Java content in the browser" option which is supposed to be present in the Java Control Panel under "Security".
So... I decided to completely remove Java and anything related - I uninstalled J7U1-x64 previously - now removing JavaFX 2.1.1 and Java 7 U10-i586 (32-bit) - restarted the machine. Then downloaded the FULL installer of J7U10 - my Java Control Panel now shows the "Enable Java content in the browser" option under the Security tab. With an installation that had incrementally updated through releases, the Control Panel did not show that option on my machine. What is the point of upgrading if not every piece of the software gets upgraded?!?
I recommend you remove Java entirely - restart - visit the Java download page - get the full installer: http://www.java.com/en/download/manual.jsp
Then install and restart. Finally - open the Control Panel - and UNCHECK the "Enable Java content in the browser" option. Here is what the Control Panel - Security tab *should* look like: http://www.bimmerfest.com/forums/att...2&d=1357923612
Another just-FYI - more than one security professional I know is blaming Oracle for an incomplete and rushed patch to a previous vulnerability - this exploit is actually a combination of the old, not fully patched bug and another bug:
http://www.compsecglobal.com/java-ze...omplete-patch/
Oracle may well have rushed out that patch, done a half-baked job, and we have a situation where Java 7 Update 9+10 are as insecure as they have EVER been... :dunno:
OK - just to confirm - there is a lot of confusion about Java + JavaScript - most websites use tons of JavaScript to provide functionality - like Bimmerfest - the search etc.
Disabling Java in your browser using the Control Panel - or manually disabling the Java add-ons for each browser - should not seriously affect your browsing pleasure. If you are REALLY concerned about JavaScript exploits (not this particular issue though) - you can use a browser plugin like "NoScript" - I have NoScript for Firefox - and I allow sites I trust to run JavaScript in my browser - the fest is allowed - however, I do NOT allow every site - mainly sites I don't know well - or advertising sites (as might be used on this site - like contextweb.com - not trusted). To be honest - you have to be really committed to NoScript - because every time you hit a new site - you have to decide if you trust it enough to run scripts and then reload the page - it will slow you down for sure.
Just joking! :rofl:
http://gizmodo.com/5975475/how-to-di...n-your-browser
Advice has changed - we and Brian Krebs are now saying - if you don't need Java - uninstall it.
If you have Java 6 and think you're safe - you might not be - reports are varied about whether 6 is affected - but Java 6 is end-of-life as of February 2013 - so it has to go anyway. If you have a need for Java - consider a 2-browser approach - your everyday browser - turn Java off - for a site you absolutely MUST have Java - enable Java in one browser and only visit that one site with the Java-enabled browser. Simply disabling or uninstalling Java might work for some people - as Java isn't as prevalent as it once was. This might change the numbers for Oracle, who proudly claim 850+ million PCs and 3 BILLION devices run Java... ;)
BUT, I noticed in Chrome that you can enter Exceptions. Go to Settings, in the Search Settings window (not Ctrl+F) type "java", it points you to Privacy > Content Settings... Click it, in the new window "java"script is already highlighted. Click "Do not allow any site to run JavaScript" and then click "Exceptions Manager", there you can "add a hostname pattern" and select "Allow". Your thoughts?
You are confusing JavaScript and Java - don't disable JavaScript to get round this exploit - that's something completely different.
Read my blog from this morning - it is a summary of Q+As regarding this problem: http://www.compsecglobal.com/java-wh...-need-to-know/
And yes - I based my blog on Brian's post - but gone are the days of copy/paste for blogging... for instance, these days all screenshots are done ourselves - we only re-use blogs from companies where we have permission - i.e., our security suppliers, like ESET, Symantec, Kaspersky and Bitdefender give us permission to re-use their blogs "as-is" - we do that once in a while, but try to re-work them a little - putting our own "spin" or "opinion" or verbiage into them.
"Don't disable javascript to get around the exploit".
I suspected you'd say that. That's why I asked. Oh well. Java is uninstalled anyway. I'll see how much I miss it.
Java updated - Oracle has released Java 7 Update 11 - despite many saying they would not do an out of band update, they HAVE released an update in response to this zero-day exploit
http://www.java.com
I recommend updating if you haven't uninstalled - the default settings for Java applets have been changed to HIGH SECURITY. It is a big change.
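For anyone who wants to verify what the Control Panel actually wrote to disk rather than trust the checkbox, here is an added example (not from this thread or from Oracle) that inspects and hardens the per-user deployment.properties file. It assumes (not stated anywhere above) that the "Enable Java content in the browser" checkbox from the earlier post is persisted as `deployment.webjava.enabled`, that the Security tab slider (MEDIUM before 7u11, HIGH from 7u11) is persisted as `deployment.security.level`, and that the file lives under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\` on Windows. The sample file contents are constructed for the demo.

```python
"""Inspect and harden a Java 7 deployment.properties file.

Added example, not part of the original thread. Assumed (not confirmed by the
thread): the Control Panel's "Enable Java content in the browser" checkbox is
stored as deployment.webjava.enabled and the Security slider as
deployment.security.level, in the per-user deployment.properties file.
"""
import os

# Constructed sample: what an older, incrementally-updated 7u10 install might
# have left behind - web Java on, slider at the old MEDIUM default.
SAMPLE = """#deployment.properties
#Sat Jan 12 10:00:00 MST 2013
deployment.version=7.10
deployment.javaws.viewer.bounds=0,0,800,600
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""


def parse_properties(text):
    """Minimal .properties parser: key=value (or key:value) lines; '#'/'!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
    return props


def web_java_enabled(props):
    """Browser Java is on unless the key is explicitly 'false' (a missing key means enabled)."""
    return props.get("deployment.webjava.enabled", "true").lower() != "false"


def security_level(props):
    """A missing key means the build's own default (MEDIUM before 7u11, HIGH from 7u11)."""
    return props.get("deployment.security.level", "<default>")


def harden(text):
    """Return the file with browser Java off and the slider at VERY_HIGH.

    Comments and unrelated keys are preserved; keys that were absent are appended.
    VERY_HIGH is assumed to be an accepted value (it is the top slider position in 7u10+).
    """
    wanted = {"deployment.webjava.enabled": "false",
              "deployment.security.level": "VERY_HIGH"}
    out, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        key = line.partition("=")[0].strip() if line and line[0] not in "#!" else None
        if key in wanted:
            out.append(f"{key}={wanted[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, value in wanted.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def default_properties_path():
    """Per-user file location (Windows path is the assumption above; Unix JREs use ~/.java/deployment)."""
    if os.name == "nt":
        return os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                            "Sun", "Java", "Deployment", "deployment.properties")
    return os.path.expanduser("~/.java/deployment/deployment.properties")


if __name__ == "__main__":
    before = parse_properties(SAMPLE)
    print("before: web java enabled =", web_java_enabled(before), "level =", security_level(before))
    after = parse_properties(harden(SAMPLE))
    print("after:  web java enabled =", web_java_enabled(after), "level =", security_level(after))
    print("real file would be at:", default_properties_path())
```

Run it against the real file by replacing `SAMPLE` with the contents of `default_properties_path()`; the checkbox and the slider are only as good as what that file says, which is exactly the kind of mismatch the earlier post hit when the Control Panel and the installed version disagreed.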