#1 | wyb | 01-11-2013, 07:06 AM
Latest Java installation has serious zero-day vulnerabilities

FYI:

The current TWO releases of Java 7 - update 9 and 10 - have serious issues which are now being exploited - so much so that security professionals are suggesting disabling Java in your browser.

Google Search for News/Pages on the Vulnerability:
https://www.google.com/search?q=java...en-US:official

NetworkWorld.com Article on the vulnerability/exploits:
http://www.networkworld.com/news/201...ed-265723.html

Blog on the Problem:
http://www.compsecglobal.com/java-ze...-exploit-2013/

Quick "how-to" on manually checking that you have the latest Java (which is still vulnerable):
http://www.compsecglobal.com/updatin...he-manual-way/

(disclosure - the last two are our sites - if that crosses a line - please delete the links mods).
__________________
535i XDrive | Alpine White w/Black+Natural Leather Interior

It's ALL perspective - get some. No - I am NOT addressing YOU!

#2 | wyb | 01-11-2013, 08:03 AM
Reading more about this - I have instructions on how to disable Java from within the browser - the Oracle/Java official way to do this (and the recommended method) - is detailed here:


http://www.java.com/en/download/help...le_browser.xml

Although... and this is HUGE - I happen to have Java 7 Update 10 - but opening the CONTROL PANEL - reports Java 7 Update 1 in the "About" - I recommend UNINSTALLING Java 7 completely - and re-installing it - then disabling it in browsers (if you need it at all - otherwise - leave it uninstalled).
Last edited by wyb; 01-11-2013 at 08:05 AM. Reason: updated with personal experience - instructions don't work in all cases.

#3 | wyb | 01-11-2013, 08:20 AM
OK - got to the bottom of this - my system had Java 7 Update 10 (32-bit) and Java 7 Update 1 (64-bit) - if you have a similar situation - remove the 64-bit version and restart - as I am doing now...

#4 | wyb | 01-11-2013, 08:55 AM
Another update - removing the older J7U1-x64 did not show me the "Enable Java content in the browser" option which is supposed to be present in the Java Control Panel under "Security".

So...

I decided to completely remove Java and anything related - I uninstalled J7U1-x64 previously - now removing JavaFX 2.1.1 - and Java 7 U10-i586 (32-bit) - restarted the machine. Then downloaded the FULL installer of J7U10 - my Java control panel now shows the "enable Java content in the browser" option under the Security tab.

With an installation that had incrementally updated through releases the control panel did not show those options on my machine. What is the point of upgrading if not every piece of the software gets upgraded?!?

I recommend you remove Java entirely - restart - visit the Java download page - get the full installer:

http://www.java.com/en/download/manual.jsp


Then install and restart. Finally - open the control panel - and UNCHECK the "Enable Java content in the browser" option.

Here is what the Control panel - Security Tab *should* look like:

Last edited by wyb; 01-11-2013 at 09:01 AM.

#5 | wyb | 01-12-2013, 06:34 AM
another just FYI - more than one security professional I know are blaming Oracle for an incomplete and rushed patch to a previous vulnerability - this exploit is actually a combination of the old, not fully patched bug and another bug:

http://www.compsecglobal.com/java-ze...omplete-patch/

Oracle may well have rushed out that patch, done a half-baked job and we have a situation where Java 7 Update 9+10 are as insecure as they have EVER been...

#6 | wyb | 01-12-2013, 06:59 AM
OK - just to confirm - there is a lot of confusion about Java + JavaScript - most websites use tons of JavaScript to provide functionality - like Bimmerfest - the search etc.

Disabling Java in your browser using the Control panel - or manually disabling the Java Addons for each browser - should not seriously affect your browsing pleasure.

If you are REALLY concerned about JavaScript exploit (not this particular issue though) - you can use a browser plugin like "NoScript" - I have NoScript for Firefox - and I allow sites I trust to run JavaScript in my browser - the fest is allowed - however, I do NOT allow every site - mainly sites I don't know well - or advertising sites (as might be used on this site - like contextweb.com - not trusted).

To be honest - you have to be really committed to NoScript - because every time you hit a new site - you have to decide if you trust it enough to run scripts and then reload the page - it will slow you down for sure.

#7 | MatWiz | 01-12-2013, 08:33 AM
Quote:
Originally Posted by wyb
........
(disclosure - the last two are our sites - if that crosses a line - please delete the links mods).
Not at all. But using it as an excuse to ban you for a week is very tempting....


Just joking!
__________________
MatWiz
"Seeing is not believing. Believing is seeing." -Judy the Elf

#8 | MatWiz | 01-13-2013, 07:53 AM
http://gizmodo.com/5975475/how-to-di...n-your-browser

Quote:
How To Disable Java in Your Browser
Eric Limer

Java isn't good for your computer's health right now. It can mess it up pretty bad. Bad enough that the Department of Homeland Security is warning us all to turn it off. OK, but how do you do that? Fortunately, it's not that hard.

All the current Java exploits come from Java (not Javascript) running in your browser. And while you can get all the way down to the root of the problem by uninstalling Java on the whole, you can also just lock it down in all your browsers, or just the browsers you actually use. That way you can still have it around with Minecraft or whatever and still be safe. Here's a rundown:

Chrome
Type "chrome://plugins" into your address bar. This will bring up a new tab. Find the item on the list that reads just plain "Java" and click below it where it says "Disable" in blue. Restart your browser.

Safari
Choose "Safari" and then "Preferences" on the taskbar or hit control and comma simultaneously (⌘-,). Click "Security" on the top row of the new window. Uncheck the box that reads "Enable Java" if checked. Restart your browser.

Internet Explorer 8,9, and 10
Go to the "Tools" menu and select "Manage Add-ons." Go to the left of the window that pops up and in the drop-down box below the heading "Show:" select "All Add-ons." Scroll down the list on the right of the window until you find a subheading under the category "Group" that reads "Oracle America, Inc." Select each item and disable it with the "Disable" button in the bottom right-hand corner of the window. Restart your browser.

Firefox
Go to the "Tools" menu and select "Add-ons" or hit ctrl, shift, and the letter 'a' simultaneously. Select "Plug-ins" on the left-hand side of the new tab that shows up. Scroll the list on the right-hand side of the screen until you find an item that reads "Java (TM) Platform [somethingsomethingsomething]." Click the "Disable" button on the right. Restart your browser.

And there you go. If you really, really want to, you can uninstall Java entirely as well, though that's not necessary. You can find the official instructions for how to do so on OS X here, on Windows Vista, 7, and XP here, and on Linux (!) here.

Good luck out there. Stay safe.

#9 | wyb | 01-13-2013, 07:59 AM
Advice has changed - we and Brian Krebs are now saying - if you don't need Java - uninstall it.

If you have Java 6 and think you're safe - you might not be - reports are varied about whether 6 is affected - but Java 6 is end-of-life as of February 2013 - so it has to go anyway.

If you have a need for Java - consider a 2-browser approach - your everyday browser - turn Java off - for a site you absolutely MUST have Java - enable java for one browser and only visit that one site with the java-enabled browser.

Simply disabling or uninstalling java might work for some people - as Java isn't as prevalent as it once was. This might change the number of Oracle, who proudly claim 850+ million PCs and 3 BILLION devices run Java...

#10 | MatWiz | 01-13-2013, 08:49 AM
Quote:
Originally Posted by wyb
If you have a need for Java - consider a 2-browser approach - your everyday browser - turn Java off - for a site you absolutely MUST have Java - enable java for one browser and only visit that one site with the java-enabled browser.
I uninstalled Java just about an hour ago, and already noticed a few places that got screwed up without it. One is here, the editing buttons on the post message are not working (Bold, quote, etc). Second, my Google homepage is gone. Of course JDownloader doesn't work either, when I tried to save a Youtube video into my hard disk. Oh well.

BUT, I noticed in Chrome that you can enter Exceptions. Go to Settings, in the Search Settings window (not Control F) type "java", it points you to Privacy > Content Settings... Click it, in the new window "java"script is already highlighted. Click "do not allow any site to run Javascript" and then click "Exceptions Manager", there you can "add a hostname pattern" and select "Allow".

Your thoughts?

#11 | wyb | 01-13-2013, 09:12 AM
you are confusing javascript and java - don't disable javascript to get round this exploit - that's something completely different.

Read my blog from this morning - it is a summary of Q+As regarding this problem:

http://www.compsecglobal.com/java-wh...-need-to-know/

and yes - I based my blog on Brian's post - but gone are the days of copy/paste for blogging... for instance, these days all screenshots are done ourselves - we only re-use blogs from companies where we have permission - ie, our security suppliers, like ESET, Symantec, Kaspersky and Bitdefender give us permission to re-use their blogs "as-is" - we do that once in a while, but try to re-work them a little - putting our own "spin" or "opinion" or verbiage into them.
Last edited by wyb; 01-13-2013 at 09:18 AM.

#12 | MatWiz | 01-13-2013, 09:27 AM
"Don't disable javascript to get around the exploit".

I suspected you'd say that. That's why I asked. Oh well. Java is uninstalled anyway. I'll see how much I miss it.

#13 | wyb | 01-13-2013, 03:40 PM
Java updated - Oracle has released Java 7 Update 11 - despite many saying they would not do an out of band update, they HAVE released an update in response to this zero-day exploit.

http://www.java.com

I recommend updating if you haven't uninstalled - default settings for Java applets have been changed to HIGH SECURITY. It is a big change.
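
Added example, not part of any post in this thread: a short Python audit for the situation described in posts #3 and #4, where an old 64-bit Java 7 Update 1 sat beside the updated 32-bit runtime. The display-name format and the sample list are assumptions constructed for illustration; the Update 11 baseline is the fix reported in post #13.

```python
import re
from collections import defaultdict

# Constructed sample: display names as they might appear in Windows
# "Programs and Features" on a machine like the one in post #3.
SAMPLE_INSTALLED = [
    "Java 7 Update 10",
    "Java 7 Update 1 (64-bit)",
    "JavaFX 2.1.1",
    "Mozilla Firefox 18.0",
]

# Assumed display-name format: "Java <major> Update <n>" with an optional
# "(64-bit)" suffix; entries without the suffix are treated as 32-bit.
JAVA_RE = re.compile(r"^Java (\d+)(?: Update (\d+))?( \(64-bit\))?$")

# Minimum update per major version; 7 -> 11 is the fix reported in post #13.
MIN_UPDATE = {7: 11}


def parse_runtimes(names):
    """Return (major, update, arch, name) for every Java runtime entry."""
    found = []
    for name in names:
        m = JAVA_RE.match(name.strip())
        if m:
            arch = "64-bit" if m.group(3) else "32-bit"
            found.append((int(m.group(1)), int(m.group(2) or 0), arch, name))
    return found


def audit(names, min_update=MIN_UPDATE):
    """Flag runtimes below the patched update or behind a sibling install."""
    runtimes = parse_runtimes(names)
    newest = defaultdict(int)
    for major, update, _, _ in runtimes:
        newest[major] = max(newest[major], update)
    findings = []
    for major, update, arch, name in runtimes:
        if update < newest[major]:
            findings.append((name, f"stale: {arch} runtime is behind Update {newest[major]}"))
        if update < min_update.get(major, 0):
            findings.append((name, f"below patched Update {min_update[major]}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INSTALLED):
        print(f"{name}: {reason}")
```

Feed it the real list of installed program names from the machine being checked; any "stale" finding means an incremental update left an older runtime behind, as happened in post #3.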