
U.S. Government Tells Computer Users To Disable Java

Discussion in 'Off-Topic Discussion' started by CatfishRivers, Jan 12, 2013.

  1. CatfishRivers

    U.S. Government Tells Computer Users to Disable Java | TIME.com (click for full article)

    By Associated Press Jan. 12, 2013

    "(WASHINGTON) - The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.


    The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.


    Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.


    Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.


    Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software's creator, Sun Microsystems, in 2010.


    Oracle, which is based in Redwood Shores, Calif., had no immediate comment late Friday."
     
    Last edited: Jan 12, 2013
  2. CatfishRivers

    New malware exploiting Java 7 in Windows, Unix systems - CBS News (click for full article)

    By TOPHER KESSLER / CNET/ January 12, 2013, 6:52 PM

    "A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).


    The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:


    "Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."


    The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform. Additionally, the exploit is currently being distributed in the competing exploit kits "Blackhole" and "NuclearPack," making it far more convenient to criminal malware developers to use.


    Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime (release b19). Additionally, the U.S. Department of Defense has issued an advisory to disable Java on systems that have it installed.


    Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.


    The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.


    Since this threat is Java-based, it will only affect systems that have Java installed. Most platforms do not come with Java, but if you have installed it and do not need or regularly use it, you might consider removing it from your system. While Java is convenient for legitimate developers, its conveniences also help malware developers spread their harmful practices to multiple platforms."
     
    Last edited: Jan 12, 2013
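
The two Java Control Panel settings described in the article quoted above are persisted in the user's deployment.properties file. The following is an added example, not part of the original post or the quoted article, that audits such a file for both settings. The key names `deployment.webjava.enabled` and `deployment.security.level` are taken from Oracle's deployment configuration documentation rather than from this page, and the sample file contents are constructed.

```python
# Added example: audit a Java deployment.properties file for the two
# Control Panel settings the article recommends changing.
# Assumption: key names follow Oracle's deployment configuration docs.

LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates key from value.
        idx = next((i for i, ch in enumerate(line) if ch in "=:"), len(line))
        key, value = line[:idx].strip(), line[idx + 1:].strip()
        props[key] = value.replace("\\:", ":")  # undo escaped colons in values
    return props

def audit(text, min_level="HIGH", default_level="MEDIUM"):
    """Return a list of findings; an empty list means both settings are hardened."""
    props = parse_properties(text)
    findings = []
    # A missing key means the default applies, i.e. the plug-in is enabled.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("browser plug-in enabled")
    # The article gives Medium as the default level when none is set.
    level = props.get("deployment.security.level", default_level).upper()
    if LEVELS.get(level, 0) < LEVELS[min_level]:  # unknown values fail closed
        findings.append(f"security level {level} below {min_level}")
    return findings

# Constructed sample: settings left at the defaults the article describes.
WEAK = """# deployment.properties (constructed sample)
deployment.security.level=MEDIUM
"""

# Constructed sample: plug-in disabled and level raised.
HARDENED = """! deployment.properties (constructed sample)
deployment.webjava.enabled = false
deployment.security.level: VERY_HIGH
"""

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "ok")
```
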
  3. CatfishRivers

    Oracle releases emergency patch, but Java remains vulnerable | News | Geek.com (click for full article)

    Jan. 14, 2013 (3:27 pm) By: Matthew Humphries


    "Last week it was discovered that a new zero-day exploit existed in the latest version of Java (Java 7 Update 10) that left any computer running the browser plug-in susceptible to malware. The only fix at the time was to disable or uninstall Java.


    Oracle has since released an emergency patch over the weekend that fixes two vulnerabilities and defaults Java's security settings to "high." You can either download the patch or install it through an update using the Java Control Panel.


    The patch should close the zero-day hole, and with the security settings changed, users will now be warned when unsigned web apps attempt to run. You can still choose to run them, though.


    Even though Oracle reacted quickly, security experts are still urging users not to run Java on their machines unless completely necessary. Apparently there are still several critical security issues that haven't been fixed. Java is therefore by no means safe to run.


    As for how long it will take Oracle to patch those holes, security vendor Rapid7 believes anything up to 2 years is likely. In that time we could see further security issues appear in Java, meaning this seems to be a cycle that is set to continue.


    So the advice remains the same: don't allow Java to run on your PC unless you have a genuine need for it. If you want to disable or uninstall it, just follow our guide on how to disable Java on everything.


    via Reuters"
     
    Last edited: Jan 15, 2013
