Motley Moose – Archive

Homeland Security – Keep Java Disabled in Browsers Despite Java Update

Over the weekend Oracle, the company that distributes and maintains Java, released a patch to fix the Java vulnerability that was reported last week.  The update to Java is called “Java 7 (Update 11)”.  Oracle’s release statement for the update can be found here.

As of today, the Department of Homeland Security is still recommending that Java not be enabled in our browsers:

The U.S. Department of Homeland Security has reiterated its warning to Java users that the widely used Web plug-in still poses risks for Internet users, even after Oracle patched the software to prevent hackers from exploiting a zero-day vulnerability.

It comes as some security experts are warning that the new software — Java 7 (Update 11), which was released on Sunday — may not actually protect against hackers attempting to remotely execute code on user machines.

In a statement to CBS, a Java security expert at Security Explorations says:

Although Java 7 Update 11 released by Oracle yesterday addresses the 0-day attack spotted in the wild, there are still unpatched security vulnerabilities that affect the most recent version of the software. Just to mention the bug #50 we reported to Oracle on 25-Sep-2012.

The latest status on the Java issue from CERT can be found here.  It contains the warning:

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.

In my last diary on this subject, there were a lot of excellent suggestions relating to browsers and plug-ins which may help mitigate this kind of attack.  Firefox with the NoScript plugin and Chrome with the NotScript plugin were recommended.  Maybe the more technical among us can assist those with less technical knowledge in assessing which of these options may be best for them, and how to make sure they are browsing safely.

Regardless of which browser you use, your system is at risk on Windows, Mac, or Linux if the Java plug-in is enabled in that browser (or in an email client that supports a Java plug-in, such as Thunderbird).  Instructions on disabling Java can be found at this link.

Computer Security Warning: Java's Zero Day Vulnerability

I came across this tidbit reading the news today.  Sounds pretty scary, so I will rattle your cyber cages with it.

Pretty much every web browser in common use allows websites you visit to run programs written in Java.  Most of these programs provide dynamic content and such, but some are malicious.  Java contains a so-called zero-day vulnerability (one being exploited before a fix was available) that is apparently bad enough that Homeland Security recommends you disable Java in your web browser:

Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable Java in web browsers

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Please see the Java documentation for more details.

Note: Due to what appears to potentially be a bug in the Java installer, the Java Control Panel applet may be missing on some Windows systems. In such cases, the Java Control Panel applet may be launched by finding and executing javacpl.exe manually. This file is likely to be found in C:\Program Files\Java\jre7\bin or C:\Program Files (x86)\Java\jre7\bin.

Also note that we have encountered situations where Java will crash if it has been disabled in the web browser as described above and then subsequently re-enabled. Reinstalling Java appears to correct this situation.
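For anyone who wants to confirm that the control panel setting actually took effect, or to set it without the applet given the missing-applet bug described above, here is an added example script; it is not from the post, CERT or Oracle. It assumes that Java 7u10 and later store the "Enable Java content in the browser" checkbox as the key deployment.webjava.enabled in the per-user deployment.properties file, at the usual per-user paths for Windows, Mac and Linux.

```python
"""Check, and optionally turn off, Java content in browsers. Added example, not from the
original post. Assumes (Java 7u10+) the Java Control Panel checkbox "Enable Java content in
the browser" is stored as deployment.webjava.enabled in per-user deployment.properties."""
import sys
from pathlib import Path

KEY = "deployment.webjava.enabled"

def properties_path() -> Path:
    """Per-user deployment.properties location (assumed platform defaults)."""
    if sys.platform.startswith("win"):
        return Path.home() / "AppData/LocalLow/Sun/Java/Deployment/deployment.properties"
    if sys.platform == "darwin":
        return Path.home() / "Library/Application Support/Oracle/Java/Deployment/deployment.properties"
    return Path.home() / ".java/deployment/deployment.properties"

def split_entry(line: str):
    """Split a java.util.Properties line at the first unescaped '=' or ':'."""
    for i, ch in enumerate(line):
        if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
            return line[:i].strip(), line[i + 1:].strip()
    return line.strip(), ""

def parse_properties(text: str) -> dict:
    """Minimal parser: skips blank lines and '#'/'!' comments (no continuations)."""
    entries = [ln.strip() for ln in text.splitlines()]
    return dict(split_entry(ln) for ln in entries if ln and ln[0] not in "#!")

def web_java_enabled(text: str) -> bool:
    """Java's default is enabled, so only an explicit 'false' counts as off."""
    return parse_properties(text).get(KEY, "true").lower() != "false"

def disable_web_java(text: str) -> str:
    """Return the properties text with deployment.webjava.enabled forced to false."""
    lines = text.splitlines()
    hits = [i for i, ln in enumerate(lines) if split_entry(ln.strip())[0] == KEY]
    for i in hits:
        lines[i] = f"{KEY}=false"
    if not hits:
        lines.append(f"{KEY}=false")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":  # usage: python check_webjava.py [--disable]
    path = properties_path()
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    print(path, "web Java ENABLED" if web_java_enabled(text) else "web Java disabled")
    if "--disable" in sys.argv and web_java_enabled(text):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(disable_web_java(text), encoding="utf-8")
```

Browsers read this file when they load the plug-in, so restart the browser after changing it, and re-run the check after any Java update in case the installer rewrote the file.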

I found this info through a ZDNet article.

If you’re using Firefox on Windows, you can go to the Tools->Add-Ons menu.  I’ve disabled Java in the Extensions and Plug-Ins.  If you use IE, you’ll have to go to the control panel and disable it through the Java Control Panel there.

If somebody finds out that my follicles are aflame, I will delete this post and get back to laughing.

I’m gonna call out to JanF and Chris Blask, both of whom know more about this stuff than do I.