U.S. Department of Homeland Security warns computer users: Disable Java now

Hi all
didnt really know where to post this

this was just breaking on a site I frequent.. Dont really have alot of info..

But I do have java so should I diasable java ?

The U.S. Department of Homeland Security has warned computer users to disable or uninstall Java software.

Read more here: charlotteobserver.com

Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites

www.zdnet.com...

Right.

I think I'll keep it on thank you very much.

If DHS says something = do the opposite... you'll be safer.

There are exploits in everything, why is this one important?

reply to post by goou111


The exploit is in Java 7. Just run the latest build for Java 6 and disable the Java updater until it's solved.

does this mean the ATS Chat feature is at risk?

curious because i need java for certain things.

Nvm.....i see the post above this one.

reply to post by goou111


Hmm...Java is probably interfering with DHS's own illegal malicious intrusive identity theft programs already running on our computers...

The chat feature is probably AJAX. Which means Javascript and not Java.

Well, CERT doesn't normally go for hoaxes and rumors. They'd better fix this real quick. A lot of things depend on Java working. I'd read the material from ZD.net and then the CERT advisories themselves that link back from there before deciding to brush this aside though. Personally, I uninstalled Java for right now. It can go back on in a few seconds when this is all cleared up with a patch. Not worth it to me and most sites aren't dependent on it like it used to be anyway.

Well, the DHS wasn't the deciding factor, but ZDnet is have some respect for.
I did disable...and the instructions are here.
www.java.com...

I'm not sure what Java even does...or how often if is used on my PC.
I do know Amazon Cloud uses it to back up stuff.....

Originally posted by DontTreadOnMe
Well, the DHS wasn't the deciding factor, but ZDnet is have some respect for.
I did disable...and the instructions are here.
www.java.com...

I'm not sure what Java even does...or how often if is used on my PC.
I do know Amazon Cloud uses it to back up stuff.....

Correct me if I'm wrong bust isn't Java necessary for the chat function here on ATS??? I say this because I used to use the chat function until it required me to install Java...(which I have never liked)

reply to post by goou111


This what firewalls and anti virus software is for. Of course updating your virus definition library and performing an actual virus scan at least once a week is strongly recommended. There's no need to disable java.

reply to post by DontTreadOnMe

If you play games like Pogo (I'll hear about this tonight from my other half..lol) it's Java. It's what makes it do something as opposed to web pages that just show text/graphics. Of course there are better things than Java now but try telling that to a Pogo-addict. better......fix......soooooon!

Here is some of the specific CERT advisory text for help in seeing what makes this so serious:

By leveraging the a vulnerability in the Java Management Extensions (JMX) MBean components, unprivileged Java code can access restricted classes. By using that vulnerability in conjunction with a second vulnerability involving the Reflection API and the invokeWithArguments method of the MethodHandle class, an untrusted Java applet can escalate its privileges by calling the the setSecurityManager() function to allow full privileges, without requiring code signing. Oracle Java 7 update 10 and earlier are affected.

This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available.

Impact
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

Solution
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

CERT Advisory
0 Day exploits are called that because it's day 0 to a solution and generally only TAKES a day to find one. It's rare that something as undefended as 0 day suggests is a many on going day thing. I don't mean to make light because the article says this has been around long enough to be in script kiddie packages. Now that IS bad and why are we JUST hearing about it in a major way? That's disturbing.

Wow, coming form HOMELAND SECURITY (which now supervises FEMA NASA(!) & other agencies)?

Wonder if there's any confirmed cases of hacks thru this Java 'vulnerability'

and what else is vulnerable.

Will they eventually warn people to disable their Search Engine, and then claim too many people are losing their identity over the free internet, shut it down altogether and require a federally licensed connection to the next?

And what about on phones/tablets/phablets/tabloids??

reply to post by DontTreadOnMe


thamks for the link.. I just disabled mine.. better safe right?

Can anyone confirm to me if this has happend with previous versions of Java ?

I only ask, as back in early December/late November I remember reading something about a problem with Java, about it being compromised...Exploitable by hackers.

I removed Java from my puter at the time off the back of it.

At the time I was having a lot of problems with my puter in general, and was searching ways to rid the trojans, and came across it.

Is this a regular problem with Java?

reply to post by Swills


firewall/antivirus are ineffective in this case due to the fact that if you have Java enabled and authorized on your browser, your firewall wont see it as an intruder.

Whats the difference between Java & Javascript, and might both be prone to a security risk or only Java?

The Java instructions say this:

Starting with Java Version 7 Update 10, a new security feature has been added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel.

So given the latest versions, how does one disable Java?

Is it possible to delete Java completely to be on the sure side? Will certains things not work, like YT or videos?

reply to post by minnow


I'm pretty sure I just uninstalled it from my PC, whether I did right or wrong, I don't know????

CERT Releases Oracle Java 7 Security Advisory added Thursday, January 10, 2013 at 4:20 pm | updated Friday, January 11, 2013 at 4:42 pm The CERT Program has released Vulnerability Note VU#625617 to address a vulnerability in Oracle Java Runtime Environment (JRE) 7 and earlier that is currently being exploited in the wild. This vulnerability may allow an attacker to execute arbitrary code on vulnerable systems. US-CERT encourages users and administrators to review CERT Vulnerability Note VU#625617 and US-CERT Alert TA13-010A. Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers as described in the "Solution" section of the US-CERT Alert and in the Oracle Technical Note "Setting the Security Level of the Java Client."

www.us-cert.gov...

www.us-cert.gov...

docs.oracle.com...

...in case it helps.

reply to post by minnow


I play alot of online casinos and poker that I know use java,and those sites always want your cc and all your info.. so I guess I wont be doing that for a while...