from Experts urge PC users to disable Java, cite security flaw

...
"Moore said machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack."
...

http://www.reuters.com/article/2013/01/10/us-java-security-idUSBRE90919X20130110

??

there's an option to enable Java or not.. we'll see

What's the difference here?

"Zero day" just means that it's new, so there's no patch yet.

go to articles posted in August of 2012.

Is this new? If so, why are all the links going to old information?

This is the bit that's new: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/

B*gger. Our LMS (online course provider) requires Java to operate and the semester starts in a week and a half (and of course my classes are far from ready to launch).

Guess I need to actually start using NoScript in a serious way.

I have the flu. I do not want to deal with this right now.
*whinge, moan, complain*

Reveton has been around a while, and it's more of a pain in the ass than a real danger. Basically, it locks your computer up tight, prevents you from accessing your files, and pastes a nasty message on screen that prevents you from clicking or opening anything. The message usually carries some variant of a message claiming that your PC has child pornography, pirated files, or something like that on it. It tells you that you've been fined a small amount (usually a few hundred dollars), and that if you wire your "fine" to the FBI, they'll send you an unlock code to give you access to your computer again. Luckily, most newbie techs can remove it in about 30 minutes anyway.

It goes without saying that the money doesn't go to the FBI, and you'll never get that unlock code.

Reveton itself doesn't pull your data or invade your privacy, but simply tries to scam you out of money. Thing is, Reveton COULD easily do anything it wanted, as it ends up controlling your system. It doesn't do so simply because that's not the scam they're running. If they change the scam, or if another outfit uses the exploit for something else, the your personal privacy can go out the window in a heartbeat. That's why it's a danger.

By the way, what this article DOESN'T mention is that Reveton is primarily distributed through shady eastern European porn sites. They'll put up a "free gallery" site, link it into a western Gallery Post site (basically, sites where other porn sites advertise themselves to get traffic) and lure unsuspecting clickers in (a browser can't tell the difference between an American and Russian .com site). Someone comes in, looks at an image or two, and the virus installs itself and locks the computer down.

If you don't browse random free porn sites and don't click anonymous links in emails, the odds of you getting this virus are actually very low.

But damn, my ThinkPad has this on it.

I'm on my desktop now and it is ok however.

BUT, I'm screwed as I use the ThinkPad 99% of the time.

Ran SuperAntiSpyware, now got a virus check going, have cleared caches, etc.

ThinkPad is major messed up. Why? I don't know.

FYI if you're interested: a detailed analysis of this latest exploit:

http://joe4security.blogspot.com/
http://www.joesecurity.org/reports/report-237f8ffc0c24191c5bb7bd9099802ee4.html


This is actually 2 bugs in 1 (http://www.kb.cert.org/vuls/id/625617)
The miscreants found a way around the previous Oracle "patch" (October '12) of a bug reported in Aug '12:
http://www.kb.cert.org/vuls/id/636312#solution

Luckily, mine is disabled.

.... it does not discuss the implications of turning off Java, it acts like it is like turning off a toaster.

Does it mean that some of my programs will fail to run? which ones? Can I still use a browser to read email and surf DU?

I am reluctant to turn off my Java because I play many games on Pogo.com that require Java.

If you download and install the game's own software, and play the game by clicking on the resulting icon on your desktop, then I'm guessing you're safe (unless the game's developers are crooked or incompetent). I ask because I play such a game.

Alas, I'm only guessing here. I'd welcome clarification from someone who actually knows this area.

So DU does lose some of it's functionality.

You may not be able to see some videos, some sites will be skewed a bit, others will not allow you to make comments or use buttons. It just depends on the site. A lot of comment, news and blogging sites are full of java.

my virus/malware protections upgraded. I also know that I need Java. I am a computer truck driver. I know what a super charger is and does but I cannot tear one down. Compound that with dyslexia. I would rather contact Oracle and download a patch. Is this possible yet?

I wondered why I got an extra jelping of phishing junk mail today. Thanks and help.......

Until the security hole gets patched. It looks like you have to click on a malicious link before you can get affected.

I'm a java programmer and I've had java turned off in my browsers for years. I have never missed it. Couple that with the fact that nowdays when you try and update Java, Oracle tries to cram new toolbars and crapware onto your machine. No thank you.

It started with the fact that Java was annoying. A lot of web sites started using it for distracting animated ads (the same reason I use flashblock nowdays). I turned it off as an experiment and was delighted to discover I never missed it.

Seriously. Turn it off, don't worry about it. You won't miss it.

That's a WIN for declining short-term memory.

there a lot of stuff on sites that don't work without it. One good thing is that turning it off stops the hated quantserve hangs. Ad software use java applets and most info seeking pests.

I turn it on and off all the time... (Firefox)

which has a shred of credibility.

No links or attribution.

Sounds like Fox and a fear campaign!

post #8

My pc had been acting funny and even just shutting off with some pics and animation, and I tried all kinds of diagnostics but no answer. Reinstalling adobe didn't help, either, now I know why, and when I reinstalled windows it took 5 frickin' tries-kept shutting off right when it went from "preparing installion" to "installing".

Fortunately I can read DU from my phone, or I would have really been tearing my hair out.

Today I received an Adobe Reader Update notification prompting me to click on and install update 10.1.4. Does anyone know if this update in any way relates to the Java issue? Many thanks in advance for enlightening me.

Although a lot of people prefer the FREE Foxit Reader over Adobe because it's smaller, faster and a LOT less intrusive

http://download.cnet.com/Foxit-Reader/3000-10743_4-10313206.html

http://www.pcmag.com/article2/0,2817,2401826,00.asp

http://www.pcworld.com/article/256310/use_foxit_reader_to_fill_out_pdf_forms.html

And my Linux default opens pdf via Document reader.
So I am able to by pass Adobe most of the time.

I'm in the habit of not using pop-up windows to update anything. My preference require a prompt for some updates, but I go to the domains directly when I do it manually.

As it turned out, your exact thought had occurred to me on my own, almost immediately after I clicked on the "Adobe" pop-up window. So very soon afterwards, I went and used the "revert computer back to an earlier time" function and back tracked by one day. Immediately after I did that, the Adobe update icon appeared again in my bottom tray. So I am guessing that my reversal was a success.

You'd think I would have learned by now. All of a sudden I remembered back to a while ago when I began receiving a ton of pop up windows from Yahoo (whose mail service I use) telling me to click on their pop-up to download the latest "update" from Firefox. At that time, it occurred to me to ask myself, "Why is Yahoo repeatedly sending me pop-ups to download an improvement for the software of someone else?" So I went right to the Firefox site and verified that I was already running the latest version of their software.

My conclusion was that Yahoo was trying to fool me into downloading something that would permit them to cram more of their frigging advertising down my throat.

From now on, I will never download a software update again, unless it comes directly from the internet site of the owner of that software.

I can choose to enable the pop up if I really need it, rarely have to tho.

Published On :Fri, Jan 11,2013


http://www.ciol.com/ciol/news/157842/experts-advice-disabling-java-browser-plugin

the display of the reply post title list when you click the "Replies to me" numbers in My Posts. I haven't found anything else that doesn't work, yet, after disabling it in Chrome.

Took me a minute to understand what was happening, as I have dialup and there are lots of times I try to respond to things, but can't because it has slowed everything online to a crawl.

This time I remembered, turned the java back on and immediately could accept the jury summons.

They're different.
DU uses javascript, but I don't think it uses Java at all.

After reading another post, I enabled my javascript again.

Then I checked at Java.com and there was no Java found. I am computer illiterate, fact. But now I sort of know a little bit of something that I didn't know before, so it's all good

(Reuters) - The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.

Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.

"We are currently unaware of a practical solution to this problem," the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," the agency said. "To defend against this and future Java vulnerabilities, disable Java in Web browsers."

http://www.reuters.com/article/2013/01/11/us-java-security-idUSBRE90A0S320130111

i use forefox. can i just enable/disable when needed?

There is a plugins sections of the addons page which lets you enable/disable java...

"Edit" > "preferences"> " content" where you will find an "enable Java Script" box to uncheck.
fast and easy to re-check it for things you really need.

I have it off almost all the time.

two different things.

sorry.....

I run Firefox and checked my add-ons tab. When I clicked on plug-ins, I found out that Firefox blocked Java until a fix is available because it's vulnerable. I have to play Pogo on IE9--the only time I'm using IE.

For the last month, whenever I click on (most) pages to read something while using Firefox, I get a drop down box that says "Java script error" and something about syntax, with an "ok" button to click.

I have to click this button, sometimes six times in a row, to unfreeze Firefox. I can't make this stop happening.

As a result, I'm using Chrome more and more.

Does this happen to anyone else?

I'm seeing a lot of comments about lost functionality here that sounds like people are disabling Javascript. In spite of the similar names, they two are NOT the same technology. More importantly, if you turn off Javascript, or simply disable scripting, it will NOT disable Java, which means that your computer will still be vulnerable to the virus.

Also, everyone should be aware that many modern antivirus applications are ALREADY blocking this exploit. I'm running the latest TrendMicro patch, which already has protections in place for this virus. If you have antivirus software in place, I would suggest that you check their site and update it FIRST. You may only need to get a definitions update to protect yourself.

If not, here's how you block the virus on Windows....

IE9: Gear Icon > Internet Options > Programs > Mange AddOns. Click on the Java Helper from Sun Microsystems, and click the Disable button.

Chrome: No need to disable anything. Chrome disables Java by default. Whenever a page wants to use it, Chrome will ask you whether you want to permit it. Just say NO until this problem is patched.

Firefox: Firefox > Add Ons. Click the Plugins tab. Find the Java Platform plugin, and click the Disable button.

Mac Users: Yes, you're vulnerable. The exploit is currently only being used to distribute the Reveton virus to PC's, but they could potentially release a virus for the Mac at any time. Unless you need Java for something, there's no reason to leave your computer exposed. Firefox and Chrome instructions are the same as the PC.

To disable Java on Safari, click Safari > Preferences. Click the Security button, and uncheck the Enable Java checkbox.

not sure how f'd up I am yet from this damned thing!

I think I got "it".

Have disabled Java running SuperAntispyware.

Laptop was trying to run a wireless connection but I have a DSL connection.

OH WHAT A MESS!!!!!

Updated Firefox ... Fu ... KKKKKKK!!!!

I disabled my Java crap a long time ago but will certainly pass the word!

Source: Reuters