Disable Java? think about it.

Messages 1 - 54 of total 54 in this topic
zBrown

Ice climber
chingadero de chula vista
Topic Author's Original Post - Jan 11, 2013 - 07:20pm PT
US government tells computer users to disable Java


http://xfinity.comcast.net/articles/news-general/20130112/US.Java.Warning/
nature

climber
Boulder, CO
Jan 11, 2013 - 07:23pm PT
didn't they also tell us to stalk up on duct tape and water for y2k?


edit: i typed 'stalk'... leaving it!
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 11, 2013 - 07:27pm PT
the present generation under the age 25 is holy and wise

The user formerly known as stzzo

climber
Sneaking up behind you
Jan 11, 2013 - 10:52pm PT
Yep...

It's sound advice.
mechrist

Gym climber
South of Heaven
Jan 11, 2013 - 10:57pm PT
THEY CAN HAVE MY COFFEE WHEN THEY PRY IT FROM MY COLD DEAD HANDS!
Jim Brennan

Trad climber
Vancouver Canada
Jan 11, 2013 - 11:22pm PT
My whole on line life was hacked and flashed before my eyes.



I fell asleep...
mouse from merced

Trad climber
The finger of fate, my friends, is fickle.
Jan 11, 2013 - 11:24pm PT
Brazil nuts, commonly referred to as nigger toes, walked out of talks today with Djakarta's top coffee experts and exporters in a protest against renaming the popular beverage.

Many coffee drinkers call their cup of joe "Java." There is a movement afoot to get as many people as possible to call the drink not "Java" but "Brazil," since it is a staple of the Brazilian economy, even moreso than that of Indonesia, or Malaysia, or whatever they call the place.

Brazil nuts have often sided with non-coffee interests in the past, and they are referred to in the coffee trade as Joe Toes or Ho Joes, thought to be a double entendre aimed at the popular chain restaurant, Howard Johnson's, which serves Brazilians as well as Indonesians. It's law.

My brain is sore now. Can I go to bed? I don't want to have to explain that again.
froodish

Social climber
Portland, Oregon
Jan 12, 2013 - 12:08pm PT
Almost all of the recent bad browser exploits have used either Flash, Java or PDF. Disabling all those in your browser is prudent IMO.
TwistedCrank

climber
Dingleberry Gulch, Ideeho
Jan 12, 2013 - 12:56pm PT
Let's hope this sounds the death knell for Oracle. That would be funny as all get out.



OK Wishful thinking, but whatever.
Wade Icey

Trad climber
www.alohashirtrescue.com
Jan 12, 2013 - 01:19pm PT
I don't drink coffee, so, no.
Dave Kos

Trad climber
Temecula
Jan 12, 2013 - 01:39pm PT
Let's hope this sounds the death knell for Oracle.

Might take a little more than some bad press about Java in browsers.

Or is this about coffee?
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 12, 2013 - 01:47pm PT
^Yeah I don't think Oracle will die soon

Oracle continues to be steady in terms of selling new database and middleware licenses and cloud-service subscriptions, which rose 5 percent over 2011. Conversely, Oracle is still struggling in its hardware division, which makes servers, storage, switches, and other items. Total hardware revenue dipped 19 percent from a year ago.


http://www.eweek.com/c/a/Database/Oracle-Profits-Up-But-Revenues-Slip-128028/
Reilly

Mountain climber
The Other Monrovia- CA
Jan 12, 2013 - 02:00pm PT
Let me get this straight, the person who checks my bung hole at the airport
is also telling me what's gud for my 'puter? Damn! The guvmint is really
getting cost effective!
jstan

climber
Jan 12, 2013 - 02:13pm PT
My browser is too old to allow me to access the government link above. I would disable Java if I
could find the application allowing it. I have started to encounter more Java script icons on my
desktop and the computer's performance has gotten more and more unreliable. It could be caused
by changes in software generation being used out there, or it could be a symptom of something else.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 12, 2013 - 02:19pm PT
If anyone is interested.

http://www.podfeet.com/wordpress/tutorials/how-to-disable-java-in-chrome/

http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

http://www.designntrend.com/articles/3110/20130112/how-to-disable-java-step-by-step-tutorial-protect-yourself-hackers-using-java-photos.htm
froodish

Social climber
Portland, Oregon
Jan 12, 2013 - 06:44pm PT
John,

Java != JavaScript

Despite the similar names they are not related. Java in the browser is implemented as a plugin and I doubt you'll miss it if you disable it.

khanom

Trad climber
Greeley Hill
Jan 12, 2013 - 07:04pm PT
This kind of sh1t is highlarious.



Disable ur computer! Only way you're gonna be "safe".
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 12, 2013 - 07:04pm PT
My browser is too old to allow me to access the government link above. I would disable Java if I
could find the application allowing it. I have started to encounter more Java script icons on my
desktop and the computer's performance has gotten more and more unreliable. It could be caused
by changes in software generation being used out there, or it could be a symptom of something else.

Your computer's performance degradation is very likely not related to javascript icons on the desktop.

There are lots of things you can do to "clean out" an old computer and speed it up a bit.
ec

climber
ca
Jan 12, 2013 - 09:24pm PT
Say, "NO!" to Decaf!!
froodish

Social climber
Portland, Oregon
Jan 12, 2013 - 10:04pm PT
This kind of sh1t is highlarious.


Disable ur computer! Only way you're gonna be "safe".

Well, I for one in computing (and climbing) usually pay attention to the odds. Given that almost all the recent browser exploits have been due to shoddy programming in the Flash, Java and PDF browser plugins (and there's one about every month), I choose to disable those. Not sure why that's "highlarious", seems like the smart thing to do IMO.

khanom

Trad climber
Greeley Hill
Jan 12, 2013 - 10:34pm PT
IOW, carefully triple lock your back door while leaving the front door wide open.
NoTokeRedKneck

climber
Jan 12, 2013 - 11:17pm PT
What does the language matter when fractions of a cent
have been redirected from a bank's customers to a programmer's account?
Of course they were finally caught and I think it was before java and
gettree();.
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 13, 2013 - 12:35am PT
What does the language matter when fractions of a cent
have been redirected from a bank's customers to a programmer's account?
Of course they were finally caught and I think it was before java and
gettree();.

What does this have to do with java vulnerabilities?
NoTokeRedKneck

climber
Jan 13, 2013 - 07:20am PT
The first article link seems to be committing a fallacy commonly known
as missing the point. What is the vulnerability to begin with?

java works with floating point numbers though random access using
seek() maybe used for monetary changes incrementing int"s" instead
of floats. I'm not certain exactly how the programmer took fractions
of a cent code wise as I did not see the code nor was I paid to write
a simulation to figure it out, but 1000's if not millions of customers
were losing about a 1/4 of cent off each automated transaction. This
was discussed in a C++ class in college and I don't think java was used
though it could certainly do the same. However it was criminal coding not a
language error. Something to think about, in the 70's under US law it
was ruled wages may not be waged electronically.
TwistedCrank

climber
Dingleberry Gulch, Ideeho
Jan 13, 2013 - 07:35am PT
Java programmers make big bucks. Especially if it's bolted to Oracle.

Somebody's making out, and it's not the consumer.

I was at Hidden Valley and Larry Ellison was there, and he got all bitchy when I urinated on his campfire. I told him to take a chill pill.
NoTokeRedKneck

climber
Jan 13, 2013 - 07:01pm PT
What do they do? Other than applets which can be shut off in browsers
I haven't seen yet that java controls operating systems. Fedora/Red Hat
looks to have transitioned from C at level 3 computer architecture to
Python. The last Sun system I installed almost 10 years ago I think
was still GUI controlled with C?
Malemute

Ice climber
the ghost
Jan 13, 2013 - 08:34pm PT
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 13, 2013 - 10:21pm PT
The first article link seems to be committing a fallacy commonly known
as missing the point. What is the vulnerability to begin with?

This is a fallacy commonly known as being uninformed.
TrundleBum

Trad climber
Las Vegas
Jan 13, 2013 - 10:39pm PT

Well you've got to be careful how you get 'tubed'

it's not true:
"only a surfer knows the feeling"

http://www.youtube.com/watch?v=f99PcP0aFNE
Shack

Big Wall climber
Reno NV
Jan 13, 2013 - 11:27pm PT
The vulnerability allows serious access to your computer...
and all the experts are still scratching their heads apparently not sure what to do.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/?s_cid=e589
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 06:41am PT
They think they do


http://www.foxnews.com/tech/2013/01/14/java-flaw-homeland-security-warning-fixed/

http://java.com/en/download/java_update.jsp

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, told Reuters that the update leaves unfixed several other, notable security issues

Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 08:06am PT
I would like some straight up honest advice from a non-paranoid. Is there
really anything to this? I have to have Java on my machine so the wife can
access her work system from home, otherwise she never comes home. I thought
I saw on WindowsBBS that Oracle had fixed it.
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 08:33am PT
Agreed Reilly. I have a homework software that comes with a stats text that my students use (I clearly have to get into it). It seems it's java based.

Thoughts for the person who doesn't speak computer language? What to do?
squishy

Mountain climber
Jan 14, 2013 - 09:23am PT
Let's hope this sounds the death knell for Oracle.

Why would we hope for that?

Besides Oracle's business is hardly java, it's many things. We gave them 25 mil this year to upgrade all our hardware and software, it's some pretty nifty stuff..
khanom

Trad climber
Greeley Hill
Jan 14, 2013 - 09:28am PT
Read this practical advice:

http://www.zdnet.com/zero-day-paranoia-and-the-reality-of-modern-web-browsing-7000009726/
kunlun_shan

Mountain climber
SF, CA
Jan 14, 2013 - 09:40am PT
Interesting article, khanom. Thanks!

Reilly, I don't know how technically savvy you are, or how much trouble/work you are willing to do, but Virtualbox could be a good fix. It's free and fairly easy to implement. I've found this guide straightforward, and it walks you through enough that by the end, you'd have a good understanding of this flavor of VM: http://www.packtpub.com/virtualbox-3-1-beginners-guide/book . On the machine you use now, set up one VM with what your wife needs, and another for browsing the web.

Plus it's very cool and fun to be able to run the equivalent of multiple computers, each with whatever OS you want, at the same time on a single machine. Unless you have a very old, slow computer you might only need some extra RAM.
Shack

Big Wall climber
Reno NV
Jan 14, 2013 - 09:55am PT
Nope. Not fixed by Oracle. They issued an emergency "patch" but it doesn't do enough.
They say it should take 2 years to fix. ouch.

http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/?s_cid=e539
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 10:45am PT
Saw this too. Decent advice here?

http://blog.chron.com/techblog/2013/01/do-you-have-java-on-your-computer-update-it-now/

Will read link provided upthread now. Thanks for posting it!
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 10:53am PT
which could result in the installation of malware, identity theft or used to rope personal computers in to becoming unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.


You would think that some (all) of the security vendors should be able to update their software to detect whether a machine has been compromised, even if they can't prevent it.


EDIT:

After doing some poking around on this, it appears that this task is more difficult than you might suspect.

Here's an interesting article on using one free tool, Sysinternals Process Explorer, to detect and clean a system.

http://www.windowsecurity.com/articles/Hunt-Down-Kill-Malware-Sysinternals-Tools-Part1.html

quote from another article

The problem is that if you have no idea what you are looking for, it's almost impossible to find it. Suppose a process has made itself hidden to the task manager by hooking EnumProcesses. You might think this would be an easy case to detect. However, the process could be hooking EnumProcesses through a variety of different ways. For example, an unconditional hook at the start of the function, an IAT hook, causing an access violation to occur at EnumProcesses and catching that with a VEH and modifying the EIP/RIP, etc. etc. Even in this simple case, it is not possible to guarantee detection of the hook. This is all assuming that the hook has been performed at usermode on a specific API and also that the code makes no attempt to hide itself from detection.

If you are looking for general guidelines, the best method is probably to look at common detouring techniques.
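
An added example, not part of the original post or of the article it quotes: a minimal check for the "common detouring techniques" mentioned above, comparing a function's first bytes with a trusted copy and classifying the difference, plus a range check for an import-table slot. All names are hypothetical and the byte samples are constructed, not taken from any real DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; all sample bytes below are constructed. */
typedef enum {
    HOOK_NONE = 0,      /* live bytes match the trusted reference copy   */
    HOOK_JMP_REL32,     /* E9 rel32              jmp rel32               */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32          jmp [mem]               */
    HOOK_PUSH_RET,      /* 68 imm32 C3           push imm32; ret         */
    HOOK_MOV_JMP_RAX,   /* 48 B8 imm64 FF E0     mov rax, imm64; jmp rax */
    HOOK_UNKNOWN_PATCH  /* bytes differ but match no known detour shape  */
} hook_kind;

/* Match the first bytes of a function against common detour encodings. */
static hook_kind detour_shape(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_JMP_RAX;
    return HOOK_NONE;
}

/* Compare the in-memory prologue with a trusted copy (assumed to come from
 * the on-disk image with relocations applied). Comparing first avoids
 * flagging functions that legitimately begin with a jump. A hook that
 * changes no code bytes, such as the exception-handler variant, still
 * returns HOOK_NONE here: that is the limit the quoted passage describes. */
hook_kind check_prologue(const uint8_t *live, const uint8_t *ref, size_t n)
{
    hook_kind k;
    if (memcmp(live, ref, n) == 0) return HOOK_NONE;
    k = detour_shape(live, n);
    return k != HOOK_NONE ? k : HOOK_UNKNOWN_PATCH;
}

/* IAT check: an import slot should point inside the module the caller
 * expects to implement the function. Returns 1 when the target lies
 * outside [base, base + size). */
int iat_entry_suspicious(uintptr_t target, uintptr_t base, size_t size)
{
    return target < base || target - base >= size;
}

/* Constructed 12-byte samples of one function's first instructions. */
const uint8_t REF_BYTES[12] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56,0x57,0x90};
const uint8_t JMP_HOOK[12]  = {0xE9,0x10,0x20,0x30,0x00,0x83,0xEC,0x10,0x53,0x56,0x57,0x90};
const uint8_t PUSH_RET[12]  = {0x68,0x00,0x10,0x40,0x00,0xC3,0xEC,0x10,0x53,0x56,0x57,0x90};
const uint8_t MOV_JMP[12]   = {0x48,0xB8,0x00,0x10,0x40,0x00,0x00,0x00,0x00,0x00,0xFF,0xE0};
const uint8_t ODD_PATCH[12] = {0xCC,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56,0x57,0x90};

int main(void)
{
    printf("clean=%d jmp=%d pushret=%d movjmp=%d odd=%d\n",
           check_prologue(REF_BYTES, REF_BYTES, 12),
           check_prologue(JMP_HOOK, REF_BYTES, 12),
           check_prologue(PUSH_RET, REF_BYTES, 12),
           check_prologue(MOV_JMP, REF_BYTES, 12),
           check_prologue(ODD_PATCH, REF_BYTES, 12));
    /* Constructed addresses: module at 0x10000000, 0x20000 bytes long. */
    printf("iat inside=%d outside=%d\n",
           iat_entry_suspicious((uintptr_t)0x10001234u, (uintptr_t)0x10000000u, 0x20000u),
           iat_entry_suspicious((uintptr_t)0x6F000000u, (uintptr_t)0x10000000u, 0x20000u));
    return 0;
}
```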


Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 10:58am PT
Khanom, good article but I still need to use Java if I ever want to see me wife.
froodish

Social climber
Portland, Oregon
Jan 14, 2013 - 11:44am PT
Reilly,

Do you need the Java browser plugin, or just need the Java environment installed? (ie: does your wife initiate the action through the browser, or does she launch a Java executable?)

The main danger is from "drive by" attacks (unknowingly visiting a website that is distributing the malware - and contrary to the advice in one of the linked articles earlier, there are sometimes "legit" sites that have been compromised and are distributing things like this so just staying away from pr0n sites doesn't ensure safety)

If you don't need the browser plugin, disable it (Chrome, Firefox and Safari let you easily disable the plugin). If you do need it, enable the plugin only when you need it and disable it for all other browsing.
Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 12:05pm PT
It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)


*I don't pay much attention - don't wanna get brought up on HIPAA charges!
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 01:45pm PT
Khanom, the first thing that article recommends is:

So how do you prevent yourself from becoming a victim? Well, a couple of ways.

In the case of the current Java exploit, if you don't have any applications that require the use of Java, then turn off the plugin in all of your browsers and uninstall Java from your computer.

He's also being naive to say that it's only a problem if you click on a link that someone sends you. Websites get hacked right and left, and it's quite possible for a motivated malware distributor to put their payload on a site that would be a reasonable visit by any old person.

Recently, someone hacked this site and put up their own front page. It could easily have been a malware vector. While the owners are outstanding first aid instructors, they don't know enough about websites to quickly remove the hack, and it was up there for a while.

Reilly,

It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)

Perhaps she should call up her IT guy and have you just get the answers from "him", rather than you trying to solve this via SuperTopo... That's what IT departments are paid to do :-).

It's not uncommon for a java app to be started via a web browser. Some image upload apps and chat apps are java, and I've seen plenty of others...

So, it may be that you can't eliminate java from your browser.

But, what you can do is keep a separate browser with java enabled that's only used by your wife and only when she needs to access that site.
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 01:56pm PT
Ah, I read more carefully -- the ZDNet article separates social engineering exploits from the java exploits and doesn't say that it's only a problem when you click on a link that someone sends you.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Feb 5, 2013 - 06:13am PT
Java Stumbles Again

Not long after the Department of Homeland Security was advising users to disable Java, another flaw has been discovered in Oracle's programming language.

Last week a bug was found that undermined Java's "maximum security setting." That setting, which Oracle activated by default in the last hasty update of the software, requires a user to give their OK to run unsigned Java applets. Because of the flaw, unsigned Java apps can run on a Windows system regardless of the Java security settings.

Instead of fixing security issues found in the previous version of Java, the most recent release of the program merely sidesteps them, said Bogdan Botezatu, a senior e-threat analyst with cyber security software maker Bitdefender.

"They just tried to prevent the user from triggering the issue," Botezatu told TechNewsWorld.

Leaving the resolution of security issues to the user is not a good idea. "One of the worse things a developer can do is let the user make security decisions," he said. If a pop-up message appears when a user is in the middle of doing something they want done, they'll click OK regardless of what the message says.
NoTokeRedKneck

climber
Feb 5, 2013 - 07:33am PT
zBrown, unfortunately the ieee.org appears to be getting worse with their site filtering when they're supposed to be top notch.

*If you can find it, order and read designating an object for destruction.
It was published around 2005 or 2006 by a Hamed and another whose name
I can't remember now.

It greatly simplifies routing with XML using java getree();

*The link to the article for ordering is also posted within here
at supertopo somewhere but I can't remember where.
Ken M

Mountain climber
Los Angeles, Ca
Feb 5, 2013 - 08:22am PT
following up on concerns raised by computer security experts.

So it's NOT the gov't, it is the community of private computer security experts.

The gov't is passing the word along.
NoTokeRedKneck

climber
Feb 5, 2013 - 08:41am PT
Slavery has not been abolished in the US. Under civil laws dealing
with technology slavery is allowed which is specified by return of
matter and properties to the master, noting master is the word under
law and owner is not the word.

Java is proprietary, Gosling is probably a master but he did not write
the 1'st java compiler and neither did Microsoft, the Govt. nor gnu.

What's becoming of all the Linux and other, free, Open etc. data bases?
Credit: NoTokeRedKneck
sunsite? Photo maybe enlarged.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Feb 5, 2013 - 08:43am PT
The link is here


Taxonomy of Conflicts in Network Security Policies by H Hamed - 2006 -
Cited by 34 - Related articles Policy conflicts may cause serious security
breaches and network .... security policies. Figure 3 shows the
organization of our taxonomy of these conflicts. ...
ieeexplore.ieee.org/iel5/35/33764/01607877.pdf

http://ieee.org/searchresults/index.html?cx=006539740418318249752%3Af2h38l7gvis&cof=FORID%3A11&qp=&ie=UTF-8&oe=UTF-8&q=Taxonomy+of+network+security+breaches&siteurl=ieee.org%2Findex.html#1005




NoTokeRedKneck

climber
Feb 5, 2013 - 12:19pm PT
zBrown

I just found it again. Apology as I forgot the name and I was not trying to mislead you.

Taxonomy of conflicts in network security policies

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=1607877

The previous quoted I think I confused with a mathworks patent
that's really named something like that. To me the patent is
probably not worthy as such and the interiors of it looked to
be nothing other than a stack of associate of science in computer
science algorithms taught, noting this "~();" by Stroustrup can
also be done like this "--".

Maybe their site is still functioning top notch. I just searched Google
instead of the iee when I remembered the name.
B_E_S

climber
Feb 5, 2013 - 03:27pm PT
zBrown, so what one or few of the JRE should I try?

http://www.supertopo.com/climbing/thread.php?topic_id=1107767&msg=2063051#msg2063051

I did not disable java applets in the browser and the
above data base runs outside of the browser.

I paid for Open BSD 5.2 and this should probably be in the ports
on CD.

http://www.libreoffice.org/

However the other configurations come first.

froodish

Social climber
Portland, Oregon
Feb 7, 2013 - 05:09pm PT
Your regularly scheduled Flash exploit for Feb:

http://arstechnica.com/security/2013/02/adobe-issues-emergency-flash-update-for-attacks-on-windows-mac-users/

Affects Windows and Mac. It's out there in the wild.

Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe advisory here:

https://www.adobe.com/support/security/bulletins/apsb13-04.html
froodish

Social climber
Portland, Oregon
Mar 1, 2013 - 10:03am PT
And yet another zero day Java exploit is in the wild.

Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

Disable Java in your browser if you haven't already.
zBrown

Ice climber
Brujo de La Playa
Topic Author's Reply - Jan 21, 2014 - 07:05am PT
No action here for some time. Disabling Java does cause certain applications to complain, e.g. Youtube.


What is anyone thinking on this currently?
