Disable Java? think about it.

Search
Go

Discussion Topic

Return to Forum List
Post a Reply
Messages 21 - 40 of total 44 in this topic << First  |  < Previous  |  Show All  |  Next >  |  Last >>
TwistedCrank

climber
Dingleberry Gulch, Ideeho
Jan 13, 2013 - 10:35am PT
Java programmers make big bucks. Especially if its bolted to Oracle.

Somebody's making out, and its not the consumer.

I was at Hidden Valley and Larry Ellison was there, and he got all bitchy when I urinated on his campfire. I told him to take a chill pill.
Malemute

Ice climber
the ghost
Jan 13, 2013 - 11:34pm PT
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 01:21am PT
The first article link seems to be committing a fallacy commonly known
as missing the point. What is the vulnerability to begin with?

This is a fallacy commonly known as being uninformed.
TrundleBum

Trad climber
Las Vegas
Jan 14, 2013 - 01:39am PT

Well you've got to be careful how you get 'tubed'

it's not true:
"only a surfer knows the feeling"

http://www.youtube.com/watch?v=f99PcP0aFNE
Shack

Big Wall climber
Reno NV
Jan 14, 2013 - 02:27am PT
The vulnerability allows serious access to your computer...
and all the experts are still scratching their heads apparently not sure what to do.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/?s_cid=e589
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 09:41am PT
They think they do


http://www.foxnews.com/tech/2013/01/14/java-flaw-homeland-security-warning-fixed/

http://java.com/en/download/java_update.jsp

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, told Reuters that the update leaves unfixed several other, notable security issues

Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 11:06am PT
I would like some straight up honest advice from a non-paranoid. Is there
really anything to this? I have to have Java on my machine so the wife can
access her work system from home, otherwise she never comes home. I thought
I saw on WindowsBBS that Oracle had fixed it.
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 11:33am PT
Agreed Reilly. I have a homework software that comes with a stats text that my students use (I clearly have to get into it). It seems it's java based.

Thoughts for the person who doesn't speak computer language? What to do?
squishy

Mountain climber
Jan 14, 2013 - 12:23pm PT
Let's hope this sounds the death knell for Oracle.

Why would we hope for that?

Besides Oracle's business is hardly java, it's many things. We gave them 25 mil this year to upgrade all our hardware and software, it's some pretty nifty stuff..
kunlun_shan

Mountain climber
SF, CA
Jan 14, 2013 - 12:40pm PT
Interesting article, khanom. Thanks!

Reilly, I don't know how technically saavy you are, or how much trouble/work you are willing to do, but Virtualbox could be a good fix. Its free and fairly easy to implement. I've found this guide straightforward, and it walks you through enough that by the end, you'd have a good understanding of this flavor of VM: http://www.packtpub.com/virtualbox-3-1-beginners-guide/book . On the machine you use now, setup one VM with what your wife needs, and another for browsing the web.

Plus its very cool and fun to be able to run the equivalent of multiple computers, each with whatever OS you want, at the same time on a single machine. Unless you have a very old, slow computer you might only need some extra RAM.
Shack

Big Wall climber
Reno NV
Jan 14, 2013 - 12:55pm PT
Nope. Not fixed by Oracle. They issued an emergency "patch" but it doesn't do enough.
They say it sould take 2 years to fix. ouch.

http://www.zdnet.com/security-experts-on-java-fixing-zero-day-exploit-could-take-two-years-7000009756/?s_cid=e539
Crimpergirl

Sport climber
Boulder, Colorado!
Jan 14, 2013 - 01:45pm PT
Saw this too. Decent advice here?

http://blog.chron.com/techblog/2013/01/do-you-have-java-on-your-computer-update-it-now/

Will read link provided upthread now. Thanks for posting it!
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Jan 14, 2013 - 01:53pm PT
which could result in the installation of malware, identity theft or used to rope personal computers in to becoming unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.


You would think that some (all) of the security vendors should be able to update their software to detect whether a machine has been compromised, even if they can't prevent it.


EDIT:

After doing some poking around on this, it appears that this task is more difficult than you might suspect.

Here's an interesting article on using one free tool, Sysinternals Process Explorer, to detect and clean a system.

http://www.windowsecurity.com/articles/Hunt-Down-Kill-Malware-Sysinternals-Tools-Part1.html

quote from another artucle

The problem is that if you have no idea what you are looking for, it's almost impossible to find it. Suppose a process has made itself hidden to the task manager by hooking EnumProcesses. You might think this would be an easy case to detect. However, the process could be hooking EnumProcesses through a variety of different ways. For example, an unconditional hook at the start of the function, an IAT hook, causing an access violation to occur at EnumProcessesand catching that with a VEH and modifying the EIP/RIP, etc. etc. Even in this simple case, it is not possible to guarantee detection of the hook. This is all assuming that the hook has been performed at usermode on a specific API and also that the code makes no attempt to hide itself from detection.

If you are looking for general guidelines, the best method is probably to look at common detouring techniques.


Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 01:58pm PT
Khanom, good article but I still need to use Java if I ever want to see me wife.
froodish

Social climber
Portland, Oregon
Jan 14, 2013 - 02:44pm PT
Reilly,

Do you need the Java browser plugin, or just need the Java environment installed? (ie: does you wife initiate the action through the browser, or does she launch a Java executable?)

The main danger is from "drive by" attacks (unknowingly visiting a website that is distributing the malware - and contrary to the advice in one of the linked articles earlier, there are sometimes "legit" sites that have been compromised and are distributing things like this so just staying away from pr0n sites doesn't ensure safety)

If you don't need the browser plugin, disable it (Chrome, Firefox and Safari let you easily disable the plugin). If you do need it, only enable the plugin only when you need it and disable it for all other browsing.
Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 03:05pm PT
It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)


*I don't pay much attention - don't wanna get brought up on HIPA charges!
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 04:45pm PT
Khanom, the first thing that article recommends is:

So how do you prevent yourself from becoming a victim? Well, a couple of ways.

In the case of the current Java exploit, if you don't have any applications that require the use of Java, then turn off the plugin in all of your browsers and uninstall Java from your computer.

He's also being naive to say that it's only a problem if you click on a link that someone sends you. Websites get hacked right and left, and it's quite possible for a motivated malware distributor to put their payload on a site that would be a reasonable visit by any old person.

Recently, someone hacked this site and put up their own front page. It could easily have been a malware vector. While the owners are outstanding first aid instructors, don't know enough about websites to quickly remove the hack, and it was up there for a while.

Reilly,

It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)

Perhaps she should call up her IT guy and have you just get the answers from "him", rather than you trying to solve this via SuperTopo... That's what IT departments are paid to do :-).

It's not uncommon for a java app to be started via a web browser. Some image upload apps and chat apps are java, and I've seen plenty of others...

So, it may be that you can't eliminate java from your browser.

But, what you can do is keep a separate browser with java enabled that's only used by you wife and only when she needs to access that site.
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 04:56pm PT
Ah, I read more carefully -- the ZDNet article separates social engineering exploits from the java exploits and doesn't say that it's only a problem when you click on a link that someone sends you.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Feb 5, 2013 - 09:13am PT
Java Stumbles Again

Not long after the Department of Homeland Security was advising users to disable Java, another flaw has been discovered in Oracle's programming language.

Last week a bug was found that undermined Java's "maximum security setting." That setting, which Oracle activated by default in the last hasty update of the software, requires a user to give their OK to run unsigned Java applets. Because of the flaw, unsigned Java apps can run on a Windows system regardless of the Java security settings.

Instead of fixing security issues found in the previous version of Java, the most recent release of the program merely sidesteps them, said Bogdan Botezatu, a senior e-threat analyst with cyber security software maker Bitdefender.

"They just tried to prevent the user from triggering the issue," Botezatu told TechNewsWorld.

Leaving the resolution of security issues to the user is not a good idea. "One of the worse things a developer can do is let the user make security decisions," he said. If a pop-up message appears when a user is in the middle of doing something they want done, they'll click OK regardless of what the message says.
Ken M

Mountain climber
Los Angeles, Ca
Feb 5, 2013 - 11:22am PT
following up on concerns raised by computer security experts.

So it's NOT the gov't, it is the community of private computer security experts.

The gov't is passing the word along.
Messages 21 - 40 of total 44 in this topic << First  |  < Previous  |  Show All  |  Next >  |  Last >>
Return to Forum List
Post a Reply
 
Our Guidebooks
Check 'em out!
SuperTopo Guidebooks


Try a free sample topo!

 
SuperTopo on the Web

Review Categories
Recent Trip Report and Articles
Recent Route Beta
Recent Gear Reviews