Disable Java? think about it.

Search
Go

Discussion Topic

Return to Forum List
Post a Reply
Messages 41 - 53 of total 53 in this topic << First  |  < Previous  |  Show All  |  Next >  |  Last >>
froodish

Social climber
Portland, Oregon
Jan 14, 2013 - 02:44pm PT
Reilly,

Do you need the Java browser plugin, or just need the Java environment installed? (ie: does you wife initiate the action through the browser, or does she launch a Java executable?)

The main danger is from "drive by" attacks (unknowingly visiting a website that is distributing the malware - and contrary to the advice in one of the linked articles earlier, there are sometimes "legit" sites that have been compromised and are distributing things like this so just staying away from pr0n sites doesn't ensure safety)

If you don't need the browser plugin, disable it (Chrome, Firefox and Safari let you easily disable the plugin). If you do need it, only enable the plugin only when you need it and disable it for all other browsing.
Reilly

Mountain climber
The Other Monrovia- CA
Jan 14, 2013 - 03:05pm PT
It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)


*I don't pay much attention - don't wanna get brought up on HIPA charges!
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 04:45pm PT
Khanom, the first thing that article recommends is:

So how do you prevent yourself from becoming a victim? Well, a couple of ways.

In the case of the current Java exploit, if you don't have any applications that require the use of Java, then turn off the plugin in all of your browsers and uninstall Java from your computer.

He's also being naive to say that it's only a problem if you click on a link that someone sends you. Websites get hacked right and left, and it's quite possible for a motivated malware distributor to put their payload on a site that would be a reasonable visit by any old person.

Recently, someone hacked this site and put up their own front page. It could easily have been a malware vector. While the owners are outstanding first aid instructors, don't know enough about websites to quickly remove the hack, and it was up there for a while.

Reilly,

It's a complicated logon process but I think it starts with the browser*.
But then it seems like there's a Java app in the next step. I guess she
should just call one of her IT guys from home so I can translate. Not that
I'm so hot but, well, between you and me and these four walls, let's just
say she doesn't get by on her 'puter expertise. ;-)

Perhaps she should call up her IT guy and have you just get the answers from "him", rather than you trying to solve this via SuperTopo... That's what IT departments are paid to do :-).

It's not uncommon for a java app to be started via a web browser. Some image upload apps and chat apps are java, and I've seen plenty of others...

So, it may be that you can't eliminate java from your browser.

But, what you can do is keep a separate browser with java enabled that's only used by you wife and only when she needs to access that site.
The user formerly known as stzzo

climber
Sneaking up behind you
Jan 14, 2013 - 04:56pm PT
Ah, I read more carefully -- the ZDNet article separates social engineering exploits from the java exploits and doesn't say that it's only a problem when you click on a link that someone sends you.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Feb 5, 2013 - 09:13am PT
Java Stumbles Again

Not long after the Department of Homeland Security was advising users to disable Java, another flaw has been discovered in Oracle's programming language.

Last week a bug was found that undermined Java's "maximum security setting." That setting, which Oracle activated by default in the last hasty update of the software, requires a user to give their OK to run unsigned Java applets. Because of the flaw, unsigned Java apps can run on a Windows system regardless of the Java security settings.

Instead of fixing security issues found in the previous version of Java, the most recent release of the program merely sidesteps them, said Bogdan Botezatu, a senior e-threat analyst with cyber security software maker Bitdefender.

"They just tried to prevent the user from triggering the issue," Botezatu told TechNewsWorld.

Leaving the resolution of security issues to the user is not a good idea. "One of the worse things a developer can do is let the user make security decisions," he said. If a pop-up message appears when a user is in the middle of doing something they want done, they'll click OK regardless of what the message says.
NoTokeRedKneck

climber
Feb 5, 2013 - 10:33am PT
zBrown, unfortunately the ieee.org appears to be getting worse with their site filtering when their suppose to be top notch.

*If you can find it, order and read desiginating a object for destruction.
It was published around 2005 or 2006 by a Hamed and another who's name
I can't remember now.

It greatly simplifies routing with XML using java getree();

*The link to the article for ordering is also posted within here
at supertopo somewhere but i can't remember where.
Ken M

Mountain climber
Los Angeles, Ca
Feb 5, 2013 - 11:22am PT
following up on concerns raised by computer security experts.

So it's NOT the gov't, it is the community of private computer security experts.

The gov't is passing the word along.
NoTokeRedKneck

climber
Feb 5, 2013 - 11:41am PT
Slavery has not been abolished in the US. Under civil laws dealing
with technology slavery is allowed which is specified by return of
matter and properties to the master, noting master is the word under
law and owner is not the word.

Java is proprietary, Gosling is probably a master but he did not write
the 1'st java compiler and neither did Microsoft, the Govt. nor gnu.

What's becoming of all the Linux and other, free, Open etc. data bases?
Credit: NoTokeRedKneck
sunsite? Photo maybe enlarged.
zBrown

Ice climber
chingadero de chula vista
Topic Author's Reply - Feb 5, 2013 - 11:43am PT
The link is here


Taxonomy of Conflicts in Network Security Policiesby H Hamed - 2006 -
Cited by 34 - Related articles Policy conflicts may cause serious security
breaches and network .... security policies. Figure 3 shows the
organization of our taxonomy of these conflicts. ...
ieeexplore.ieee.org/iel5/35/33764/01607877.pdf

http://ieee.org/searchresults/index.html?cx=006539740418318249752%3Af2h38l7gvis&cof=FORID%3A11&qp=&ie=UTF-8&oe=UTF-8&q=Taxonomy+of+network+security+breaches&siteurl=ieee.org%2Findex.html#1005




NoTokeRedKneck

climber
Feb 5, 2013 - 03:19pm PT
zBrown

I just found it again. Apology as i forgot the name and i was not trying to mislead you.

Taxonomy of conflicts in network security policies

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=1607877

The previous qouted i think i confused with a mathworks patent
that's really named something like that. To me the patent is
probably not worthy as such and the interiors of it looked to
be nothing other than a stack of associate of science in computer
science algorithms taught, noting this "~();" by Stroustrup can
also be done like this "--".

Maybe their site is still functioning top notch. I just searched Google
instead of the iee when I remembered the name.
froodish

Social climber
Portland, Oregon
Feb 7, 2013 - 08:09pm PT
Your regularly scheduled Flash exploit for Feb:

http://arstechnica.com/security/2013/02/adobe-issues-emergency-flash-update-for-attacks-on-windows-mac-users/

Affects Windows and Mac. It's out there in the wild.

Adobe has released security updates for Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.261 and earlier versions for Linux, Adobe Flash Player 11.1.115.36 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.31 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2013-0633 is being exploited in the wild in targeted attacks designed to trick the user into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content. The exploit for CVE-2013-0633 targets the ActiveX version of Flash Player on Windows.

Adobe advisory here:

https://www.adobe.com/support/security/bulletins/apsb13-04.html
froodish

Social climber
Portland, Oregon
Mar 1, 2013 - 01:03pm PT
And yet another zero day Java exploit is in the wild.

Hackers are exploiting a previously unknown and currently unpatched vulnerability in the latest version of Java to surreptitiously infect targets with malware, security researchers said Thursday night.

The critical vulnerability is being exploited to install a remote-access trojan dubbed McRat, researchers from security firm FireEye warned. The attacks work against Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. The attack is triggered when people with a vulnerable version of the Java browser plugin visit a website that has been booby-trapped with attack code. FireEye researchers Darien Kindlund and Yichong Lin said the exploit is being used against "multiple customers" and that they have "observed successful exploitation."

Disable Java in your browser if you haven't already.
zBrown

Ice climber
Brujo de La Playa
Topic Author's Reply - Jan 21, 2014 - 10:05am PT
No action here for some time. Disabling Java does cause certain applications to complain, e.g. Youtube.


What is anyone thinking on this currently?

Messages 41 - 53 of total 53 in this topic << First  |  < Previous  |  Show All  |  Next >  |  Last >>
Return to Forum List
Post a Reply
 
Our Guidebooks
Check 'em out!
SuperTopo Guidebooks


Try a free sample topo!

 
SuperTopo on the Web

Review Categories
Recent Route Beta
Recent Gear Reviews