
[Closed] PSA: Java Zero-Day Exploit

Posts: 77687
Free Member
Topic starter
 

This could get messy.

There's a zero-day Java exploit in the wild, and I'm seeing reports of "massive" take-up of it. Details here,

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/

As current versions of Java are affected, the usual 'update to the latest version' advice doesn't apply. You're better off disabling it temporarily or, if you don't think you need it, uninstalling it. (I've just pulled it from my machine.)

If you're running the current version, Java 7 Update 10, it's simple to disable. See here: http://www.java.com/en/download/help/disable_browser.xml

If you're not (and why not?), you can do it through your browser. Instructions here: https://krebsonsecurity.com/how-to-unplug-java-from-the-browser/ . Note that unbundling it from Internet Explorer is a mess; if you use IE I'd suggest either changing browsers, uninstalling Java completely or updating to the latest version and then disabling it in Control Panel as per the link in the previous paragraph.

Be careful out there.


 
Posted : 12/01/2013 12:19 pm
Posts: 25873
Full Member
 

Firefox seems to have disabled this automatically (though by the time I'd seen that I'd disabled it manually, so I then re-enabled it manually to allow the automatic process to take precedence).

With me so far? Will my re-enabling override the original auto-blocking, do you think?

Interesting, this. I have no idea what zero-day exploits are and yet I've done what you suggested. Would you like my banking details now?


 
Posted : 12/01/2013 1:09 pm
Posts: 77687
Free Member
Topic starter
 

(-:

Firefox blocks older versions automatically; I had U9 installed rather than U10 (lax of me) and it was disabled. I uninstalled it anyway; I've next to nothing that uses it.

http://en.wikipedia.org/wiki/Zero-day_attack


 
Posted : 12/01/2013 1:14 pm
Posts: 25873
Full Member
 

silly me - I imagine you've had 'em for months


 
Posted : 12/01/2013 1:14 pm
Posts: 0
Free Member
 

From Cougar's link:


A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

If I just use my computer for surfing and typing documents and emails, am I as well just ditching Java?


 
Posted : 12/01/2013 1:47 pm
Posts: 77687
Free Member
Topic starter
 

Probably.

Generally, if you hit something that requires it, it should complain / prompt you about it anyway, then you can make an informed decision.

I've said this before, but out of date versions of Flash and Java are collectively the single biggest points of attack (and thus the biggest cause of malware infections*) on Windows systems currently, by a very long way. If you can get rid then do so, if you can't then make sure you're current.

(* - that and people wilfully installing hostile programs)


 
Posted : 12/01/2013 2:50 pm
Posts: 33520
Full Member
 

I read something about this yesterday; it seems Apple have already taken appropriate action to disable Java until something can be done to fix the problem.
Yes, here:

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to the threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
Hackers have discovered a weakness in Java 7 security that could allow the installation of malicious software and malware on machines that could increase the chance of identity theft, or the unauthorized participation in a botnet that could bring down networks or be used to carry out denial-of-service attacks against Web sites.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Apple has, however, apparently already moved quickly to address the issue, disabling the Java 7 plug-in on Macs where it is already installed. Apple has achieved this by updating its "Xprotect.plist" blacklist to require a minimum of an as-yet unreleased 1.7.0_10-b19 version of Java 7. With the current publicly-available version of Java 7 being 1.7.0_10-b18, all systems running Java 7 are failing to pass the check initiated through the anti-malware system built into OS X.

Apple's updated plug-in blacklist requiring an unreleased version of Java 7

Apple historically provided its own support for Java on OS X, but in October 2010 began pushing support for Java back to Oracle, with Steve Jobs noting that the previous arrangement resulted in Apple's Java always being a version behind that available to other platforms through Oracle. Consequently, Jobs acknowledged that having Apple responsible for Java "may not be the best way to do it."

It wasn't until last August that the transition was essentially complete, with Oracle officially launching Java 7 for OS X. Java 7 does not ship by default on Mac systems, meaning that many users are not affected by this latest issue or other recent ones, but those users who have manually installed Java 7 may be experiencing issues with their systems.

There is no word yet on when an updated version of Java addressing the issue will be made available by Oracle.

Update: As detailed in the National Vulnerability Database, the issue affects not only the Java 7 plug-in, but all versions from 4 through 7.


 
Posted : 12/01/2013 2:54 pm
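The two blocking mechanisms mentioned in this thread (Firefox disabling older Java plug-ins, and Apple's XProtect blacklist demanding a build that did not yet exist) both come down to a minimum-version gate on Oracle-style version strings. The following is an added illustration of that gate, not Apple's or Mozilla's code; the version strings are the ones quoted in the thread and the three-copy inventory is constructed.

```python
import re
from typing import NamedTuple

# Added example: a minimum-version gate of the kind described in the thread.
# Not Apple's XProtect or Mozilla's blocklist code; the key names of those
# files are not reproduced here, only the comparison they perform.

class JavaVersion(NamedTuple):
    major: int    # 1
    minor: int    # 7
    micro: int    # 0
    update: int   # 10 (the "Update 10" / "7u10" / "7.10" the thread refers to)
    build: int    # 18 (the "-b18" suffix)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")

def parse_java_version(text: str) -> JavaVersion:
    """Parse Oracle-style strings such as '1.7.0_10-b18' into a sortable tuple.

    A missing update or build number is treated as 0, so '1.7.0' sorts below
    '1.7.0_1' and '1.7.0_10' sorts below '1.7.0_10-b1'.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update, build = m.groups()
    return JavaVersion(int(major), int(minor), int(micro),
                       int(update or 0), int(build or 0))

def plugin_allowed(installed: str, minimum: str) -> bool:
    """True only if the installed plug-in meets the required minimum.

    Tuple comparison is what gives the blacklist its bite: a build below the
    required one is blocked, and a minimum nobody can download yet (the
    thread's 1.7.0_10-b19) blocks every installed copy.
    """
    return parse_java_version(installed) >= parse_java_version(minimum)

def blocked_plugins(installed: list[str], minimum: str) -> list[str]:
    """Apply the gate to every installed copy (several versions can coexist,
    as the thread notes) and return the ones that should be disabled."""
    return [v for v in installed if not plugin_allowed(v, minimum)]

if __name__ == "__main__":
    # Versions from the thread: b18 was the current public build, b19 the
    # minimum Apple's blacklist demanded, so every installed copy fails.
    print(plugin_allowed("1.7.0_10-b18", "1.7.0_10-b19"))
    # Constructed inventory mirroring a poster's netbook: Java 5, 6 and 7u10.
    print(blocked_plugins(["1.5.0_22", "1.6.0_37", "1.7.0_10-b18"], "1.7.0_10"))
```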
Posts: 36
Free Member
 

Cheers, Cougar.

Uninstalling as I type.

http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/


 
Posted : 12/01/2013 3:27 pm
Posts: 77687
Free Member
Topic starter
 

Word of mouth info so I don't have a link, but apparently Oracle have acknowledged it and are working on a fix as a priority.


 
Posted : 12/01/2013 6:57 pm
Posts: 0
Free Member
 

Cougar, as you are back, another noob question:

I seem to have 3 Java programs on my netbook, J2SE runtime 5, Java 6 something (already uninstalled) and Java 7.10.

If I want rid of Java but want to be able to use web sites running JavaScript, is it OK to remove them all?


 
Posted : 12/01/2013 7:08 pm
Posts: 0
Free Member
 

Java is not related to JavaScript, but I think uninstalling Java is a bit of an overreaction.


 
Posted : 12/01/2013 10:35 pm
Posts: 77687
Free Member
Topic starter
 

It's entirely possible, likely even, to have multiple copies of Java installed; different versions can install in parallel for compatibility reasons (so that for example, if a program requires 5 then installing 6 won't break it). I'd remove the lot, then consider reinstalling the latest once a patch is released.

Day to day, as a bare minimum and exploit aside, I'd uninstall all bar 7.10 as a matter of course. This could, theoretically, break something that needs it but I've never seen it happen on the desktop (and in any case, if something requires Java 5 it probably needs updating / uninstalling itself).

As Skids says, Java and JavaScript are two very different things with a similar name.

I think uninstalling Java is a bit of an overreaction

I'm suggesting uninstalling it temporarily until a patch is released. Hands up who actually uses it regularly? Exactly.


 
Posted : 12/01/2013 10:55 pm
Posts: 621
Free Member
 

Cougar - Member
Word of mouth info so I don't have a link, but apparently Oracle have acknowledged it and are working on a fix as a priority.

I heard it's not actually a zero-day, as Oracle were made aware of it several months ago...


 
Posted : 12/01/2013 11:01 pm
Posts: 0
Free Member
 

I use BikeCAD which runs in Java - would just disabling it in Firefox do the trick?


 
Posted : 12/01/2013 11:14 pm
Posts: 77687
Free Member
Posts: 36
Free Member
 

Thanks again. Better than a TechNet RSS feed 🙂

Will install new version tomorrow.


 
Posted : 13/01/2013 10:38 pm
Posts: 77687
Free Member
Topic starter
 

Pulse, finger, thereof.

HTH. (-:


 
Posted : 13/01/2013 10:40 pm