Disable Java in browsers warns U.S. Homeland Security

by 1byte
16 replies
Heads-up for those who may not be aware of this development. If you have Java installed on your browser, disable it now, if you haven't already.

The U.S. Dept of Homeland Security has just released a warning urging computer users to disable Oracle Corp's Java software in browsers due to security holes that can be exploited by hackers to install malicious software. You can read more about it here:

U.S. warns on Java software as security concerns escalate | Reuters

Note: Don't confuse Java with "JavaScript," as these are two completely different things, despite the name similarity. You should keep JavaScript enabled in your browser, or you will find that many websites will not display correctly (including probably your own).

*Update: For easy instructions on how to disable Java, here's a good guide: http://krebsonsecurity.com/how-to-un...m-the-browser/

Mods: Please feel free to move this thread if I've posted in the wrong place.
  • Daniel Elss
    Email I received today that relates.


    From Krebs Security Blog this am......
    Jan 13
    Zero-Day Java Exploit Debuts in Crimeware


    "The hackers who maintain Blackhole and Nuclear Pack - competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware -- say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java.

    The curator of Blackhole, a miscreant who uses the nickname "Paunch," announced yesterday on several Underweb forums that the Java zero-day was a "New Year's Gift," to customers who use his exploit kit. Paunch bragged that his was the first to include the powerful offensive weapon, but shortly afterwards the same announcement was made by the maker and seller of Nuclear Pack.

    According to both crimeware authors, the vulnerability exists in all versions of Java 7, including the latest -- Java 7 Update 10. This information could not be immediately verified, but if you have Java installed, it would be a very good idea to unplug Java from your browser, or uninstall this program entirely if you don't need it."
  • sbucciarel
    I don't see any option for disabling java in Firefox. Any clues?
    • 1byte
      Originally posted by sbucciarel:

      I don't see any option for disabling java in Firefox. Any clues?

      Yes, good question. In Firefox, go into Tools --> Addons --> Plugins. If you have Java, you will see something like "Java Deployment Toolkit" and/or "Java (TM) Platform," and perhaps some other Java plugins. Press the "Disable" button on each of these, and you may need to restart FF. That's about all there is to it as far as I know.

      *Update: Here's a guide on how to disable Java in most commonly used browsers:
      http://krebsonsecurity.com/how-to-un...m-the-browser/
      • sbucciarel
        Originally posted by 1byte:

        Yes, good question. In Firefox, go into Tools --> Addons --> Plugins. If you have Java, you will see something like "Java Deployment Toolkit" and/or "Java (TM) Platform," and perhaps some other Java plugins. Press the "Disable" button on each of these, and you may need to restart FF. That's about all there is to it as far as I know.

        *Update: Here's a guide on how to disable Java in most commonly used browsers:
        How to Unplug Java from the Browser — Krebs on Security

        Thanks. It looks like Mozilla already disabled it for me. It was disabled when I checked it.
        • 1byte
          Originally posted by sbucciarel:

          Thanks. It looks like Mozilla already disabled it for me. It was disabled when I checked it.

          Yes, mine too, although mine was an older version 6.0.270.7, which also had security vulnerabilities. The most recent version that Homeland Security is warning about is Java version 7, update 10, which I did not have installed. Either way, it appears Java has some huge security holes that need to be fixed by Oracle ASAP.
  • Robert Michael
    Thanks for the heads-up man, I haven't heard anything about this until I saw your post.

    My Firefox just updated to 17, I wonder if that had anything to do with this?

    Either way, I disabled all Java products for now... better to be safe than sorry.
  • jasonl70
    I wonder if Homeland Security does this for all zero day exploits?

    Maybe it's the conspiracy theorist in me, but working in this space somewhat (not just Java development, but penetration testing and security) I am aware of zero-day exploits quite often - don't really recall Homeland Security getting involved (I could be wrong), nor people being told to not use the technology (never been told to remove IE, or Windows, or Mac OS).

    But then, Oracle may not have the clout/pull that MS and Apple have in DC.

    -Jason
  • Rbtmarshall
    Tomorrow's headline:
    Homeland Security recommends disabling all WordPress sites due to numerous security vulnerabilities.
    • 1byte
      Originally posted by Rbtmarshall:

      Tomorrow's headline: Homeland Security recommends disabling all WordPress sites due to numerous security vulnerabilities.

      Ha ha, good one!
      • paulgl
        Just was perusing the forum to see if anyone posted this yet.

        I think this is a first for Homeland Security.

        The product will need a complete makeover.

        I don't know why the US is not telling people other
        Java settings options. Dismissing those options will
        send a bad message to people about Java. Oracle
        might be stuck with a very expensive white elephant.

        The web is everything these days. You can't panic the
        general public without it creeping up the food chain.
        All Java users will be nervous.

        Paul

        If you were disappointed in your results today, lower your standards tomorrow.
        • GlobalTrader
          I read about this late last evening and sent an email to a friend who was a lead programmer for the US Navy for over 30 years and the following was his reply:

          "I quit installing Java a while back. Every time I reinstall my PC, I wait
          for an application to say it needs it to run. I reinstalled my PC about 2
          months ago and have not had a need to reinstall it. I guess the more you
          hack on the web, i.e., visit questionable sites, the more susceptible you
          would be. I'd uninstall it if you do not need it."

          GlobalTrader
  • seasoned
    I had forgotten all about this. THANKS. All mine were disabled. But Java is VERY popular. You likely have it all over your system. LUCKILY, the browser is generally the only way for a site to connect to it.

    Steve
  • Patrician
    THANK YOU 1Byte et al!

    I am telling you this forum is the place for the latest breaking news - more times I first learned about something serious here! (sometimes literally minutes after Google news has it).

    Sometimes I say - no don't waste any time reading this inane crap here about your favorite ice cream... Wrong! There are gems here to this day!

    I disabled Java in all 3 browsers with no hitch that I know of (FF, Chr, IE)

    Have a safe day.
  • Rick B
    Yesterday Oracle issued a statement that they will have a fix for Java available soon.
    • 1byte
      Originally posted by Rick B:

      Yesterday Oracle issued a statement that they will have a fix for Java available soon.

      That's good news. Unfortunately, "soon" is "too late" for anyone who got hacked by using the "unfixed" versions of Java.