Homeland Security warns to disable Java amid zero-day flaw

I found this interesting. This is, I believe, the first time they have warned users to disable a program. I know Java does have security issues, but is this level of warning warranted?

This is a zero-day attack that can affect pretty much any computer, anywhere. Most zero-day exploits get patched faster than any serious harm can be done, but this security hole is still wide open.

Apple has disabled Java 7, so if you have a Mac, you are already safe. OSX has a secret blacklist that can remotely kill security issues.

If you’re running Firefox and recently updated to v.18 I think you’ll discover that Java and Silverlight are both blocked for vulnerability issues.

I disabled it on two of my computers yesterday morning after hearing about it on Good Morning America, much to the derision of my SO, who couldn’t find mention of it in the news until yesterday evening. For those of us who aren’t up on the lingo, what is meant by “zero-day”? They keep tossing around that term as if it is common knowledge, and it ain’t!

I think ‘zero-day’ means that the vulnerability is known to the world when the software is released.

I use OpenOffice on Win7. Am I correct that it somehow requires Java?

So is this specific to Java 7? I seem to have missed the update boat, and I’m still using Java 6.

Java is mainly required for the HSQLDB database engine.

I think you forgot the [smug] [/smug] tags.

According to this article OSX is vulnerable.

According to Oracle if I’m reading this correctly, they haven’t updated Java for 32bit Windows to v7 yet. It is not due for release until February.

If you’re using a 32bit version of Windows you’re safe because only v7 of Java is vulnerable according to DHS. I do happen to use Windows 7 32bit. I checked the version of Java installed. Yep, version 6 update 37 which is current for 32bit Windows.

[Smug]If you’re using 32bit Windows you should be safe, but if you’re using OS X you may not be.[/Smug] :wink:

If you’re on OS X, there’s a Java Preferences app in /Applications/Utilities. I ran it and it said I have Java SE 6, both 32- and 64-bit.

Yeah, I wonder on how many machines v7 is actually installed. Anyway, I’m disabling Java in Firefox just to be safe until I’ve heard something from Oracle addressing this. In Firefox it can be disabled by going to Tools, then Options, and then the “Content” tab; there is a checkbox to disable it if it is not already disabled.

ETA: Of course half the internet doesn’t work now.

I would have no idea how to “disable” java. I hope no one out there wants to pretend to be me today.

So …what’s Java, and how do I know if it’s installed on my computer?
I have a home computer with windows XP and IE8.
I have a work computer with Win7 and IE9.
(Yes, I’m a total techno-phobe. Please answer using words, not incomprehensible capitalized 3-letter abbreviations.)

I know Java is a type of coffee :slight_smile: .
I’ve heard of it as a computer language, too, but I have no idea what it does. Or why, if it’s so important for web sites, it isn’t automatically included in the browser. Or, if it’s not automatically included in everyone’s computer, why do websites use it?

I don’t give a damn what’s inside my computer, just like I don’t care what’s under the hood of my car.
I just turn 'em on, and use 'em.
When they break, I call a mechanic, or a help-line guy in India…

You do know that Javascript and Java are two VERY different things, don’t you? The security hole in question does not relate to Javascript.

Apple disables Java 7 in OS X.

It turns out that my Mac is too old for the affected version to run on anyways… Java 7 on the Mac requires OS X 10.7.3 or above. I’m running OS X 10.6.8. Link.

Ohhhh. :smack:

Thanks.

How to Disable Java in Firefox. For me (on Linux), it was something called IcedTea-Web plugin, listed under Tools -> Add-ons -> Plugins. YMMV

ETA: for Chromium, enter chrome://plugins/ as the URL, and look for the same IcedTea Web Plugin.

First of all, it really isn’t a zero-day vulnerability.

Secondly, the term “zero-day” is so mis- and over-used that it really has no effective meaning anymore. Anytime I see an article that describes something as a “zero-day” flaw or whatever, I know immediately the article isn’t going to be technically useful.

The only things that really matter are whether the flaw is being used in the wild and whether it has been patched yet.

The answers are not good for this one.