
backscatter712

(26,355 posts)
Fri Jan 18, 2013, 05:13 PM

Don't re-enable Java! The latest security updates to Java still have vulnerabilities!

Last edited Fri Jan 18, 2013, 08:23 PM - Edit history (2)

https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813

Latest Java Update Broken; Two New Sandbox Bypass Flaws Found

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11,” Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

24 replies
Don't re-enable Java! The latest security updates to Java still have vulnerabilities! (Original Post) backscatter712 Jan 2013 OP
It could be two years before Java is safe to use. lpbk2713 Jan 2013 #1
The problem is why they will say that MattBaggins Jan 2013 #9
Do you understand all of this? Sekhmets Daughter Jan 2013 #2
Most sites don't use Java, so you probably won't miss it much. backscatter712 Jan 2013 #3
Thanks for explaining it to us n/t Oilwellian Jan 2013 #6
Thanks... Sekhmets Daughter Jan 2013 #7
I agree Oilwellian Jan 2013 #5
Apparently I do not even have it on my Firefox browser anymore. dixiegrrrrl Jan 2013 #4
Where the hell is the 'plug-in' menu? Sekhmets Daughter Jan 2013 #8
Tools---> Addons (new browser tab opens)---> Plugins tab tkmorris Jan 2013 #10
Thanks... Sekhmets Daughter Jan 2013 #13
Control + Shift + A lpbk2713 Jan 2013 #11
Is that for a PC? Sekhmets Daughter Jan 2013 #15
OK ... disregard. lpbk2713 Jan 2013 #17
I can't pay my bills/do my banking without Java enabled War Horse Jan 2013 #12
You might try using two web browsers. backscatter712 Jan 2013 #18
Using Chrome, for the most part War Horse Jan 2013 #21
Suppose I should add that War Horse Jan 2013 #23
That's the purpose of using a second browser. backscatter712 Jan 2013 #24
Android apps are written in a custom form of java sooooo MattBaggins Jan 2013 #19
Ok, I hereby consider myself schooled War Horse Jan 2013 #22
Dude, I don't even know how to disable it. Skidmore Jan 2013 #14
here's one cthulu2016 Jan 2013 #16
ya. hubby took it off my computer the other day. nt seabeyond Jan 2013 #20

MattBaggins

(7,904 posts)
9. The problem is why they will say that
Fri Jan 18, 2013, 05:35 PM

As seen on this thread, people think Java is some obscure unused plugin when in fact Java is all over the place and embedded in just about everything.

"I uninstalled Java so I'm Java free... Now let me get back to playing Minecraft"


Google "Java is everywhere"

Sekhmets Daughter

(7,515 posts)
2. Do you understand all of this?
Fri Jan 18, 2013, 05:17 PM

I have a new Mac desktop...OS X 10.8.2....Apple no longer installs Java on their new computers and I would have to go to Oracle and download Java from their site. The thing is I haven't a clue what Java does so I don't know if I should download it once the bugs are cleaned out.

backscatter712

(26,355 posts)
3. Most sites don't use Java, so you probably won't miss it much.
Fri Jan 18, 2013, 05:21 PM

Java is a programming language, and a computing environment consisting of a virtual machine running Java programs in what should be (but isn't really) a controlled environment.

These days, Java's used a lot on the server-side, but you can also run Java programs, called applets, in your web browser if you have Java installed. In theory, Java applets are kept in a "sandbox" that ensures the program can only do stuff in its own little space and can't mess with things it's not allowed to touch. In practice, the sandbox leaks like a sieve, and malicious Java applets can do nasty things like installing malware on your system or stealing your information.

Oilwellian

(12,647 posts)
5. I agree
Fri Jan 18, 2013, 05:22 PM

I've never understood what Java does. Evidently, not much since I haven't missed a thing since I uninstalled it.

dixiegrrrrl

(60,010 posts)
4. Apparently I do not even have it on my Firefox browser anymore.
Fri Jan 18, 2013, 05:22 PM

The Plug-ins menu does not show it. And I have had no problems accessing anything on the web.
So I guess it is not even needed????

edited...hmm...it is not on my Opera browser either.
Running Linux.
I think I may have removed it some time ago for some reason or the other.

Sekhmets Daughter

(7,515 posts)
15. Is that for a PC?
Fri Jan 18, 2013, 05:42 PM

Doesn't seem to work on my Mac, but someone else told me how to find it. Thanks, though.

lpbk2713

(42,766 posts)
17. OK ... disregard.
Fri Jan 18, 2013, 05:46 PM



Glad you got it taken care of. Yes, it's a PC keyboard shortcut, doesn't apply to you.




War Horse

(931 posts)
12. I can't pay my bills/do my banking without Java enabled
Fri Jan 18, 2013, 05:39 PM

Only device that doesn't have Java (yet) is my Droid. Doesn't really seem to be a way to avoid it.

backscatter712

(26,355 posts)
18. You might try using two web browsers.
Fri Jan 18, 2013, 05:47 PM

For example, for general web browsing, you might use Firefox, and make sure Java is disabled completely there.

Then you use a second browser, say Opera, for that one place like your bank where Java is required, and you make sure you use that browser only for that single site, and nothing else.

backscatter712

(26,355 posts)
24. That's the purpose of using a second browser.
Fri Jan 18, 2013, 07:51 PM

Use the second browser for the bank site, only the bank site, and nothing else - that can keep Java under quarantine.
