Kill that Java plugin now! New 0-day exploit running wild online
Source: The Register
A new Java zero-day security vulnerability is already being actively exploited to compromise PCs. The best way to defend against the attacks is to disable any Java browser plugins on your systems.
The offending bug is present in fully patched and up-to-date installations of the Java platform, now overseen by database giant Oracle, according to Jaime Blasco, head of labs at security tools firm AlienVault.
"The exploit is the same as the zero-day vulnerabilities we have been seeing in the past year in IE, Java and Flash," Blasco warned.
"The hacker can virtually own your computer if you visit a malicious link thanks to this new vulnerability. At the moment, there is no patch for this vulnerability, so the only way to protect yourself is by disabling Java."
Read more: http://www.theregister.co.uk/2013/01/10/java_0day/
I suspect as java is largely OS agnostic, so is the exploit...
99th_Monkey
(19,326 posts)Bosonic
(3,746 posts)from Experts urge PC users to disable Java, cite security flaw
...
"Moore said machines running on Mac OS X, Linux or Windows all appear to be vulnerable to attack."
...
http://www.reuters.com/article/2013/01/10/us-java-security-idUSBRE90919X20130110
Voice for Peace
(13,141 posts)??
Bosonic
(3,746 posts)Voice for Peace
(13,141 posts)there's an option to enable Java or not.. we'll see
KareBear
(192 posts)Voice for Peace
(13,141 posts)FreeBC
(403 posts)What's the difference here?
"Zero day" just means that it's new, so there's no patch yet.
enlightenment
(8,830 posts)go to articles posted in August of 2012.
Is this new? If so, why are all the links going to old information?
muriel_volestrangler
(101,316 posts)This is the bit that's new: http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
enlightenment
(8,830 posts)B*gger. Our LMS (online course provider) requires Java to operate and the semester starts in a week and a half (and of course my classes are far from ready to launch).
Guess I need to actually start using NoScript in a serious way.
I have the flu. I do not want to deal with this right now.
*whinge, moan, complain*
cbrer
(1,831 posts)pscot
(21,024 posts)Xithras
(16,191 posts)Reveton has been around a while, and it's more of a pain in the ass than a real danger. Basically, it locks your computer up tight, prevents you from accessing your files, and pastes a nasty message on screen that prevents you from clicking or opening anything. The message usually carries some variant of a message claiming that your PC has child pornography, pirated files, or something like that on it. It tells you that you've been fined a small amount (usually a few hundred dollars), and that if you wire your "fine" to the FBI, they'll send you an unlock code to give you access to your computer again. Luckily, most newbie techs can remove it in about 30 minutes anyway.
It goes without saying that the money doesn't go to the FBI, and you'll never get that unlock code.
Reveton itself doesn't pull your data or invade your privacy, but simply tries to scam you out of money. Thing is, Reveton COULD easily do anything it wanted, as it ends up controlling your system. It doesn't do so simply because that's not the scam they're running. If they change the scam, or if another outfit uses the exploit for something else, the your personal privacy can go out the window in a heartbeat. That's why it's a danger.
By the way, what this article DOESN'T mention is that Reveton is primarily distributed through shady eastern European porn sites. They'll put up a "free gallery" site, link it into a western Gallery Post site (basically, sites where other porn sites advertise themselves to get traffic) and lure unsuspecting clickers in (a browser can't tell the difference between an American and Russian .com site). Someone comes in, looks at an image or two, and the virus installs itself and locks the computer down.
If you don't browse random free porn sites and don't click anonymous links in emails, the odds of you getting this virus are actually very low.
CountAllVotes
(20,870 posts)But damn, my ThinkPad has this on it.
I'm on my desktop now and it is ok however.
BUT, I'm screwed as I use the ThinkPad 99% of the time.
Ran SuperAntiSpyware, now got a virus check going, have cleared caches, etc.
ThinkPad is major messed up. Why? I don't know.
pscot
(21,024 posts)Earth Bound Misfit
(3,554 posts)FYI if you're interested: a detailed analysis of this latest exploit:
http://joe4security.blogspot.com/
http://www.joesecurity.org/reports/report-237f8ffc0c24191c5bb7bd9099802ee4.html
This is actually 2 bugs in 1 (http://www.kb.cert.org/vuls/id/625617)
The miscreants found a way around the previous Oracle "patch" (October '12) of a bug reported in Aug '12:
http://www.kb.cert.org/vuls/id/636312#solution
MynameisBlarney
(2,979 posts)Luckily, mine is disabled.
sendero
(28,552 posts).... it does not discuss the implications of turning off Java, it acts like it is like turning off a toaster.
Jim Lane
(11,175 posts)Does it mean that some of my programs will fail to run? which ones? Can I still use a browser to read email and surf DU?
RebelOne
(30,947 posts)I am reluctant to turn off my Java because I play many games on Pogo.com that require Java.
Jim Lane
(11,175 posts)If you download and install the game's own software, and play the game by clicking on the resulting icon on your desktop, then I'm guessing you're safe (unless the game's developers are crooked or incompetent). I ask because I play such a game.
Alas, I'm only guessing here. I'd welcome clarification from someone who actually knows this area.
Turborama
(22,109 posts)So DU does lose some of it's functionality.
defacto7
(13,485 posts)You may not be able to see some videos, some sites will be skewed a bit, others will not allow you to make comments or use buttons. It just depends on the site. A lot of comment, news and blogging sites are full of java.
Squinch
(50,949 posts)marble falls
(57,083 posts)my virus/malware protections upgraded. I also know that I need Java. I am a computer truck driver. I know what a super charger is and does but I cannot tear one down. Compound that with dyslexia. I would rather contact Oracle and download a patch. Is this possible yet?
I wondered why I got an extra jelping of phishing junk mail today. Thanks and help.......
pam4water
(2,916 posts)Until the security hole gets patched. It looks like you have to click on a malicious link before you can get affected.
FreeBC
(403 posts)kestrel91316
(51,666 posts)Ratty
(2,100 posts)I'm a java programmer and I've had java turned off in my browsers for years. I have never missed it. Couple that with the fact that nowdays when you try and update Java, Oracle tries to cram new toolbars and crapware onto your machine. No thank you.
It started with the fact that Java was annoying. A lot of web sites started using it for distracting animated ads (the same reason I use flashblock nowdays). I turned it off as an experiment and was delighted to discover I never missed it.
Seriously. Turn it off, don't worry about it. You won't miss it.
kestrel91316
(51,666 posts)That's a WIN for declining short-term memory.
defacto7
(13,485 posts)there a lot of stuff on sites that don't work without it. One good thing is that turning it off stops the hated quantserve hangs. Ad software use java applets and most info seeking pests.
I turn it on and off all the time... (Firefox)
RebelOne
(30,947 posts)kestrel91316
(51,666 posts)RebelOne
(30,947 posts)SCVDem
(5,103 posts)which has a shred of credibility.
No links or attribution.
Sounds like Fox and a fear campaign!
defacto7
(13,485 posts)post #8
freeplessinseattle
(3,508 posts)My pc had been acting funny and even just shutting off with some pics and animation, and I tried all kinds of diagnostics but no answer. Reinstalling adobe didn't help, either, now I know why, and when I reinstalled windows it took 5 frickin' tries-kept shutting off right when it went from "preparing installion" to "installing".
Fortunately I can read DU from my phone, or I would have really been tearing my hair out.
left on green only
(1,484 posts)Today I received an Adobe Reader Update notification prompting me to click on and install update 10.1.4. Does anyone know if this update in any way relates to the Java issue? Many thanks in advance for enlightening me.
66 dmhlt
(1,941 posts)Although a lot of people prefer the FREE Foxit Reader over Adobe because it's smaller, faster and a LOT less intrusive
http://download.cnet.com/Foxit-Reader/3000-10743_4-10313206.html
http://www.pcmag.com/article2/0,2817,2401826,00.asp
http://www.pcworld.com/article/256310/use_foxit_reader_to_fill_out_pdf_forms.html
left on green only
(1,484 posts)dixiegrrrrl
(60,010 posts)And my Linux default opens pdf via Document reader.
So I am able to by pass Adobe most of the time.
Coyotl
(15,262 posts)I'm in the habit of not using pop-up windows to update anything. My preference require a prompt for some updates, but I go to the domains directly when I do it manually.
left on green only
(1,484 posts)As it turned out, your exact thought had occurred to me on my own, almost immediately after I clicked on the "Adobe" pop-up window. So very soon afterwards, I went and used the "revert computer back to an earlier time" function and back tracked by one day. Immediately after I did that, the Adobe update icon appeared again in my bottom tray. So I am guessing that my reversal was a success.
You'd think I would have learned by now. All of a sudden I remembered back to a while ago when I began receiving a ton of pop up windows from Yahoo (whose mail service I use) telling me to click on their pop-up to download the latest "update" from Firefox. At that time, it occurred to me to ask myself, "Why is Yahoo repeatedly sending me pop-ups to download an improvement for the software of someone else?" So I went right to the Firefox site and verified that I was already running the latest version of their software.
My conclusion was that Yahoo was trying to fool me into downloading something that would permit them to cram more of their frigging advertising down my throat.
From now on, I will never download a software update again, unless it comes directly from the internet site of the owner of that software.
dixiegrrrrl
(60,010 posts)I can choose to enable the pop up if I really need it, rarely have to tho.
steve2470
(37,457 posts)Published On :Fri, Jan 11,2013
http://www.ciol.com/ciol/news/157842/experts-advice-disabling-java-browser-plugin
MineralMan
(146,308 posts)the display of the reply post title list when you click the "Replies to me" numbers in My Posts. I haven't found anything else that doesn't work, yet, after disabling it in Chrome.
DeschutesRiver
(2,354 posts)Took me a minute to understand what was happening, as I have dialup and there are lots of times I try to respond to things, but can't because it has slowed everything online to a crawl.
This time I remembered, turned the java back on and immediately could accept the jury summons.
bananas
(27,509 posts)They're different.
DU uses javascript, but I don't think it uses Java at all.
DeschutesRiver
(2,354 posts)After reading another post, I enabled my javascript again.
Then I checked at Java.com and there was no Java found. I am computer illiterate, fact. But now I sort of know a little bit of something that I didn't know before, so it's all good
Bosonic
(3,746 posts)(Reuters) - The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web.
Hackers have figured out how to exploit Java to install malicious software enabling them to commit crimes ranging from identity theft to making an infected computer part of an ad-hoc network of computers that can be used to attack websites.
"We are currently unaware of a practical solution to this problem," the Department of Homeland Security's Computer Emergency Readiness Team said in a posting on its website late on Thursday.
"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," the agency said. "To defend against this and future Java vulnerabilities, disable Java in Web browsers."
http://www.reuters.com/article/2013/01/11/us-java-security-idUSBRE90A0S320130111
ellenfl
(8,660 posts)i use forefox. can i just enable/disable when needed?
There is a plugins sections of the addons page which lets you enable/disable java...
dixiegrrrrl
(60,010 posts)"Edit" > "preferences"> " content" where you will find an "enable Java Script" box to uncheck.
fast and easy to re-check it for things you really need.
I have it off almost all the time.
Bosonic
(3,746 posts)two different things.
dixiegrrrrl
(60,010 posts)sorry.....
meow2u3
(24,764 posts)I run Firefox and checked my add-ons tab. When I clicked on plug-ins, I found out that Firefox blocked Java until a fix is available because it's vulnerable. I have to play Pogo on IE9--the only time I'm using IE.
RainDog
(28,784 posts)For the last month, whenever I click on (most) pages to read something while using Firefox, I get a drop down box that says "Java script error" and something about syntax, with an "ok" button to click.
I have to click this button, sometimes six times in a row, to unfreeze Firefox. I can't make this stop happening.
As a result, I'm using Chrome more and more.
Does this happen to anyone else?
Xithras
(16,191 posts)I'm seeing a lot of comments about lost functionality here that sounds like people are disabling Javascript. In spite of the similar names, they two are NOT the same technology. More importantly, if you turn off Javascript, or simply disable scripting, it will NOT disable Java, which means that your computer will still be vulnerable to the virus.
Also, everyone should be aware that many modern antivirus applications are ALREADY blocking this exploit. I'm running the latest TrendMicro patch, which already has protections in place for this virus. If you have antivirus software in place, I would suggest that you check their site and update it FIRST. You may only need to get a definitions update to protect yourself.
If not, here's how you block the virus on Windows....
IE9: Gear Icon > Internet Options > Programs > Mange AddOns. Click on the Java Helper from Sun Microsystems, and click the Disable button.
Chrome: No need to disable anything. Chrome disables Java by default. Whenever a page wants to use it, Chrome will ask you whether you want to permit it. Just say NO until this problem is patched.
Firefox: Firefox > Add Ons. Click the Plugins tab. Find the Java Platform plugin, and click the Disable button.
Mac Users: Yes, you're vulnerable. The exploit is currently only being used to distribute the Reveton virus to PC's, but they could potentially release a virus for the Mac at any time. Unless you need Java for something, there's no reason to leave your computer exposed. Firefox and Chrome instructions are the same as the PC.
To disable Java on Safari, click Safari > Preferences. Click the Security button, and uncheck the Enable Java checkbox.
CountAllVotes
(20,870 posts)not sure how f'd up I am yet from this damned thing!
DeschutesRiver
(2,354 posts)and-justice-for-all
(14,765 posts)CountAllVotes
(20,870 posts)I think I got "it".
Have disabled Java running SuperAntispyware.
Laptop was trying to run a wireless connection but I have a DSL connection.
OH WHAT A MESS!!!!!
Updated Firefox ... Fu ... KKKKKKK!!!!
nc4bo
(17,651 posts)I disabled my Java crap a long time ago but will certainly pass the word!
AverageJoe90
(10,745 posts)Eugene
(61,894 posts)Source: Reuters
By Jim Finkle
BOSTON | Sat Jan 12, 2013 1:15pm EST
(Reuters) - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs.
"A fix will be available shortly," the company said in a statement released late on Friday.
Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.
The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making an infected computer part of an ad-hoc computer network that can be used to attack websites.
[font size=1]-snip-[/font]
Read more: http://www.reuters.com/article/2013/01/12/us-usa-java-security-idUSBRE90B0EX20130112