Java: Red Alert

[Skybird]

Once again.

As some of you may have noted, Java currently is in big troubles this year (was there ever a time when it wasn't?).

The recent update 7 for Java 7, just some days ago, was meant to close some of the security holes (not all) reported to Oracle by some Polish programmer in Spring this year. The problem, both the update to Java 7 and the update 7 for Java7 bring troubles of their own. The same guy has filed another report now, indicating that there alraedy is an exploit possible to simply switch off the Java-inbuilt sandbox, and breaking out that way. In other words Oracle has done a stinking brown mess of a job. Reports from IT-magazines say this exploit already is in use now and is spreading rapidly. First links of this exploiut with malware code have been detected - even for the update 07 which has been released just days ago. A test done by a German lab showed that only 9 of the tested 22 security software suits were able to identify and block it - which is what this Polish programmer has predicted, saying that antivirus and malware scanner will find it extremely difficult to find these new exploits.

There is currently only one reasonable option. As uncomfortable as it is: if you haven't already deactivated Java, do it now. For Windows-Explorer users this means that you have to uninstall it, AFAIK it cannot be just switched off. The Javascript entry that you find in the security settings of Explorer, is something totally different from Java, don'T assume you did deactivate Java when unticking that one.

You should be able to find articles on this easily via google, I had it all from German magazinse and blogs, so it is little use for most people to link to these. But the web is full of it, really. Check for something like zero-day exploit Java7 update 7, or limit search to timestamps not older than one day or one week.

Microsoft has never cared to carefully implement Java into Windows. That'S why Java is a total mess since so many years. It is a big drama that Java is so omnipresent nevertheless.

Surfing without Java will make a visible effect on your surfing experience - you have been advised. The risk-benefit-assessment is up to you. Just take into account that if you compromise your system, you also compromise the system of others with whom your system makes contact via the web.

[Skybird]

BASTARDS...!

http://www.theregister.co.uk/2012/08...w_about_flaws/

[the_tyrant]

.net for the win!

[Karle94]

Is it okay if you have Java 6 like me?

[kraznyi_oktjabr]

Quote:

Originally Posted by Karle94

Is it okay if you have Java 6 like me?

CERT-FI (finnish information safety authority) warned only about Java 7, but same patch meant for Java 7 is also used for Java 6. I don't know differences between 6 and 7 so I personally wouldn't take risk. I'm not sure was it CERT-FI or F-Secure who suggested that if you really have to use Java, install it to one browser (say IE) and when you do not need it use another browser without it (like Firefox).

[Skybird]

Java 6 is compromised.

Java 7 was meant to close it's holes, but it did that only for some of them. And added new exploits.

Java is maintained very badly by Oracle, it seems, you can see that when somtimes updating from an old version of Java, say Java 5, to newer version, say Java 6, version 6 does not replace and overwritte version 5, but leaves it intact. While your system then runs with Java 6, and gets all the updates for Java 6, it fporgets to care for Java 5 with all the open holes in there. And you the user are not even aware of that security hole. This is where manual inspection of your system or PSI (more on that down below) help. You do not need two versions of Java parallel to each other, only one, and ideally it should be the latest version. At least AFAIK. It does ot compare to certain Microsoft packages of which you may need different versions, one for each of any depending software like Office, and others.

In Germany, even the German Federal Police has strongly advised to switch off Java for the time being. Note that Explorer users cannot rely on the various recipes circling on the web to "deactivate" it like I read it is possible in other browsers via switches. If you want to be sure, you must reinstall it. These recipes do not even work for every system - that should give you a hint.

Deinstalling is easy via Windows Software screen. If later you need to reinstall it, it is also no problem and is done in a minute, automatically. So, no big deal. Check your browser addons that all Java addons there are deactivated and deleted, too. They can still be there, working, even after you deinstalled Java.

Do not mistake Java and Javascript.

---

Haplo, I finally figured out the sandbox thing, and got it configured. It all gets deleted now automatically when I close the sandboxed browser. I owe you one for pushing my view to that direction.

---

Some general ideas that I followed myself.

Run your internet browsing from a separated, password-protected account which has no adminsitrator rights. That and UAC then helps to contain the infection to that account'S rights - maybe. It is also recommended to use an administrator'S account only for installing software. All other activity should be done via a user account.

Note that the Windows defaultz account is labelled as adminsitrator - but does not have full adminsitrator'S rights. These must be unlocked in hidden options. Usually, this should not be necessary.

Use Secunia PSI (Private Software Inspector) to be sure that your software is always up to date. PSI compares your installed software with a databse at Secunia where they constantly update the version status of all software they support in that library. So PSI does not help with software not in that database. But it definitely does a great job in informing you on outdated software that is easy to forget to check, and sometimes even informs you on software updates that even Windows Updates do not mention. I had that case just yesterdays with Microsoft MSXML 4 or 6. The Windows Update page did not mention it at all. I clicked on the alarm from within Secunia, got an update from some x.20 to x.30 installed, and PSI was happy again.

Malwarebyte'S Antimalware has a very good reputation on the web for scanning out the nasty stuff that antivirus scanners often does not catch. Considering it is free, but thre active scanner is fully implemented, this is a must-have tool. Update must be downloaded manually as long as you do not use the payware version. The tool is great for quickly doing a quick file or system scan, I do it by routine every day when shutting down the system for bedtime, costs only a minute.

Use a sandbox. I found Sandboxie here: www.sandboxie.com. It is easy to use and seems to have a good reputation. When you use it, you can go with almost the default settings. Only two things you must remember: you must configure your email porogram manually in its options, and you must manually activate the option that the sandbox gets deleted every time it is being closed (you close browser or email program).

Be choosy on when and where to let run ActiveX scripts.

Never feel totally safe. You aren't.

[CaptainHaplo]

Quote:

Originally Posted by Skybird

Haplo, I finally figured out the sandbox thing, and got it configured.

Glad you did! Sandboxes save a lot of work! Good info here for most folks.

The issue is that Java is used in both the business world and by the private individual. Oracle makes money off of the business world - so they have a "patch" schedule and priority system for issues that accomodates their revenue stream. Because of this - the private individual - who pays nothing for Java - does not get the support they would like.

Its a two edged sword. Being in IT, I see both sides. I can't blame them for focusing on exploits that would "get through" most secured business networks, at the expense of those who don't help them survive as a company. Yet one has to wonder - do they realize the damage they are doing to their brand because of that? Business planners are not immune to public perception....

[Skybird]

Haplo,

a question for you. Is it possible to form an account under Windows 7 and have Java installed for it and this account exclusively, not being active in any other?

The situation is this. I had recommended friends with little kids a game, Settlers of Catan which I also liked myself. The PC version they got is nice, but is programmed in Java. I advice the husband on his system a bit, he is not too fit with computers (neither am I... ), I gave him the warning ion java and the advise on sandboxing his system, too, like I did for myself. No the kids this afternoon found out that Catan was gone, and you can imagine: big noise broke out when the game was not running anymore.

My idea is to have a separate "Catan" account and Java installed there exlusively. But i do not know if that is possible, to have Java limited to that account exclusively.

Can it be done, and safely?

[Chad]

Oy, *headache*..

I'm actually a Java developer who's slowly weaning away and going .NET. This may speed things up a bit

[MH]

Dual boot would be good solution here.

[Skybird]

Quote:

Originally Posted by MH

Dual boot would be good solution here.

You mean in reply to my question above? I never have installed a dual boot system. Can it be done afterwards, I mean after you have installed, and partitioned all HD space?

What about an external drive?

If Java is installed in such a different boot installation, can any possible infection not jump to the other boot installation as well? I mean there is no physial separation between both when they are on the same HD, or two drives are connected to the same mainboard. By instinct I do not trust separations that are not physical.

P.S. And wouldn't he need a second Windows registration code - one for each installation...!?

[the_tyrant]

Just to add something, it is completely possible to have multiple versions of java installed on your system at the same time.

Please make sure you have *0* old versions installed