Disable or Update Java now!

[Baydestrian]

Was going through the deleted emails on my work computer and found this one from the IT department here:

Late last week, computer security companies, the Department of Homeland Security, and many news outlets reported a serious security flaw in Oracle's Java software. This flaw allows a compromised website to take full control of your machine, typically to install and run malware. There is good evidence that the flaw is being actively exploited. Macs and PC’s are equally vulnerable. The DHS statement is here: http://www.kb.cert.org/vuls/id/625617.

Currently, the best defense against this flaw is to disable Java in all web browsers. Although Oracle released a patch for the issue yesterday, DHS and many computer security companies recommend that even with the update installed, Java should be disabled unless absolutely necessary.

Exponent IT recommends that Exponent employees take the following steps to reduce your exposure to this security flaw:

1. If Java is installed on your machine, disable it in all web browsers you use to access the internet. The following URL describes the steps needed for the most popular web browsers:

http://howto.cnet.co...ome-and-safari/

Please note, if the Java plug-in settings described in the URL are not available in your web browsers, this means that Java is not installed and your machine is not at risk for this flaw.

2. If websites that you visit require Java, please use one of the following methods to protect yourself against the security flaw while continuing to use Java:

a. Update the version of Java installed on your machine to Version 7, update 11. Update instructions for most installations:

i. Windows: Open the Java Control Panel. Go to the Update tab and select Update Now.

ii. Mac: Open System Preferences, Java. Go to the Update tab and select Update Now.

b. Enable Java in a web browser that is used only to access known sites which require Java. Use another browser, with Java disabled, to access all other sites.

[WastedTalent]

Odd, just the other day, I went to update java as it said there was an update. I hit update and it told me I had the most current version. And my ANT video downloader wouldn't work so I got something else. But I only use that computer for stupid things and nothing important. Use another computer without java for the important stuff such as paying bills.

Thanks for the heads up man.

[audiofanaticz]

I just spent a couple hours fixing my moms and dads pc's 2 days ago. Also updated java to version 7 update 9, then yesterday i did update 10. and Im sure ill have to update them again since its now on update 11...

Wish disabling java was easy, but its needed to play the Pogo games they play and theres no other solution besides using java... so your pretty much fucked!

Oracle brags about how 3billion phones run java, and miscellaneous other items, but yet they have a flawed or at risk software every month it seems... They need to get their shit together its getting annoying.

[BassBomb™]

this isn't a big deal, it happens often we just don't hear about it often.

these exploits stay hidden for long before released or discovered, at that stage they are called 0-day exploits.

and there are probably a thousand other critical vulnerabilities that exist at this very moment and nobody knows.

the only problem is the second the exploit module gets released thousands of script kiddies get hold of it and it gets blown out of proportion by media and Java shits themselves.

This exact thing happened just a few months ago with java. allowing an applet to bypass permissions and execute what ever it wants silently.

just from visiting the website.

and an update was released and that's that.

So just update java.

[Raptorman]

Not a big deal. If you know how to surf the interwebs, you'll be fine. It's actually pretty tough to get a virus if you are safe while browsing.

[n8ball2013]

this isn't a big deal, it happens often we just don't hear about it often.

these exploits stay hidden for long before released or discovered, at that stage they are called 0-day exploits.

and there are probably a thousand other critical vulnerabilities that exist at this very moment and nobody knows.

the only problem is the second the exploit module gets released thousands of script kiddies get hold of it and it gets blown out of proportion by media and Java shits themselves.

This exact thing happened just a few months ago with java. allowing an applet to bypass permissions and execute what ever it wants silently.

just from visiting the website.

and an update was released and that's that.

So just update java.

exactly Microsoft just released one as well. Nobody knew about the out of band microsoft patch though did they?

Heres the way its exploited

By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system. Note that applications that use the Internet Explorer web content rendering components, such as Microsoft Office or Windows Desktop Search, may also be used as an attack vector for this vulnerability.

so it requires user interaction. Remember if it looks funny it probably is.

[dog24fret]

So other than virus type of protections. How or what are other ways to protect your computer from attacker programs and so forth? I constantly get Microsoft and java updates they drive me nutty. I just thought some of them were a waste of space. I guess not.

[BassBomb™]

So other than virus type of protections. How or what are other ways to protect your computer from attacker programs and so forth? I constantly get Microsoft and java updates they drive me nutty. I just thought some of them were a waste of space. I guess not.

well Microsoft updates are sometimes important.

Just keep java up to date.

Have good AV installed.

and for an extra measure if you are skeptical about visiting a website run your browser inside Sandboxie.

This will basically not allow the browser or anything running in the browser to touch your PC.

it's all virtualized inside the sandbox and any changes made to your PC while its running in the sandbox will not be permanent and only exist inside the sandbox.

IE: you download a song.

That song will be in the sandbox and you cant see it from windows unless you explore the sandbox..

IE: Harmful exploit gets executed from the browser that deletes your System Files..

Those system files will be deleted inside the sandbox and not actually deleted from your PC.

Note: software ran in Sandboxie can still read from memory / Hard Drive so it doesn't protect your information from being stolen or compromised like passwords.

Bit it does prevent damage to your PC 100%

[Baydestrian]

Oh trust me I know about safe browsing, been years since I got a virus *knock on wood*. This is more so for you guys to see and help out ppl who may not be as interweb savvy, like my parents