  1. #1
    ΜΟΛΩΝ ΛΑΒΕ no1_vern's Avatar
    Join Date
    Apr 2002
    Location
    Albany, Ga.
    Posts
    18,479

    Disable JAVA Now - 0-day exploit hits web

     
    Disable Java NOW, users told, as 0-day exploit hits web • The Register

    All operating systems, browsers vulnerable
    By Neil McAllister in San Francisco

    Posted in Security, 27th August 2012 23:42 GMT

    A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

    The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

    The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.

    In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.
    Disabling Java immediately is strongly encouraged!

    In Firefox: Press Firefox button -> Add-ons, go to Plugins and click the "Disable" button next to anything named "Java".
    In Chrome: Type in: "chrome://plugins/" into the address bar (no speech marks). Scroll down to Java and click disable.
    In Opera: Type in "opera:plugins" into the address bar (no speech marks). Scroll down to:
    Java(TM) Platform <click on> Disable.
    Java Deployment Toolkit <click on> Disable.

    EDIT:

    I do not have to disable javascript, just JAVA.
    Last edited by no1_vern; August 28th, 2012 at 12:02 PM.
    They say technology slows down for no one. I know it outruns my wallet. I figure it's because my wallet isn't light enough yet.

    TechIMO Folding@home Team #111 - Crunching for the cure!
    dulce bellum inexpertis

  2. #2
    PC Upgrade Procrastinator ShyguyXPC's Avatar
    Join Date
    Sep 2004
    Location
    Minnesota
    Posts
    17,361
    Good for me, seems I never reinstalled Java in the form of plugins or add-ons for Chrome or FF, looked and it's not present.

    Looked through Task Manager for anything Java or Oracle related, nothing. Short of going through the registry, looks like I never reinstalled it after my OS reinstall a few months ago.



    Another related article I just saw over at XPC posted by their news bot.

    Unpatched Java vulnerability exploited in targeted attacks, researchers say
    Last edited by ShyguyXPC; August 28th, 2012 at 12:10 PM.
    i7 940//Corsair H60//EVGA X58 SLI LE//6GB Corsair Vengeance 1600MHz//2x EVGA GTX 560 Ti FPB SLI//NZXT Hale82 850W//CM 690 II Advanced//Win7 64//WD 74GB V-raptor, 750GB Black, 1.5TB Green


  3. #3
    Super Stealthy Moderator RicheemxX's Avatar
    Join Date
    Jan 2003
    Location
    Outside the box
    Posts
    8,489
    Blog Entries
    4
    Here is a quick easy detection site to see if you have java enabled or not

    Is Java Exploitable? powered by Rapid7

    I had it running, they still use it on a few sites I visit so I had to reinstall it after the last exploit popped up.

    Most places say disable it, I'm just going to go ahead and remove it for now. Oracle is usually pretty quick on updates so if you need it down the road you can always re-install it once they get it patched.

    BTW - JavaScript and JAVA are two entirely different things (just sayin)

    “Because The People Who Are Crazy Enough To Think They Can Change The World, Are The Ones Who Do.”

  4. #4
    PC Upgrade Procrastinator ShyguyXPC's Avatar
    Join Date
    Sep 2004
    Location
    Minnesota
    Posts
    17,361
    yep, disabled on my end, and not installed.

    Thanks for the link Rich, will add it to my FB postings of this, for those that even read them. LOL

  5. #5
    Super Stealthy Moderator RicheemxX's Avatar
    Join Date
    Jan 2003
    Location
    Outside the box
    Posts
    8,489
    Blog Entries
    4
    You can go directly to the Java site as well: "How do I test whether Java is working on my computer?" - but that only tells you if it's working and not if it's the affected version.

    I guess Oracle's next update isn't until Oct so unless they release an emergency patch it might be a bit of a wait. Guess I won't be playing any browser based java games for now
    Last edited by RicheemxX; August 28th, 2012 at 01:53 PM.


  6. #6
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,059
    From what I heard, Oracle only updates 3 times a year, and the next is October, as Rich posted.
    Hard Sayin Not Knowin

  7. #7
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,059
    Probably a stupid question, but one of my 7 machines had Java in "Add and Remove Programs".

    I removed it, but was it the same thing??
    Last edited by stroyal; August 31st, 2012 at 12:13 AM.

  8. #8
    Super Stealthy Moderator RicheemxX's Avatar
    Join Date
    Jan 2003
    Location
    Outside the box
    Posts
    8,489
    Blog Entries
    4
    Yeah Java is added as a program in the add-remove box. If you uninstalled it then as with any other program it should be gone. That is what I did for now as I couldn't get it to turn off in IE and figured since it's disabled I might as well not even have it on the computer anymore.

    JavaScript, which is often confused with being part of Java, really has nothing to do with it. JavaScript is a markup language that is found in HTML and runs from your browser. Java is a standalone programming language that has to run from within the Java application.


  9. #9
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,059
    So the one in Add and Remove programs, was for IE.

    I was surprised, none of my XP machines had Java anyplace, and my Win7 laptop had it in both places.
    Ubuntu was clean also.

    I knew Java script was different, but I can't say I know much more about either.

  10. #10
    Super Stealthy Moderator RicheemxX's Avatar
    Join Date
    Jan 2003
    Location
    Outside the box
    Posts
    8,489
    Blog Entries
    4
    The Java program is for the entire PC; it doesn't matter which browser you are using, it opens up the program itself. So uninstalling it removes it as an option for everything. But FF, Chrome, etc. make it easy (or easier) to turn it off or on. For me IE was the only one making it a PITA.


  11. #11
    Ultimate Member CERuppel's Avatar
    Join Date
    Oct 2001
    Location
    Michigan, USA
    Posts
    1,419
    I just saw this?!?

    Man, those must have been some goooood meds...

    Thank you, Vern.

    PS: Firefox Add-On Updater (link off of the Add-Ons settings page) immediately offered me a "New" version of Java... I know I got the script installed, and I had just un-installed Java, so I thought "OK, just need to restart and everything will be nice". I am more out of touch than I knew, because of course Firefox is still offering me a "New" Java... Just sort of FYI, and wanted to know if anyone else had noticed this.

  12. #12
    Super Stealthy Moderator RicheemxX's Avatar
    Join Date
    Jan 2003
    Location
    Outside the box
    Posts
    8,489
    Blog Entries
    4
    Looks like they released a new patch today, not sure how I missed that news.
    Oracle patches Java 7 vulnerability | MacFixIt - CNET Reviews


  13. #13
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,059
    They deviated from their schedule?

    I guess I'll wait till I need it.

  14. #14
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,059
    There are 4 Ubuntu updates with Java in the name.
    2 are NetX, and the other 2 are web browser plugins.

  15. #15
    I Void Warranties KarmaKiller's Avatar
    Join Date
    Feb 2007
    Location
    Springfield
    Posts
    13,484
    Blog Entries
    5
    They released a patch to fix this, but the patch already has been picked apart and they still left some gaping security holes in it.. =\
    Here we go again: Critical flaw found in just-patched Java • The Register
    Q6600@4Ghz | i7 920@4.4Ghz |E6320@3.5Ghz
