[LINK] Security problems with Java in browsers
Robin Whittle
rw at firstpr.com.au
Tue Sep 18 01:16:37 AEST 2012
It looks like it might be a good idea to turn off Java applets (not
javascript) in browsers, on Windows, Linux and Mac, due to a spate of
problems in recent weeks:
https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/
Here is how to disable Java for Firefox, Safari, Chrome, Opera and MSIE
(looks really complex):
http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/
http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
Unless there is a clear need for it, it may be easier to uninstall Java
from the computer entirely.
Oracle released a version which apparently fixes the vulnerability:
http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/
http://www.theregister.co.uk/2012/09/06/apple_java_update/
but it was not clear to me whether or not the version installed on my
Windows XP machines here (1.6.0_35, via Control Panel > Java > Java >
View) fixes the vulnerability. Since the vulnerability was reported to
Oracle in April, and only fixed in late August after it was widely
exploited:
http://www.theregister.co.uk/2012/08/22/malware_crisis/
this doesn't inspire confidence in enabling Java at all in web browsers.
How would I know when it is "safe" to enable it? I haven't figured
this out. It is never entirely safe to run any Internet-capable
software.
Clicking the "Update Now" button in Control Panel > Java > Update told
me that I can use it to install Java 7 update 07. But when I did so (I
only run Windows XP) the window identified itself as "Java 6 Update 33".
Once this was done, the View button led to a display of "1.7.0_07".
I guess this version fixes the vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
which has caused the recent trouble. When I rebooted Firefox, Tools >
Addons > Plugins indicated that "Java(TM) Platform SE 7 U7 10.7.2.11"
was enabled. I disabled it in Firefox and other browsers I occasionally
use. (I use Java on one machine for the cross-platform shareware eBay
bidding program JBidwatcher.)
The Java vulnerability has been a hot topic in the last three weeks:
http://www.google.com/search?q=%22disable+Java%22
http://thenextweb.com/apps/2012/08/28/security-companies-you-disable-java-just-uninstall/
This is how difficult it can be to remove the ZeroAccess rootkit, which
is one of the items of malware being installed via the Java vulnerability.
http://www.theregister.co.uk/2012/09/03/java_cleanup/
I guess these vulnerabilities may be beyond the capacity of anti-virus
programs. I run a well-known commercial antivirus program not because I
think it offers complete protection, but because I guess it provides
more protection than I could achieve myself without devoting myself
full-time to computer security. It frequently announces it is busy
doing things, and sometimes declares downloaded files as "safe", but it
hasn't made a bleat about the PC running a vulnerable version of Java
and having it enabled in my primary browser.
- Robin
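As an added example (not part of Robin's post), a small Python check for the question above of whether an installed Java is at the fix level the post names: it parses the version spellings that appear in the post (the "1.7.0_07" control-panel string, the Firefox plugin name "Java(TM) Platform SE 7 U7 ...", and the updater dialog's "Java 7 update 07") and flags enabled browser plugins that are not at or above Java 7 Update 7. The fix-level table and the sample plugin list are assumptions constructed for the example; the Java 6 line is left out of the table because the post does not settle whether 1.6.0_35 carries the fix.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fix level the post identifies for CVE-2012-4681: Java 7 Update 7 (1.7.0_07).
# Keyed by release family. Assumption for this example: only the Java 7 line is
# recorded; extend it from the vendor advisory before relying on it for Java 6.
FIXED_UPDATE = {7: 7}

# Spellings seen in the post: the "1.x.y_nn" string from Control Panel > Java,
# the Firefox plugin name "Java(TM) Platform SE 7 U7 10.7.2.11", and the
# updater dialog wording "Java 7 update 07" / "Java 6 Update 33".
_LEGACY = re.compile(r"^1\.(\d+)\.\d+_(\d+)")
_PLUGIN = re.compile(
    r"Java(?:\(TM\))?\s+(?:Platform\s+SE\s+)?(\d+)\s+U(?:pdate\s+)?(\d+)", re.I
)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update), e.g. (7, 7) for '1.7.0_07'; None if unrecognised."""
    text = text.strip()
    m = _LEGACY.match(text) or _PLUGIN.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def java_status(text: str) -> str:
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "unknown"  # no fix level recorded for this release family
    return "patched" if update >= FIXED_UPDATE[family] else "vulnerable"


def risky_enabled_plugins(plugins: Iterable[Tuple[str, bool]]) -> List[str]:
    """Given (plugin_name, enabled) pairs as shown in a browser's plugin list,
    return the enabled Java plugins that are not known to be at the fix level."""
    return [name for name, enabled in plugins
            if enabled and "java" in name.lower() and java_status(name) != "patched"]


if __name__ == "__main__":
    # Constructed sample of a browser plugin panel, not a real machine's list.
    sample = [("Java(TM) Platform SE 7 U7 10.7.2.11", True),
              ("Shockwave Flash", True),
              ("Java(TM) Platform SE 6 U33", True)]
    print(risky_enabled_plugins(sample))
```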