[LINK] Security problems with Java in browsers

Robin Whittle rw at firstpr.com.au
Tue Sep 18 01:16:37 AEST 2012


It looks like it might be a good idea to turn off Java applets (not
JavaScript) in browsers, on Windows, Linux and Mac, due to a spate of
problems in recent weeks:


https://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/

Here is how to disable Java for Firefox, Safari, Chrome, Opera and MSIE
(looks really complex):

  http://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/

  http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets

Unless there is a clear need for it, it may be easier to uninstall Java
from the computer entirely.

Oracle released a version which apparently fixes the vulnerability:


http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

  http://www.theregister.co.uk/2012/09/06/apple_java_update/

but it was not clear to me whether or not the version installed on my
Windows XP machines here (1.6.0_35, via Control Panel > Java > Java >
View) fixes the vulnerability.  Since the vulnerability was reported to
Oracle in April, and only fixed in late August after it was widely
exploited:

  http://www.theregister.co.uk/2012/08/22/malware_crisis/

this doesn't inspire confidence in enabling Java at all in web browsers.
How would I know when it is "safe" to enable it?  I haven't figured
this out.  It is never entirely safe to run any Internet-capable
software.

Clicking the "Update Now" button in Control Panel > Java > Update told
me that I can use it to install Java 7 update 07.  But when I did so (I
only run Windows XP) the window identified itself as "Java 6 Update 33".
Once this was done, the View button led to a display of "1.7.0_07".
I guess this version fixes the vulnerability:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

which has caused the recent trouble.  When I rebooted Firefox, Tools >
Add-ons > Plugins indicated that "Java(TM) Platform SE 7 U7 10.7.2.11"
was enabled.  I disabled it in Firefox and other browsers I occasionally
use.  (I use Java on one machine for the cross-platform shareware eBay
bidding program JBidwatcher.)

The Java vulnerability has been a hot topic in the last three weeks:

  http://www.google.com/search?q=%22disable+Java%22

  http://thenextweb.com/apps/2012/08/28/security-companies-you-disable-java-just-uninstall/


This is how difficult it can be to remove the ZeroAccess rootkit, which
is one of the items of malware being installed via the Java vulnerability.

  http://www.theregister.co.uk/2012/09/03/java_cleanup/

I guess these vulnerabilities may be beyond the capacity of anti-virus
programs.  I run a well-known commercial antivirus program not because I
think it offers complete protection, but because I guess it provides
more protection than I could achieve myself without devoting myself
full-time to computer security.  It frequently announces it is busy
doing things, and sometimes declares downloaded files as "safe", but it
hasn't made a bleat about the PC running a vulnerable version of Java
and having it enabled in my primary browser.

 - Robin
