Zero-day Java exploit in the wild - first attempted patch still vulnerable

momgamer wrote:

The only thing I use Java for is playing Minecraft. I'm going to have to think about this.

Minecraft was the first thing to come to mind for me, I think I'll risk it.

Lovely. Didn't we just go through this with 1.6.29?

How would I add exceptions to the Chrome list?

Like this?

facebook.com
gamerswithjobs.com

(It's amazing how many sites run JavaScript)

edit: in the address bar, there's an icon (scroll crossed in red) you can click to allow Java Script for that site.

Remember that Javascript and Java aren't the same thing. Disabling Javascript is never a bad idea, exactly, but I'm not aware of any Javascript vulnerabilities for a long time, and many sites won't work well if you disable it, anymore. Java, on the other hand, has been rather so-so security-wise, and you very rarely actually need it for anything in the browser.

They're named similarly for marketing reasons... Javascript was just a quick and dirty scripting project that some guy threw together in a few days for an early Netscape browser, and somehow, Netscape managed to convince Sun to let them use the Java name for it. It's one of the all time dumb computing names. It's really ECMAScript, and Java is just, well, Java.

Correct. That Chrome option I showed above is for blocking/whitelisting Java and Flash, not JavaScript.

NotScripts is the Chrome counterpart to Firefox's NoScript for script blocking/whitelisting.

NotScripts is the first thing I install on Chrome, but it's more for things like privacy than security (all those info-aggregating analytics engines never get whitelisted, so they don't get to "track" me) and just to eliminate some of the annoyance of randomly browsing to a heavily script-infested site (many of which are more tolerable when you selectively enable only the main domain's scripting, and not all the other crap they try and pull in). Script blocking like this is a bit further than the average user needs to go, though.

The plugin blocking function in Chrome, however, should be an automatic enable for anyone that's not hopelessly tech-illiterate. If you're the kind of person that reads a Java zero-day exploit thread like this one, you're the kind of person that should have this turned on.

but I'm not aware of any Javascript vulnerabilities for a long time

They still pop up, but they are aggressively patched, especially in Chrome/V8.

The rapid release cycle of Chrome and now Firefox has really done wonders in keeping a large section of the web browsing population safe from vulnerabilities in browsers, except of course for those plugins that are beyond the control of the browser makers.

Thanks for the clarifications, guys. Know that, I did not.

Turns out I never installed Java runtime on my new PC, so I'm in the clear.

Yeah, definitely one of those times when the marketroids screw everyone up for decades. We'll probably still be talking about Javascript when that moron is dead.

Sun's screwup with not nipping that in the bud is a classic textbook example used in trademark law.

I understood that it was done with Sun's explicit permission.

Malor wrote:

I understood that it was done with Sun's explicit permission.

Yes, exactly. They had three choices: ignore it, grant permission, or fight it and they chose poorly. It has and will haunt them forever.

What if a car company tried to name themselves Fordspeed?

ibdoomed wrote:
Malor wrote:

I understood that it was done with Sun's explicit permission.

Yes, exactly. They had three choices: ignore it, grant permission, or fight it and they chose poorly. It has and will haunt them forever.

What if a car company tried to name themselves Fordspeed?

The company and Ford settle it with a multiplayer match of Gran Turismo.

Yay.

http://www.theregister.co.uk/2012/09...

The Register wrote:

Closer inspection of the infection revealed deep network penetration that the installed antivirus applications were completely unable to cope with. The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser. Contrary to early reports that we should only fear Java 7, this beauty crawled in through a fully up-to-date Java 6 browser plugin and installed some friends.

At work I have to use an in-browser Java app to submit sensitive data to a government body. I wonder if anybody over there is paying attention to this.

Had two users get spyware over the long weekend. To put that into perspective, the last time I had to remove spyware from a work system was almost 6 months ago, and because our fiscal year is closing soon, everyone was doing heavy time and expense entry this weekend. I detest that our time entry system requires Java. I'm now drafting a bulletin e-mail telling everyone to update, but the best part? About 50% of the time, updating Java breaks the installation of our time entry system and you have to do several steps, multiple menus deep, in order to fix it. This is going to be a fun few days for my boss and me.

*Legion* wrote:

NotScripts is the first thing I install on Chrome, but it's more for things like privacy than security (all those info-aggregating analytics engines never get whitelisted, so they don't get to "track" me) and just to eliminate some of the annoyance of randomly browsing to a heavily script-infested site (many of which are more tolerable when you selectively enable only the main domain's scripting, and not all the other crap they try and pull in). Script blocking like this is a bit further than the average user needs to go, though.

Have you considered using Ghostery instead of NotScripts? Ghostery handles the analytics blocking, but if you are still looking to block 3rd party scripts on a site, then it's still NotScripts only. I used NotScripts for a while, but eventually stopped using it when I found myself constantly having to select "Allow all temporarily" to get sites working as expected.

avggeek wrote:

I used NotScripts for a while, but eventually stopped using it when I found myself constantly having to select "Allow all temporarily" to get sites working as expected.

In Firefox/NoScript, I have mine set to allow base 2nd level domains and 99% of my browsing 'just works', although I'll admit I've been using it a while and my browsing routine has probably sorted out my allow/block lists a good while ago.

Scratched wrote:
avggeek wrote:

I used NotScripts for a while, but eventually stopped using it when I found myself constantly having to select "Allow all temporarily" to get sites working as expected.

In Firefox/NoScript, I have mine set to allow base 2nd level domains and 99% of my browsing 'just works', although I'll admit I've been using it a while and my browsing routine has probably sorted out my allow/block lists a good while ago.

Isn't the purpose of auto-block and white-listing that you're consciously adding websites, thus being more safe against popups, accidental clicks, ... ?

avggeek wrote:

Have you considered using Ghostery instead of NotScripts? Ghostery handles the analytics blocking, but if you are still looking to block 3rd party scripts on a site, then it's still NotScripts only.

I definitely want more than just analytics blocking. But Ghostery is good.

I used NotScripts for a while, but eventually stopped using it when I found myself constantly having to select "Allow all temporarily" to get sites working as expected.

See, I never click that. A lot of sites pull scripts from similar 3rd party places (CDNs, etc). Once you whitelist those places, the only thing you typically need to whitelist on new sites is the domain itself.

I fully admit that other solutions are better for people who don't insist on such finely-grained control.
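The two posts above (allowing "base 2nd level domains" in NoScript, and whitelisting the CDNs a site pulls from so that only the site's own domain needs allowing later) describe an allow-list matcher. The following is an added example, not code from the thread or from NoScript/NotScripts, that models that logic: an exact-host entry covers one host, a base-domain entry covers the registrable domain and all its subdomains. The public-suffix set is a constructed subset, and all page and script URLs are constructed `example.*` addresses. It also shows the edge case the thread's own Register link (`theregister.co.uk`) raises: a naive "last two labels" rule yields `co.uk`, which would allow every site under that suffix.

```python
"""Model of a NoScript-style script allow-list (added example, not from the thread)."""
from urllib.parse import urlsplit

# Constructed subset of the public suffix list; the real list is far longer.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk"}


def naive_second_level(host: str) -> str:
    """The tempting but wrong rule: keep the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def base_domain(host: str) -> str:
    """Return the registrable ('base 2nd level') domain of a host name.

    Walk labels from the right; the first suffix that is NOT a public suffix
    is the base domain (so www.theregister.co.uk -> theregister.co.uk).
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        if suffix not in PUBLIC_SUFFIXES:
            return suffix
    return host  # the host is itself a public suffix; nothing more specific


class ScriptAllowList:
    """Two kinds of entries: exact hosts (e.g. one CDN host) and base domains."""

    def __init__(self, exact_hosts=(), base_domains=()):
        self.exact_hosts = {h.lower() for h in exact_hosts}
        self.base_domains = {base_domain(d) for d in base_domains}

    def allows(self, script_url: str) -> bool:
        host = (urlsplit(script_url).hostname or "").lower()
        if host in self.exact_hosts:
            return True
        return base_domain(host) in self.base_domains

    def allow_site(self, page_url: str) -> str:
        """The 'allow this site' click: permanently allow the page's base domain."""
        domain = base_domain(urlsplit(page_url).hostname or "")
        self.base_domains.add(domain)
        return domain


def triage(script_urls, allow_list: ScriptAllowList):
    """Split a page's script sources into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for url in script_urls:
        (allowed if allow_list.allows(url) else blocked).append(url)
    return allowed, blocked


# Constructed sample: a forum page that loads its own script, a CDN already
# whitelisted from earlier browsing, and an analytics tracker that never gets in.
SAMPLE_SCRIPTS = [
    "https://www.example.com/forum.js",
    "https://cdn.example.net/jquery.js",
    "https://tracker.example.org/pixel.js",
]


def demo():
    al = ScriptAllowList(exact_hosts=["cdn.example.net"])
    # First visit: only the CDN is known, so the site's own script is blocked.
    before = triage(SAMPLE_SCRIPTS, al)
    # One click to allow the site's base domain, as the posters describe.
    al.allow_site("https://www.example.com/thread/123")
    after = triage(SAMPLE_SCRIPTS, al)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before allowing site:", before)
    print("after allowing site: ", after)
    print("naive rule on a co.uk host:", naive_second_level("www.theregister.co.uk"))
    print("suffix-aware rule:        ", base_domain("www.theregister.co.uk"))
```

The tracker stays blocked in both passes because nothing ever allows `example.org`; that is the privacy effect the earlier post attributes to never whitelisting analytics hosts. The naive rule's `co.uk` result is why a real implementation needs a public suffix list rather than label counting.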

Another one apparently, affecting Java SE 5, 6, and 7, and it can be used through the browser plugin: http://developers.slashdot.org/story...

I have the Java plugins disabled on my browser. However sometimes I will mouse over something on a webpage and the link preview will say "javascript________" etc. NoScript blocks them and if I allow scripts on the page using NoScript these links and objects work again.

That's a little confusing. How does Java stuff run on Firefox if the plugins are deactivated? Do I need to uninstall Java completely?

I don't think you've disabled it properly. In Tools/Addons, I've got the 'Java Deployment Toolkit' disabled, and am also running NoScript. If I go to www.java.com, and click on Do I Have Java?, I see a placeholder applet, as is usual for NoScript. But then if I click on that applet, I get "Something is wrong, Java is not working."

Tamren wrote:

I have the Java plugins disabled on my browser. However sometimes I will mouse over something on a webpage and the link preview will say "javascript________" etc. NoScript blocks them and if I allow scripts on the page using NoScript these links and objects work again.

That's a little confusing. How does Java stuff run on Firefox if the plugins are deactivated? Do I need to uninstall Java completely?

You've fallen victim to the classic Java/Javascript confusion.

Wikipedia wrote:

Developed under the name Mocha, LiveScript was the official name for the language when it first shipped in beta releases of Netscape Navigator 2.0 in September 1995, but it was renamed JavaScript when it was deployed in the Netscape browser version 2.0B3.

The change of name from LiveScript to JavaScript roughly coincided with Netscape adding support for Java technology in its Netscape Navigator web browser. The final choice of name caused confusion, giving the impression that the language was a spin-off of the Java programming language, and the choice has been characterized by many as a marketing ploy by Netscape to give JavaScript the cachet of what was then the hot new web programming language.[12][13] It has also been claimed that the language's name is the result of a co-marketing deal between Netscape and Sun, in exchange for Netscape bundling Sun's Java runtime with its then-dominant browser.

TL;DR: Javascript is not the same as Java, and you need it enabled for most webpages to function. (Such as the quote link here on the forums)

Yay! Let's get the year started off on the right foot: Java is still borked. See also: the Ars story

Yeah, I'd say it's kinda bad: Homeland Security warns to disable Java amid zero-day flaw

Found that when reading this: Zero-day flaw prompts Apple to block Java 7 from OS X

I know Firefox has also flagged it and won't auto-run it either.

Fun times :/

It burns my IT soul every day to know that our time entry system requires that every machine in our company have Java installed. Thankfully, it's a stand-alone application and not something that runs in browser so I am going to advise everyone to disable Java for their browsers. What a joke this has become since Oracle took it over.

Whenever I see something like this I go and uninstall Java... and then some silly program makes me reinstall it... and so the cycle continues.

The really talented programmers of the world mostly don't want to work for such a nasty outfit, so software that transfers to them tends to bitrot.

trueheart78 wrote:

t.co

Please don't use url shorteners, you're on a forum that allows links as long as you like, especially when you're linking to something security oriented where it would be nice to know I'm not being diverted somewhere malicious.

Oracle emergency Java release

You should be good for a few hours...