# Java threat?



## Mr. H. (Jan 11, 2013)

U.S. warns on Java software as security concerns escalate - Yahoo! News

This appears serious. Are we all supposed to disable/remove our Java programs???


----------



## Wonky Pundit (Jan 11, 2013)

Sounds like the ongoing arms race between hackers and Sun (now Oracle).


----------



## Mr. H. (Jan 11, 2013)

The only Java listed in my laptop's "Installed Programs" are two updates. 

I guess it's for folks doing programming?


----------



## Wonky Pundit (Jan 11, 2013)

Mr. H. said:


> The only Java listed in my laptop's "Installed Programs" are two updates.
> 
> I guess it's for folks doing programming?



Not necessarily. They're likely talking about the "Java Virtual Machine," which is part of every browser plugin, and is often used elsewhere, too.


----------



## Ringel05 (Jan 11, 2013)

* Java threat?*


----------



## Mr. H. (Jan 11, 2013)

Ok well it seems much ado about nuttin'. 
I'm still paranoid from having my email hacked last month.


----------



## Ringel05 (Jan 11, 2013)

Mr. H. said:


> Ok well it seems much ado about nuttin'.
> I'm still paranoid from having my email hacked last month.



Happened to my wife about a year and a half ago.  She was using Outlook Express.  I have her on gmail with multiple security layers in place.


----------



## Ringel05 (Jan 11, 2013)

Mr. H. said:


> U.S. warns on Java software as security concerns escalate - Yahoo! News
> 
> This appears serious. Are we all supposed to disable/remove our Java programs???



Critical Patch Updates and Security Alerts


----------



## waltky (Jan 11, 2013)

How do ya disable Java...

... till this thing is over?


----------



## MikeK (Jan 11, 2013)

Ringel05 said:


> * Java threat?*


I don't even know what Java is.  I think it has something to do with composition.  Lately a little box has been popping up in my task bar advising that updates to Java are available, but because my new Win/7 computer is finally working perfectly I'm inclined to leave well enough alone.  So I just X these pop-ups away.  

Also, past experience has made me rather paranoid about downloading anything I don't have good cause to trust.  So now I'm wondering if this news about a _threat_ might be related to those pop-up invitations.  

Ya think?


----------



## Ringel05 (Jan 11, 2013)

MikeK said:


> Ringel05 said:
> 
> 
> > * Java threat?*
> ...



Pop up invitations??


----------



## MikeK (Jan 12, 2013)

Ringel05 said:


> MikeK said:
> 
> 
> > Ringel05 said:
> ...


Yes.  A little box pops up from my taskbar telling me to click on it for Java updates.


----------



## Ringel05 (Jan 12, 2013)

MikeK said:


> Ringel05 said:
> 
> 
> > MikeK said:
> ...



Oh, okay.  Go to the link I posted, a few posts back, and update from there just in case.  Once updated then reboot, if the "invitations" (update notices) continue to pop up then you've probably been compromised.


----------



## Mr. H. (Jan 12, 2013)

I just installed an update after being notified. It dealt with security concerns. 

I rarely get notices, as opposed to a continual pop-up thing.


----------



## MikeK (Jan 12, 2013)

Here's what I've managed to learn about this Java threat:

It appears to be directed only to Java version 7.  So go here to find of what version you have:  Verify Java Version

I did that and found out I don't have Java.  I still don't know what it is or what it does, but if I don't have it and my computer is working just fine, what good is it?  Can anyone tell me?


----------



## Wonky Pundit (Jan 12, 2013)

MikeK said:


> Here's what I've managed to learn about this Java threat:
> 
> It appears to be directed only to Java version 7.  So go here to find of what version you have:  Verify Java Version
> 
> I did that and found out I don't have Java.  I still don't know what it is or what it does, but if I don't have it and my computer is working just fine, what good is it?  Can anyone tell me?



If you don't have other software that depends on having Java installed, then you don't need Java.


----------



## Flopper (Jan 12, 2013)

Mr. H. said:


> The only Java listed in my laptop's "Installed Programs" are two updates.
> 
> I guess it's for folks doing programming?


Only about .2% of the web sites us client java which runs on your computer.  However since there are over 300 million web sites, if you disable java you might find some things that don't work.  If you do you can always enable it.


----------



## waltky (Jan 12, 2013)

Thanks to MMC over at *Political Bullpen*...

*How to Disable Java*
_January 11, 2013 - Java is a handy, cross-platform language that's been mightily abused by hackers. With the discovery of a new Java vulnerability that affects even the most up-to-date version, many experts advise everyone to simply disable Java. Here's how._


> Java was once touted as the "write once, run anywhere" language. In theory, a single Java program could run on any Java-supporting platform. That dream never quite came to perfection, though, and these days Java is a favorite attack vector for hackers. The Flashback Trojan breached Macintosh computers via a Java vulnerability last year, for example. In August, researchers at FireEye reported another zero-day vulnerability in Java. The most recent Java vulnerability affects all versions of Java 7, including the most current version. Unless you absolutely need it, you should disable Java now.  Fortunately, Oracle offers a Web page with straightforward instructions on how to turn off Java.
> 
> Disable Java in All Browsers
> 
> ...


----------



## Mr. H. (Jan 12, 2013)

Wonky Pundit said:


> MikeK said:
> 
> 
> > Here's what I've managed to learn about this Java threat:
> ...



You and your double fucking negatives...


----------



## Foxfyre (Jan 13, 2013)

I came over here to start a thread on this and see that there is an active one going,

I saw this the other day when the CS Monitor ran a piece and it was in our local paper this morning too.  Apparently there is a vulnerability to malicious cyber crime/attacks that they can't patch and Homeland Security recommends we all disable our Java? Geez, how much stuff on your computer needs Java?   Occasionally I get a popup message that such and such Java component is not available when I try to access something.  All of Pogo games require Java to run and I'm sure a lot of other games do too.

How much of a threat is this and what should we expect if we get attacked?  I don't know how to disable Java other than uninstall it.


----------



## Foxfyre (Jan 13, 2013)

Just checked the list of stuff installed in the Control Panel and I don't think I have Java on this computer.


----------



## Mr. H. (Jan 13, 2013)

waltky said:


> _The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks._



Just now performed this task. 
There is also a tab under "advanced" labeled "security". I also expanded that. Some items are checked and some not. Didn't understand any of it, so left it as is. 

If you have Windows 7, open the search box (lower left) and type "java". Then click it to open that control panel.


----------



## Ringel05 (Jan 13, 2013)

Mr. H. said:


> waltky said:
> 
> 
> > _The only way to disable Java in Internet Explorer is through the Java Control Panel. Launch it as described above, click the Advanced tab and expand the item titled Default Java for browsers. Un-check the boxes for Microsoft Internet Explorer. You may need to click the item and press spacebar in order to clear the checkmarks._
> ...



Only works if you have Java 7 update 10, that control feature is not in the previous versions so the only option is updating then disabling or uninstalling Java entirely.


----------



## Foxfyre (Jan 13, 2013)

Don't you think though that since this warning has gone viral, that a patch will be forthcoming immediately?


----------



## Ringel05 (Jan 13, 2013)

Foxfyre said:


> Don't you think though that since this warning has gone viral, that a patch will be forthcoming immediately?



Not sure.  From what I've read this is a hole that is very difficult to plug because of it's primary function within Java.


----------



## Mr. H. (Jan 13, 2013)

Ringel05 said:


> Mr. H. said:
> 
> 
> > waltky said:
> ...


Sheesh. This gets more bizarre by the minute LOL.


----------



## waltky (Jan 13, 2013)

Dey workin' onna fix...

*Oracle Corp to fix Java security flaw "shortly"*
_12 Jan.`12 - Oracle Corp said it is preparing an update to address a flaw in its widely used Java software after the U.S. Department of Homeland Security urged computer users to disable the program in web browsers because criminal hackers are exploiting a security bug to attack PCs._


> "A fix will be available shortly," the company said in a statement released late on Friday.  Company officials could not be reached on Saturday to say how quickly the update would be available for the hundreds of millions of PCs that have Java installed.  The Department of Homeland Security and computer security experts said on Thursday that hackers figured out how to exploit the bug in a version of Java used with Internet browsers to install malicious software on PCs. That has enabled them to commit crimes from identity theft to making an infected computer part of an ad-hoc computer network that can be used to attack websites.
> 
> Java is a computer language that enables programmers to write software utilizing just one set of codes that will run on virtually any type of computer, including ones that use Microsoft Corp's Windows, Apple Inc's OS X and Linux, an operating system widely employed by corporations. It is installed in Internet browsers to access web content and also directly on PCs, server computers and other devices that use it to run a wide variety of computer programs.  Oracle said in its statement that the recently discovered flaw only affects Java 7, the program's most-recent version, and Java software designed to run on browsers.
> 
> ...


----------



## Foxfyre (Jan 13, 2013)

Well us untechie types will probably just wait for the fix rather than try to dismantle something in our computer that we'll turn out to need and won't remember how to get back to fix whatever we undo.


----------



## Flopper (Jan 13, 2013)

Foxfyre said:


> Don't you think though that since this warning has gone viral, that a patch will be forthcoming immediately?


The people at Oracle have been plugging security problems for years and hackers keep finding vulnerability.  Updating Java to the current release and turning it off for all browsers is very quick and easy.  It you click on something that requires Java, you will most likely get a message that tells you Java is required.  Then you just go to your control panel and the Java application and enable it and restart your browser.  I've done this and have had no problem since most web sites don't use client side java.

Most client side java is used when the selection on the web page requires a lot of computing.  So rather than do all that computing on the server they use java in your computer.  In other words they use your computer to do the work instead of theirs.  Since most web sites don't do a lot of heavy duty computing, they don't bother with Java client software. The only site I am familar with that uses a lot of Java is Morningstar which does a lot of mutual fund and stock analysis in their tools section.


----------



## Wonky Pundit (Jan 14, 2013)

Mr. H. said:


> Wonky Pundit said:
> 
> 
> > MikeK said:
> ...



That weren't no double negative. Those are things up with which I can't put.


----------



## Ringel05 (Jan 14, 2013)

Looks like Java has fixed the hole..... for now..... The latest emergency update is available.  Download and reinstall Java from the site.  Unless you are an Ask fan, unselect the Ask toolbar install option when it appears or spend a couple of hours trying to figure out how to get it off you computer.


----------



## Dante (Jan 14, 2013)

Mr. H. said:


> I just installed an update after being notified. It dealt with security concerns.
> 
> I rarely get notices, as opposed to a continual pop-up thing.



you have to delete programs and task bars and other unwanted crap that comes with things you downloads. some downloads have a box or boxes checked that end up adding shit to a browser


----------



## Mr. H. (Jan 14, 2013)

Thanks. I shall take that under advisement.


----------



## waltky (Jan 15, 2013)

Think I'll keep it disabled till the 'all clear' is sounded...

*Oracle says Java is fixed; feds maintain warning*
_Jan 14,`13  -- Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal agency continued to recommend that users disable Java in their Web browsers._


> "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said Monday in an updated alert published on the website of its Computer Emergency Readiness Team. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."  The alert follows on the department's warning late Thursday. Java allows programs to run within websites and powers some advertising networks. Users who disable Java may not be able to see portions of websites that display real-time data such as stock prices, graphical menus, weather updates and ads.  Vulnerability in the latest version, Java 7, was "being actively exploited," the department said.
> 
> Java 7 was released in 2011. Oracle said installing its "Update 11" will fix the problem.  Security experts said that special code to take advantage of the weakness is being sold on the black market through so-called "Web exploit packs" to Internet abusers who can use it to steal credit card data, personal information or cause other harm.  The packs, sold for upwards of $1,500 apiece, make complex hacker codes available to relative amateurs. This particular flaw even enables hackers to compromise legitimate websites by taking over ad networks. The result: users are redirected to malicious sites where damaging software can be loaded onto their computers.
> 
> ...


----------

