What do our security gurus out there think about this article...
Homeland Security urges computer users to disable Java
Debbie

Unless you specifically have applications installed that need Java there is no reason to have it. At the very least you could completely disable it in your web browser as web pages that use Java applets are extremely rare. Turning it off in the browser would not affect pages running Java on the server to generate the pages as that Java is not running on your computer.
Stephen J Chapman
javascriptexample.net, Book Reviews, follow me on Twitter
HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
<input name="html5" type="text" required pattern="^$">
I got webroot. Hasn't failed me yet
Webroot antivirus. Works well - works in the background - quarantines things without even asking. It's user friendly basically.

I just saw a report that claims that there are major security holes in the latest version of Java that ARE being exploited to break into people's computers - that report recommends that EVERYONE, as a minimum, disable Java in their browser.
I just made a blog post at http://felgall.net/?p=3466 that provides step by step instructions on how to do this in IE, Firefox, Chrome and Opera.
Stephen J Chapman





Here is what I did for my laptop and FireFox...
How to turn off Java applets
Debbie


Brian Krebs is usually fairly good at reporting Java, Adobe or Microsoft vulnerabilities (http://krebsonsecurity.com/); he covered this particular exploit quite a while back.
As was mentioned, if you don't require Java, uninstall it. Yes, disabling the plugins in Firefox works for Firefox (like in Stephen's article). As would disabling Java 7 (Update 10) via the Java control panel: http://krebsonsecurity.com/how-to-un...m-the-browser/ One or two specific security sites I visit require Java, though I only enable it when I visit those specific sites and only when needed.
However, a lot of people still have fragments of Java 6 installation on their machines, which should also be thoroughly removed as the standard uninstallers sometimes leave vulnerable crumbs.
Last edited by cpradio; Jan 12, 2013 at 13:27. Reason: Updated spelling of Brian Krebs
};-) http://www.xhtmlcoder.com/
Thinking Web: Voices of the Community
> March 2013 - SitePoint forums: Spot the Error 3: Calling all Sleuths! Winner Announced!... She knows how to spot simple <code> errors but do you?

Is this potential hacking threat through Javascript old or new?
Department of Homeland Security advises computer users to disable Java because of security bug
http://news.yahoo.com/department-hom...084354696.html
Are there things that we website managers and builders should fix?


Java vulnerabilities aren't new and usually a few times per year you'll get major Java zero-day attacks.
Are you confusing Java with JavaScript?
In either case you can get malicious JavaScript, but that's a different topic; this thread is discussing (CVE-2013-0422) http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0422 or how to disable Java web browser plugins.
Last edited by cpradio; Jan 12, 2013 at 13:27. Reason: Added "you"
};-) http://www.xhtmlcoder.com/

Just to clarify Greg, the problem is in Java, not JavaScript.
These are two completely separate programming languages.
As a web master there is nothing you need to do.
However, if you have Java installed on your PC/Mac and you don't absolutely need it, I would uninstall it, at least for the time being.
Felgall's blog post tells you how.
Edit: xhtmlcoder beat me to it
How well do you know your JavaScript from your jQuery?
Check out SitePoint's latest JavaScript challenge
My blog


Off Topic:
Pullo, good SPF Mentors are lightning-fast...
};-) http://www.xhtmlcoder.com/
Java disabled: check.
Date: many months ago.
This might sound dumb, but how do you know if you "need" Java on your computer (other than uninstalling it to see)?
What runs on Java?


You'll most typically see it used in Java applets on some websites, like http://secunia.com/vulnerability_scanning/online/ (the browser or website may alert you that you have a missing Java plugin, etc.). Normally you don't require it.
};-) http://www.xhtmlcoder.com/


For long and involved reasons, I ended up redoing all of my mobile computers near the end of 2012. I haven't installed Java on a thing there. Only issues I had were hooking up to Cisco AnyConnect VPNs and a certain active trading system I use. Now have a dedicated VM for said active trading system; I found the AnyConnect client through other means.
So, in most cases, you don't actually need Java installed . . . .

Visit The Blog | Follow On Twitter
301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
Can be hosted on and utilize your own domain





I thought Java was "the next coming"?!
If it is so inherently insecure, then why is it so popular?
Lots of stuff. Various remote presentation apps/services, software such as OpenOffice/LibreOffice, Eclipse, and NetBeans.
Also, aren't there similar flaws with other languages/platforms like .Net?
Debbie

Possibly because there are currently people actively exploiting known holes when Java is running in a web browser. The holes weren't as important when they were not being actively exploited.
It also isn't so much of a problem for applications running on the local computer outside of the browser where actually gaining access from the internet can be much harder and since that's where most Java runs the latest problems provide a good time to promote disabling it in the web browser - which will assist in improving security overall.
Stephen J Chapman

Whatever holes exist in Java, the hacker has to have access to the environment it is running in to be able to exploit them. It is far easier to access Java running in a web browser than it is to access Java running elsewhere (whether on the server or on your local computer), as the browser provides them the access to Java where other security measures will normally block their access to Java running in other locations. They can't exploit a security hole in Java if a firewall (or other security measures) prevents them accessing it.
Stephen J Chapman
Here we go with all the confusion between Java and JavaScript – yippie!!!
That article should explicitly state that this does not mean turning off JavaScript, because I'm sure that is what about 100% of the non/semi-technical crowd interpret the solution as.
Correct me if I'm wrong, but any attempt to install software through a Java applet would result in some type of prompt, right or no? I guess either way most people would probably click the prompt not thinking anything of it.
The only code I hate more than my own is everyone else's.
