  1. #1
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)

    Homeland Security urges computer users to disable Java

    What do our security gurus out there think about this article...

    Homeland Security urges computer users to disable Java


    Debbie

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Unless you specifically have applications installed that need Java there is no reason to have it. At the very least you could completely disable it in your web browser as web pages that use Java applets are extremely rare. Turning it off in the browser would not affect pages running Java on the server to generate the pages as that Java is not running on your computer.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    Unless you specifically have applications installed that need Java there is no reason to have it. At the very least you could completely disable it in your web browser as web pages that use Java applets are extremely rare. Turning it off in the browser would not affect pages running Java on the server to generate the pages as that Java is not running on your computer.
    So you make it sound like there is little to lose by disabling the Java Plug-In in my Browser (Firefox in my case) and a lot to gain as far as security...


    Debbie

  4. #4
    SitePoint Wizard bronze trophy PicnicTutorials's Avatar
    Join Date
    Dec 2007
    Location
    Carlsbad, California, United States
    Posts
    3,656
    Mentioned
    15 Post(s)
    Tagged
    0 Thread(s)
    I got Webroot. Hasn't failed me yet.

  5. #5
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by EricWatson View Post
    I got Webroot. Hasn't failed me yet.
    What's that?


    Debbie

  6. #6
    SitePoint Wizard bronze trophy PicnicTutorials's Avatar
    Join Date
    Dec 2007
    Location
    Carlsbad, California, United States
    Posts
    3,656
    Mentioned
    15 Post(s)
    Tagged
    0 Thread(s)
    Webroot antivirus. Works well - works in the background - quarantines things without even asking. It's user friendly basically.

  7. #7
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    I just saw a report that claims that there are major security holes in the latest version of Java that ARE being exploited to break into people's computers - that report recommends for EVERYONE to, as a minimum, disable Java in their browser.

    I just made a blog post at http://felgall.net/?p=3466 that provides step by step instructions on how to do this in IE, Firefox, Chrome and Opera.
    Stephen J Chapman


  8. #8
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    I just saw a report that claims that there are major security holes in the latest version of Java that ARE being exploited to break into people's computers - that report recommends for EVERYONE to, as a minimum, disable Java in their browser.

    I just made a blog post at http://felgall.net/?p=3466 that provides step by step instructions on how to do this in IE, Firefox, Chrome and Opera.

    Here is what I did for my laptop and Firefox...

    How to turn off Java applets


    Debbie

  9. #9
    SitePoint Enthusiast scout1idf's Avatar
    Join Date
    Nov 2009
    Location
    Ohio
    Posts
    83
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    I just saw a report that claims that there are major security holes in the latest version of Java that ARE being exploited to break into people's computers - that report recommends for EVERYONE to, as a minimum, disable Java in their browser.

    I just made a blog post at http://felgall.net/?p=3466 that provides step by step instructions on how to do this in IE, Firefox, Chrome and Opera.
    Thanks for the instructions.

    Firefox, Chrome and Opera were all already turned off. IE had 5 listed with 3 still turned on. They're off now.....

  10. #10
    Robert Wellock silver trophybronze trophy xhtmlcoder's Avatar
    Join Date
    Apr 2002
    Location
    A Maze of Twisty Little Passages
    Posts
    6,316
    Mentioned
    60 Post(s)
    Tagged
    0 Thread(s)
    Brian Krebs is usually fairly good at reporting Java, Adobe or Microsoft vulnerabilities: http://krebsonsecurity.com/. He covered this particular exploit quite a while back.

    As was mentioned, if you don't require Java, uninstall it. Yes, disabling the plugins in Firefox works for Firefox (like in Stephen's article), as would disabling Java 7 (Update 10) via the Java control panel: http://krebsonsecurity.com/how-to-un...m-the-browser/. One or two specific security sites I visit require Java, though I only enable it when I visit those specific sites and only when needed.

    However, a lot of people still have fragments of Java 6 installation on their machines, which should also be thoroughly removed as the standard uninstallers sometimes leave vulnerable crumbs.
    Last edited by cpradio; Jan 12, 2013 at 13:27. Reason: Updated spelling of Brian Krebs

  11. #11
    SitePoint Zealot
    Join Date
    Oct 2012
    Posts
    137
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)

    Homeland Security advises disabling Java?

    Is this potential hacking threat through Javascript old or new?

    Department of Homeland Security advises computer users to disable Java because of security bug
    http://news.yahoo.com/department-hom...084354696.html

    Are there things that we website managers and builders should fix?

  12. #12
    Robert Wellock silver trophybronze trophy xhtmlcoder's Avatar
    Join Date
    Apr 2002
    Location
    A Maze of Twisty Little Passages
    Posts
    6,316
    Mentioned
    60 Post(s)
    Tagged
    0 Thread(s)
    Java vulnerabilities aren't new and usually a few times per year you'll get major Java zero-day attacks.

    Are you confusing Java with JavaScript?

    In either case, you can get malicious JavaScript, but that's a different topic; this thread is discussing CVE-2013-0422 (http://web.nvd.nist.gov/view/vuln/de...=CVE-2013-0422) or how to disable Java web browser plugins.
    Last edited by cpradio; Jan 12, 2013 at 13:27. Reason: Added "you"

  13. #13
    Grüße aus'm Pott gold trophysilver trophybronze trophy
    Pullo's Avatar
    Join Date
    Jun 2007
    Location
    Germany
    Posts
    5,938
    Mentioned
    214 Post(s)
    Tagged
    12 Thread(s)
    Quote Originally Posted by Greg Baka View Post
    Is this potential hacking threat through Javascript old or new?
    Just to clarify Greg, the problem is in Java, not JavaScript.
    These are two completely separate programming languages.

    Quote Originally Posted by Greg Baka View Post
    Are there things that we website managers and builders should fix?
    As a web master there is nothing you need to do.
    However, if you have Java installed on your PC/Mac and you don't absolutely need it, I would uninstall it, at least for the time being.
    Felgall's blog post tells you how.

    Edit: xhtmlcoder beat me to it

  14. #14
    Robert Wellock silver trophybronze trophy xhtmlcoder's Avatar
    Join Date
    Apr 2002
    Location
    A Maze of Twisty Little Passages
    Posts
    6,316
    Mentioned
    60 Post(s)
    Tagged
    0 Thread(s)
    Off Topic:

    Pullo, good SPF Mentors are lightning-fast...

  15. #15
    SitePoint Member joshuagnizak's Avatar
    Join Date
    Jan 2013
    Location
    Berlin
    Posts
    10
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Java disabled: check.
    Date: many months ago.

  16. #16
    SitePoint Enthusiast scout1idf's Avatar
    Join Date
    Nov 2009
    Location
    Ohio
    Posts
    83
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    This might sound dumb, but how do you know if you "need" Java on your computer (other than uninstalling it to see)?

    What runs on Java?

  17. #17
    Robert Wellock silver trophybronze trophy xhtmlcoder's Avatar
    Join Date
    Apr 2002
    Location
    A Maze of Twisty Little Passages
    Posts
    6,316
    Mentioned
    60 Post(s)
    Tagged
    0 Thread(s)
    You'll most typically see it used in Java Applets on some websites like: http://secunia.com/vulnerability_scanning/online/. The browser or website may alert you that you have a missing Java plugin, etc. Normally you don't require it.

  18. #18
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Join Date
    May 2003
    Location
    Washington, DC
    Posts
    10,629
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    For long and involved reasons, I ended up redoing all of my mobile computers near the end of 2012. I haven't installed Java on a thing there. The only issues I had were hooking up to Cisco AnyConnect VPNs and a certain active trading system I use. I now have a dedicated VM for said active trading system; I found the AnyConnect client through other means.

    So, in most cases, you don't actually need Java installed...

  19. #19
    Barefoot on the Moon! silver trophy Force Flow's Avatar
    Join Date
    Jul 2003
    Location
    Northeastern USA
    Posts
    4,606
    Mentioned
    56 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by felgall View Post
    I just saw a report that claims that there are major security holes in the latest version of Java that ARE being exploited to break into people's computers - that report recommends for EVERYONE to, as a minimum, disable Java in their browser.
    Java has *always* been insecure. I don't know why this is such big news all of a sudden.

    Quote Originally Posted by scout1idf View Post
    What runs on Java?
    Lots of stuff. Various remote presentation apps/services, software such as OpenOffice/LibreOffice, Eclipse, and NetBeans.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  20. #20
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Force Flow View Post
    Java has *always* been insecure. I don't know why this is such big news all of a sudden.
    I thought Java was "the next coming"?!



    Lots of stuff. Various remote presentation apps/services, software such as OpenOffice/LibreOffice, Eclipse, and NetBeans.
    If it is so inherently insecure, then why is it so popular?


    Also, aren't there similar flaws with other languages/platforms like .Net?


    Debbie

  21. #21
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by Force Flow View Post
    Java has *always* been insecure. I don't know why this is such big news all of a sudden.
    Possibly because there are currently people actively exploiting known holes when Java is running in a web browser. The holes weren't as important when they were not being actively exploited.

    It also isn't so much of a problem for applications running on the local computer outside of the browser, where actually gaining access from the internet can be much harder, and since that's where most Java runs, the latest problems provide a good time to promote disabling it in the web browser - which will assist in improving security overall.
    Stephen J Chapman


  22. #22
    SitePoint Wizard DoubleDee's Avatar
    Join Date
    Aug 2010
    Location
    Arizona
    Posts
    3,764
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    Possibly because there are currently people actively exploiting known holes when Java is running in a web browser. The holes weren't as important when they were not being actively exploited.

    It also isn't so much of a problem for applications running on the local computer outside of the browser, where actually gaining access from the internet can be much harder, and since that's where most Java runs, the latest problems provide a good time to promote disabling it in the web browser - which will assist in improving security overall.
    So the insecurities exist with browser-based, client-side Java, specifically, and not necessarily with client-side Java or server-side Java?



    Debbie

    P.S. Who is the new guy in the photo?!

  23. #23
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,809
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by DoubleDee View Post
    So the insecurities exist with browser-based, client-side Java, specifically, and not necessarily with client-side Java or server-side Java?
    Whatever holes exist in Java, the hacker has to have access to the environment it is running in to be able to exploit them. It is far easier to access Java running in a web browser than it is to access Java running elsewhere (whether on the server or on your local computer), as the browser provides them the access to Java where other security measures will normally block their access to Java running in other locations. They can't exploit a security hole in Java if a firewall (or other security measures) prevents them accessing it.
    Stephen J Chapman


  24. #24
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2006
    Location
    Augusta, Georgia, United States
    Posts
    4,147
    Mentioned
    16 Post(s)
    Tagged
    3 Thread(s)
    Here we go with all the confusion between Java and JavaScript – yippie!!!

    That article should explicitly state that this does not mean turning off JavaScript because I'm sure that is what about 100% of the non/semi-technical crowd interpret the solution as.

    Correct me if I'm wrong but any attempt to install software through a Java applet would result in some type of prompt, right or no? I guess either way most people would probably click the prompt not thinking anything of it.
    The only code I hate more than my own is everyone else's.

  25. #25
    Grüße aus'm Pott gold trophysilver trophybronze trophy
    Pullo's Avatar
    Join Date
    Jun 2007
    Location
    Germany
    Posts
    5,938
    Mentioned
    214 Post(s)
    Tagged
    12 Thread(s)
    Quote Originally Posted by oddz View Post
    I'm sure that is what about 100% of the non/semi-technical crowd interpret the solution as.
    Yup.
    Talked to someone last night who was surprised that AOL no longer worked when they turned off "Java".

