How is JAVA-in-the-browser being remotely disabled?


Within the past 2 days, I've performed some maintenance on a handful of
PC's (some running XP, some running 7) where I've discovered that
Firefox's JAVA plugin had been disabled - and NOT by the owner of the
system.

Is Mozilla doing this - or Oracle?

And how?

ps:  Oracle has released version 7 Update 11 patch.

Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy formulated on Monday :
Quoted text here. Click to load it

IMO it would *have* to be Mozilla and through some update mechanism.



Re: How is JAVA-in-the-browser being remotely disabled?

FromTheRafters wrote:
 
Quoted text here. Click to load it

This discussion seems to be talking about this:

http://blog.mozilla.org/security/2013/01/11/protecting-users-against-java-vulnerability/

But it's not clear to me that it's being clearly spelled out that
Mozilla is somehow performing remote-disable of Java add-on within the
past 2 days - unless it's part of the "Click to Play" function.

One of the comments:

=========
Oracle’s advisory indicates that java 6, 5, and 4 are not affected,
although all updates of Java 7 through update 10 are, and the just
released update 11 provides a temporary patch similar to Mozilla’s
plugin blocking function.

The CERT advisory and vulnerability note only specify Oracle Java with a
new feature from version 7...
=========

So anyone running the newest updates for version 6 is not affected.

And apparently java 6 update 38 can be installed on win-98 if you
perform some custom updates to some kernelEx stub files.

How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
 VG> Is Mozilla doing this - or Oracle?

ummm... how's about going to the firefox button and clicking on addons to go to
the addons manager... then click on the plugins tab and finally on the link at
the top to verify if all plugins are up to date...

barring that, a quick perusal and search of the mozilla site will easily tell
you this without having to resort to writing in a newsgroup and waiting for
another human to tell you that which you could easily find out yourself ;)

)\/(ark
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ The FidoNet News Gate (Huntsville, AL - USA)        +
+ The views of this user are strictly his or her own. +
+ All data is scanned for malware by Avast! Antivirus +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Re: How is JAVA-in-the-browser being remotely disabled?

mark lewis wrote on 1/14/2013 :
Quoted text here. Click to load it

http://www.informationweek.com/security/attacks/another-java-zero-day-vulnerability-hits/240146416



How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
Quoted text here. Click to load it

 F> http://www.informationweek.com/security/attacks/another-java-zero-da
 F> y-vulnerability-hits/240146416

java 7U11 is out now ;)

)\/(ark

Re: How is JAVA-in-the-browser being remotely disabled?

mark lewis has brought this to us :
Quoted text here. Click to load it

Were you unable to read that link?

Here's another.

http://arstechnica.com/security/2013/01/5000-will-buy-you-access-to-another-new-critical-java-vulnerability/



How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
Quoted text here. Click to load it

 F> Were you unable to read that link?

i didn't even try... i have many security related emails to go thru every day
;)

 F> Here's another.

 F> http://arstechnica.com/security/2013/01/5000-will-buy-you-access-to -
 F> another-new-critical-java-vulnerability/

yeah, i've already seen that the other day when it was first posted... the
blackhats have been selling zero-day exploits for a long time... $5000 is
pretty cheap, too... especially when one might rake in over $1000000 from it :?

)\/(ark

Re: How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
Quoted text here. Click to load it
 F> That wasn't the point, but that's okay.

sorry... what was the point you wanted to make?

)\/(ark

Re: How is JAVA-in-the-browser being remotely disabled?

It happens that mark lewis formulated :
Quoted text here. Click to load it

This *new* vulnerability was because of the somewhat rushed update 11
retrograding the level and giving new life to an older flaw.

My supposition that a rushed patch may not have actually addressed the
vulnerability and left us with update 11 *not* addressing the
vulnerability (by addressing only the currently ITW exploit instead) did
not actually come to fruition, but another somewhat often problem of
retrograded patch level did.

No amount of my doing my own research (as you suggested) would have
answered my original question regarding whether or not update 11
actually meant I was no longer susceptible to CVE-2013-0422. As it
turns out, it did indeed address *that* flaw, but created another
vulnerability in the process.

The best thing to do IMO is to have your Java plug-in for your browser
"prompt" the user and have the user deny launching it unless absolutely
necessary. One shouldn't assume that an out-of-band patch has been
thoroughly vetted.



Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy wrote :
Quoted text here. Click to load it

Not necessarily.

No, you just *want* to see it that way.



Re: How is JAVA-in-the-browser being remotely disabled?

FromTheRafters wrote:
 
Quoted text here. Click to load it

No - I'm under the impression that the JRE vulnerability that came to
light a few days ago has been authoritatively stated to *not* be present
in JRE 6 update 38 and possibly *any* version of JRE 6.

And since you (or others) seem to now be talking about a *new*
vulnerability in JRE 7 update 11 (because in the rush to patch update
10, update 11 was not properly designed) then again I think I'm on solid
ground pointing out the seemingly higher level of "invulnerability" of
JRE 6 update 38 vs *any* version of JRE 7.

Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy explained :
Quoted text here. Click to load it

It's the same kind of 'logic' that you use to assert Win98 is 'better'
securitywise than any NT version - which logic is, IMO, flawed.



Re: How is JAVA-in-the-browser being remotely disabled?

I wrote:

Quoted text here. Click to load it

FromTheRafters made an ass of himself by responding:

Quoted text here. Click to load it
 
I then replied:

Quoted text here. Click to load it


FromTheRafters continued to be an ass, and flushed any resemblance of a
reputation he might have had down the toilet by responding:

Quoted text here. Click to load it

Here's why you're full of shit (as usual):

http://www.infoworld.com/d/security/researchers-find-critical-vulnerabilities-in-java-7-update-11-211150

==========
Researchers from Security Explorations, a Poland-based vulnerability
research firm, claim to have found two new vulnerabilities in Java 7
Update 11 that can be exploited to bypass the software's security
sandbox and execute arbitrary code on computers.

Researchers from security firm Immunity who analyzed the exploit being
used by cybercriminals since last week concluded that it also combined
two vulnerabilities to achieve a Java sandbox escape. However, they
later said in a blog post that Java 7 Update 11 only addressed one of
them and warned that if attackers find another vulnerability to replace
the patched one, a new exploit can be created.

The vulnerabilities discovered by Security Explorations are separate
from the one left unpatched by Oracle in Java 7 Update 11, Gowdiak said
Friday via email.

Also see
http://news.softpedia.com/news/Java-7-Update-11-Zero-Day-Exploit-Sold-for-5-000-on-Underground-Market-321702.shtml

Malware hackers have also released an exploit that looks like an update
to Java7 Update 10.
==========

And there's more, Rafterhead:

==========
Oracle Security Alert for CVE-2013-0422

Description

This Security Alert addresses security issues CVE-2013-0422 (US-CERT
Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability)
and another vulnerability affecting Java running in web browsers. These
vulnerabilities are not applicable to Java running on servers,
standalone Java desktop applications or embedded Java applications. They
also do not affect Oracle server-based software.

The fixes in this Alert include a change to the default Java Security
Level setting from "Medium" to "High". With the "High" setting, the user
is always prompted before any unsigned Java applet or Java Web Start
application is run.

These vulnerabilities may be remotely exploitable without
authentication, i.e., they may be exploited over a network without the
need for a username and password. To be successfully exploited, an
unsuspecting user running an affected release in a browser will need to
visit a malicious web page that leverages these vulnerabilities.
Successful exploits can impact the availability, integrity, and
confidentiality of the user's system.

Due to the severity of these vulnerabilities, the public disclosure of
technical details and the reported exploitation of CVE-2013-0422 "in the
wild," Oracle strongly recommends that customers apply the updates
provided by this Security Alert as soon as possible.

Supported Products Affected

The security vulnerabilities addressed by this Security Alert affect the
products listed in the categories below.  Please click on the link in
the Patch Availability column or in the Patch Availability Table to
access the documentation for those patches.

Affected product releases and versions:

JDK and JRE 7 Update 10 and earlier

Note: JDK and JRE 6, 5.0 and 1.4.2, and Java SE Embedded JRE releases
are not affected.
===============

So I am right, and you're an ass.

Read the Note above.  See how Oracle itself is saying that JRE 6 does
not have this vulnerability.

Java version 6 Update 38 ->IS<- more secure (less vulnerable) to known
exploits than any 7 version (if the claims by Security Explorations are
true) and at the very least, version 6 update 38 (released Dec 2012) was
MORE secure than any 7 existing version previous to the recently
released update 11.

Now try to argue your way around that without putting your foot in your
mouth.

As for you Mark Lewis:

Quoted text here. Click to load it

Put the smiley away.

It looks like both you and RafterAss are unaware that Oracle is
maintaining / patching BOTH JRE version 6 and 7.  Which means JRE 6
update 38 is the most "secure" update to version 6, and has been patched
for all known CVE's.

Secunia has this list of advisories for Java 6 here:

http://secunia.com/advisories/product/12878/?task=advisories

26 total advisories for Java 6 from 2003 through 2013.  They list only
one advisory as being both "critical" and unpatched:

    Sun Java JRE Insecure Executable Loading Vulnerability

This vulnerability requires that an exploit applet be located on a remote
WebDAV or SMB share (which if you ask me is a somewhat significant set of
conditions to implement).  That, plus there is no CVE reference for that
advisory, indicates to me that it is not being leveraged in the wild.
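The Oracle Security Alert quoted in the post above draws a clean line: JDK/JRE 7 Update 10 and earlier are affected by CVE-2013-0422, 7 Update 11 carries the fix, and 6, 5.0 and 1.4.2 are not affected. The following script is an added example (not from any poster or from Oracle) that turns that advisory into a check over the first line of `java -version` output; the sample lines are constructed, and the version-string shape `1.<family>.0_<update>` is assumed from the Java 5/6/7 era.

```python
import re

# Constructed sample lines in the shape `java -version` printed for
# Java 5/6/7; not captured from any real host.
SAMPLE_VERSION_LINES = [
    'java version "1.7.0_10"',
    'java version "1.7.0_11"',
    'java version "1.6.0_38"',
    'java version "1.7.0_09"',
    'java version "1.5.0_22"',
]

_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_version(line):
    """Return (family, update) from a `java -version` first line, e.g. (7, 10)."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised java -version line: %r" % line)
    return int(m.group(1)), int(m.group(2))


def affected_by_cve_2013_0422(family, update):
    """Oracle Security Alert for CVE-2013-0422: JDK/JRE 7 Update 10 and
    earlier are affected; 7 Update 11 is the fixed release; JDK/JRE 6, 5.0
    and 1.4.2 are not affected."""
    return family == 7 and update <= 10


def classify(line):
    """Map one `java -version` line to a triage verdict for this alert only.
    A 'not affected' verdict says nothing about the separate flaws reported
    against 7 Update 11 later in the thread."""
    family, update = parse_java_version(line)
    if affected_by_cve_2013_0422(family, update):
        return "AFFECTED: update to 7u11 or later, or keep the plug-in disabled"
    return "not affected by CVE-2013-0422"


if __name__ == "__main__":
    for line in SAMPLE_VERSION_LINES:
        print("%-28s %s" % (line, classify(line)))
```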

Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy explained on 1/18/2013 :
Quoted text here. Click to load it
http://www.infoworld.com/d/security/researchers-find-critical-vulnerabilities-in-java-7-update-11-211150
Quoted text here. Click to load it
http://news.softpedia.com/news/Java-7-Update-11-Zero-Day-Exploit-Sold-for-5-000-on-Underground-Market-321702.shtml
Quoted text here. Click to load it

I already posted that you dolt. No surprise, you *still* don't get it.



Re: How is JAVA-in-the-browser being remotely disabled?

FromTheRafters used improper usenet message composition style by
unnecessarily full-quoting:
 
Quoted text here. Click to load it

Of the dozen or so pieces of information that I posted (and that you
full-quoted) - which of them exactly did you "already post" ?

Quoted text here. Click to load it

No surprise that you are backing out of this conversation with a
clear-as-mud response.

I said that Java 6 was not vulnerable to the current exploit(s).   You
either did not believe that, or you depreciated that fact (but you do
not / will not say why).

I said that Java 6 update 38 is currently a better alternative to any
version of Java 7.  You say no - but you won't clearly explain why.

Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy wrote :
Quoted text here. Click to load it

I posted two URLs that covered the points that you mentioned, so there
was no need for you to post them to me as if I didn't already have
those facts at hand.
Quoted text here. Click to load it

Your inability to follow along is not my concern.
Quoted text here. Click to load it

I said neither, all I said (and I said the same of your so-called logic
about the security of W98 vs. NT versions) was that your stated means
of determining that level of security was wrong-headed. All your silly
counting of known patched or unpatched vulnerabilities does is show that
you don't understand the subject matter.
Quoted text here. Click to load it

Where did I say that it wasn't? What I said was that your "logic" was
flawed.

Get it yet?



Re: How is JAVA-in-the-browser being remotely disabled?

FromTheRafters wrote:
 
Quoted text here. Click to load it

What a bizarre thing to say - that looking at the facts is not a valid
basis of comparison between options.

Quoted text here. Click to load it

I said this:

Quoted text here. Click to load it

And you responded by saying this:

Quoted text here. Click to load it

I said this:

Quoted text here. Click to load it

And you said this:

Quoted text here. Click to load it

Taken together, how can you possibly argue that those two responses can
be interpreted in any way other than you don't agree with my statement
that "Java 6 update 38 is currently a better alternative to any version
of Java 7". ???

Quoted text here. Click to load it

You are being schizophrenic in this conversation.

You aren't clearly saying or explaining anything here.

I dare anyone else reading this conversation to weigh in with their
thoughts and comments about your responses.

Re: How is JAVA-in-the-browser being remotely disabled?

Virus Guy submitted this idea :
Quoted text here. Click to load it

That's not what I said either.
Quoted text here. Click to load it

Right. All that means is it may or may not be right. I haven't said
that it is or that it isn't - only that your statement that it *is* may
be in error because of the method that you used (and often use) to come
to that conclusion.
Quoted text here. Click to load it

You asked "isin't [sic] it obvious..." and I do indeed disagree with
that statement. Not only that, but I disagree with the comparison
itself because I believe that minor versions don't differ all that much
and the *next* exploit may very well affect both versions.
Quoted text here. Click to load it

You are being your usual self.
Quoted text here. Click to load it

You aren't comprehending much of what I say, I accept that it might be
my fault.
Quoted text here. Click to load it

That should be fun.



How is JAVA-in-the-browser being remotely disabled?

+ User FidoNet address: 1:3634/12.42
Quoted text here. Click to load it

 VG> No - I'm under the impression that the JRE vulnerability that came
 VG> to light a few days ago has been authoritatively stated to *not* be
 VG> present in JRE 6 update 38 and possibly *any* version of JRE 6.

that's that *one* flaw... what about the others in java6? ;)

 VG> And since you (or others) seem to now be talking about a *new*
 VG> vulnerability in JRE 7 update 11 (because in the rush to patch
 VG> update 10, update 11 was not properly designed) then again I think
 VG> I'm on solid ground pointing out the seemingly higher level of
 VG> "invulnerability" of JRE 6 update 38 vs *any* version of JRE 7.

do you have stats to back up this assertion?

)\/(ark
