Ethre Posted April 15, 2010
Just a warning to everyone on here - there's a new JAVA exploit that looks like it could be bad. Be extra careful when browsing the web in the coming days.
JAVA Exploit
Take care.
Pushkatu Posted April 15, 2010
So is it safe to click on that link? :blink:
DarkeWolf Posted April 15, 2010
Ew. This is nasty. This is really nasty, if they start doing this to cell phones with java browsers.
Pronam Posted April 15, 2010
Hm, this is truly annoying as it indeed.. just released its latest patch. Everyone is still vulnerable till it's fixed, almost everyone has java.
DarkWarrior45 Posted April 15, 2010
Yes, the link is safe to go to, but the target site does have ads in place.
Just checked the US-CERT site, the java vulnerability has been confirmed: http://www.kb.cert.org/vuls/id/886582
This is what's called a zero-day exploit, meaning that right now there is no fix for it. The vulnerability is only with Firefox and Internet Explorer, so cell phones should be safe. The vulnerability basically allows for an attacker to execute an arbitrary JAR file, meaning that they can execute any kind of code they want as long as it's Java (Firefox is built off of JAR files). You can be protected (but not completely) by disabling the Java Deployment Toolkit ActiveX control until a security is released.
DarkeWolf Posted April 15, 2010
Well, one solution might be to run the browser thru a sandbox app, like Sandboxie. Apps run inside a 'box aren't supposed to be able to affect anything that's not in the box. And then afterwards just delete the sandbox and poof... it's all gone. I may have to try this out. I keep putting it off, but yeah, now sounds like a good time to start trying it.
Ummm well, it kinda depends on the phone, and what browser it uses. iPhones should be ok, since they are based off of linux. A lot of smartphones use either Opera or Internet Explorer (mobile) tho. And many many of the media phone's operations are based on JAVA.
Ethre Posted April 15, 2010
Yeah, the link's safe Pushkatu. Sorry if I wasn't clear. :wink:
Regarding alternatives to disabling the toolkit - A sandbox app should work I think. Ex: Portable Firefox + Sandboxie
A simpler possibility might be using NoScript to block JavaScript except for sites you know to be good (ie, TES, Google, etc). (fyi - in my opinion, you should be running NoScript anyway).
Can someone else verify that these ideas should work?
Thor. Posted April 15, 2010
Note for you people running firefox, make sure ad block is up to date and you're running flash block.
Fifoo Posted April 16, 2010
I'll confirm that, Ethre and Thor, another excellent security tool: NoScript. Once this plugin is installed, it blocks JAR files, you can configure it to block Java, Adobe Flash, Microsoft Silverlight, etc... and you have a lot of options for your best internet security against java scripts and exploits, even those unknown. Added with Adblock Plus, these both are a must have for Firefox, and they are easy to use!
Note that it will deactivate some options allowed to your best Nexus Forum Full Editor: emoticons and tools, but on the bottom of your browser, click on NoScript's Option, then Authorise scripts temporarily or permanently (you have even the possibility to reset your choices) to reactivate them if you want, that's it.
LHammonds Posted April 16, 2010
It should be noted that the affected versions of Java are as follows:
Java 6 Update 10 through Update 19
The latest version (Java 6 Update 20) fixes this issue.
Here is the Java JRE download page: http://www.java.com/en/download/manual.jsp
LHammonds