Re: Java 7u10 vulnerability in browsers

2013-01-14 Thread NoOp
On 01/13/2013 04:42 PM, Philip TAYLOR wrote:
> Which analyst(s) say is still too risky to deploy :
> 
>   
> http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113
> 
> Personally I have deployed the upgrade but still
> left it disabled in my browsers.
> 
> Philip Taylor 
> Paul B. Gallagher wrote:
> 
>> Update: Oracle has released an update to close the door.
>>
>> 
> 

And the US Department Of Homeland Security:


Of course Reuters don't bother to provide a cite link, so I have:




Solution

Update to Java 7u11

Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11
addresses this (CVE-2013-0422) and an equally severe vulnerability
(CVE-2012-3174). Immunity[1] has indicated that only the reflection
vulnerability has been fixed. Java 7u11 sets the default Java security
settings to "High" so that users will be prompted before running
unsigned or self-signed Java applets.

Unless it is absolutely necessary to run Java in web browsers, disable
it as described below, even after updating to 7u11. This will help
mitigate other Java vulnerabilities that may be discovered in the future.


Added note: Windows users - if you have JavaFX installed, you must
either uninstall it, or update it to the latest 2.2.4 version after you
update to Java 7u11 in order for Firefox or SeaMonkey to recognize Java.
The JavaFX update link is here:


If you absolutely have to run Java in FF or SM, I highly recommend
installing Prefbar so that you can easily turn Java on/off simply by
checking the Java box.

  

[1]



___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey


Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread NoOp
On 01/13/2013 05:01 PM, Mort wrote:
...
> 
> Hi,
> 
> Thanks for this post. I attempted to down-load the newest Java with the 
> security patch, and came to a dead end. I got an on-screen notice that 
> this only works through WIN-RAR, for which I must pay to subscribe. Is 
> there any other way to get this fix? (Oracle only supports CSI 
> customers, whatever that is.)
...

You downloaded the .tz (tar zipped) file. Download the .exe file instead:



If you'd rather not redownload, then use 7-Zip to extract the .tz:







Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread Lee
On 1/13/13, Mort  wrote:
> Paul B. Gallagher wrote:
>> Update: Oracle has released an update to close the door.
>>
>> 
>>
>>
>
>
> Hi,
>
> Thanks for this post. I attempted to down-load the newest Java with the
> security patch, and came to a dead end. I got an on-screen notice that
> this only works through WIN-RAR, for which I must pay to subscribe. Is
> there any other way to get this fix? (Oracle only supports CSI
> customers, whatever that is.)

I'm curious - what URL did you use to download Java?

I just tried & it worked fine for me
http://www.java.com/en/download/manual.jsp
and click on 'Windows Offline (32 bit)'

I wish Oracle would be clear about which versions still have known
security problems.  I've seen some info saying it's a problem with new
functionality introduced in Java 7 & other vuln. notices saying all
versions.
It'd be nice to know if it was safe [er?] using Java 6 instead...

6u38 here  http://www.java.com/en/download/manual_v6.jsp

Lee


Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread Paul B. Gallagher

Mort wrote:

> Paul B. Gallagher wrote:
>
>> Update: Oracle has released an update to close the door.
>>
>
> Hi,
>
> Thanks for this post. I attempted to download the newest Java with the
> security patch, and came to a dead end. I got an on-screen notice that
> this only works through WIN-RAR, for which I must pay to subscribe. Is
> there any other way to get this fix? (Oracle only supports CSI
> customers, whatever that is.)


Hard to say without knowing what OS and version you're running.

I went through the Java control panel in my Windows 7 Control Panel, and 
the update installed without incident.


As for Win-Rar, you can get a demo version without paying and use it for 
as long as you like. It will nag you to contribute each time it starts, 
but it runs fine after you dismiss the nag.



See also Philip Taylor's response to my post.

--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher


Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread Mort

Paul B. Gallagher wrote:

> Update: Oracle has released an update to close the door.
>


Hi,

Thanks for this post. I attempted to download the newest Java with the
security patch, and came to a dead end. I got an on-screen notice that
this only works through WIN-RAR, for which I must pay to subscribe. Is
there any other way to get this fix? (Oracle only supports CSI
customers, whatever that is.)


Thanks.

Mort Linder


Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread Philip TAYLOR
Which analyst(s) say is still too risky to deploy :


http://www.reuters.com/article/2013/01/13/us-java-oracle-security-idUSBRE90C0JB20130113

Personally I have deployed the upgrade but still
left it disabled in my browsers.

Philip Taylor   
Paul B. Gallagher wrote:

> Update: Oracle has released an update to close the door.
>
> 


Re: Java 7u10 vulnerability in browsers

2013-01-13 Thread Paul B. Gallagher

Update: Oracle has released an update to close the door.



--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher



Re: Java 7u10 vulnerability in browsers

2013-01-12 Thread cmcadams

Mort wrote:

> Paul B. Gallagher wrote:
>
>> question wrote:
>>
>>> Paul B. Gallagher wrote:
>>>
>>>> From CNet:
>>>>
>>>> ...
>>>>
>>>> Full story:
>>>>
>>>
>>> U.S. tells computer users to disable Java software
>>>
>>
>> Yes, this is the recommendation in the original CNet article as well, if
>> you followed the link and read it all.
>
> Hi,
>
> Based on initial reports, I already deleted Java. How do I know when it
> will be safe to re-install it? (Windows).
>
> Thanks.
>
> Mort Linder


Possibly never, considering Oracle's behavior. But it's not necessary to
delete it, just tell SeaMonkey to not use it. I keep my Java updated and
active ONLY in Internet Explorer, for use on a couple of specific webpages
that need it and I'm confident (or am willing to bet) are safe. And make
sure, in Control Panel, that your Java settings haven't changed since the
last time you looked. Yes, I got bitten that way, once.


Also, the latest Java has a new CP setting (under Security tab) to exclude it 
altogether from use by browsers. For running .jar files only.



Re: Java 7u10 vulnerability in browsers

2013-01-12 Thread Mort

Paul B. Gallagher wrote:

> question wrote:
>
>> Paul B. Gallagher wrote:
>>
>>> From CNet:
>>>
>>> ...
>>>
>>> Full story:
>>>
>>
>> U.S. tells computer users to disable Java software
>>
>
> Yes, this is the recommendation in the original CNet article as well, if
> you followed the link and read it all.



Hi,

Based on initial reports, I already deleted Java. How do I know when it 
will be safe to re-install it? (Windows).


Thanks.

Mort Linder


Re: Java 7u10 vulnerability in browsers

2013-01-12 Thread Paul B. Gallagher

question wrote:

> Paul B. Gallagher wrote:
>
>> From CNet:
>>
>> ...
>>
>> Full story:
>>
>
> U.S. tells computer users to disable Java software
>



Yes, this is the recommendation in the original CNet article as well, if 
you followed the link and read it all.


--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher



Re: Java 7u10 vulnerability in browsers

2013-01-12 Thread Daniel

Paul B. Gallagher wrote:

> From CNet:
>
> New malware exploiting Java 7 in Windows and Unix systems
> =
>

Gee, it must have been my downloading 7.10 last night that caused Oracle 
to start checking!! :-(


--
Daniel

Happy New Year and may 2013 be better for you than 2012 was!!




Re: Java 7u10 vulnerability in browsers

2013-01-11 Thread question

Paul B. Gallagher wrote:

> From CNet:
>
> New malware exploiting Java 7 in Windows and Unix systems
> =
> Mal/JavaJar-B is a cross-platform exploit of a new zero-day
> vulnerability in the latest Java runtimes.
> by Topher Kessler
> January 11, 2013 1:32 PM PST
>
> A new Trojan horse called Mal/JavaJar-B has been found that exploits a
> vulnerability in Oracle's Java 7 and affects even the latest version of
> the runtime (7u10).
>
> The exploit has been described by Sophos as a zero-day attack since it
> has been found being actively used in malware before developers have had
> a chance to investigate and patch it. The exploit is currently under
> review at the National Vulnerability Database and has been given an ID
> number CVE-2013-0422, where it is still described as relatively unknown:
>
> "Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows
> remote attackers to execute arbitrary code via unknown vectors, possibly
> related to "permissions of certain Java classes," as exploited in the
> wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."
>
> ...
>
> Full story:
>


U.S. tells computer users to disable Java software

Updated 9:00 p.m. ET

WASHINGTON - The U.S. Department of Homeland Security is advising people
to temporarily disable the Java software on their computers to avoid
potential hacking attacks.


The recommendation came in an advisory issued late Thursday, following 
up on concerns raised by computer security experts.


Read the US-CERT release concerning Java

Experts believe hackers have found a flaw in Java's coding that creates 
an opening for criminal activity and other high-tech mischief.


CNET's Topher Kessler writes:

"The malware has currently been seen attacking Windows, Linux and 
Unix systems, and while so far has not focused on OS X, may be able to 
do so given OS X is largely similar to Unix and Java is cross-platform.


Even though the exploit has not been seen in OS X, Apple has taken 
steps to block it by issuing an update to its built-in XProtect system 
to block the current version of the Java 7 runtime and require users 
install an as of yet unreleased version of the Java runtime.


Luckily with the latest versions of Java, users who need to keep it 
active can change a couple of settings to help secure their systems. Go 
to the Java Control Panel that is installed along with the runtime, and 
in the Security section uncheck the option to "Enable Java content in 
the browser," which will disable the browser plug-in. This will prevent 
the inadvertent execution of exploits that may be stumbled upon when 
browsing the Web, and is a recommended setting for most people to do. If 
you need to see a Java applet on the Web, then you can always 
temporarily re-enable the plug-in.


The second setting is to increase the security level of the Java 
runtime, which can also be done in the same Security section of the Java 
Control Panel. The default security level is Medium, but you can 
increase this to High or Very High. At the High level, Java will prompt 
you for approval before running any unsigned Java code, and at the Very 
High level all Java code will require such approval, regardless of 
whether or not it is signed."


Java is a widely used technical language that allows computer 
programmers to write a wide variety of Internet applications and other 
software programs that can run on just about any computer's operating 
system.


Oracle Corp. bought Java as part of a $7.3 billion acquisition of the 
software's creator, Sun Microsystems, in 2010.


Oracle, which is based in Redwood Shores, Calif., had no immediate 
comment late Friday.

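The US-CERT solution quoted in NoOp's 2013-01-14 message (update to 7u11, disable Java in the browser anyway) and the Java Control Panel steps in the CNET text above (uncheck "Enable Java content in the browser", raise the security level from Medium) boil down to three checks. What follows is an added example, not code from the thread, from Oracle or from US-CERT, that runs those checks against `java -version` output and the deployment.properties file the Control Panel writes. Assumptions: the property names deployment.webjava.enabled and deployment.security.level are the ones the Control Panel stores for those two settings; the sample banner and properties text in the block are constructed, not captured from a real machine.

```python
"""Audit a Java 7 install against the three recommendations in this
thread: update past 7u10 (7u11 is the release named as fixing
CVE-2013-0422), turn off the browser plug-in, and raise the Control
Panel security level above Medium.

Added example, not code from the thread, Oracle or US-CERT. Assumed:
the property names deployment.webjava.enabled and
deployment.security.level, which the Java Control Panel writes to
deployment.properties. Sample banner and properties are constructed.
"""
import re
import subprocess
import sys

# First Java 7 update the thread reports as fixing CVE-2013-0422.
FIXED_VERSION = (1, 7, 0, 11)
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(banner):
    """'java version "1.7.0_10"' -> (1, 7, 0, 10); None if no match."""
    m = _VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def affected_by_cve_2013_0422(version):
    """NVD text quoted in the thread: 'Java 7 Update 10 and earlier'.
    Java 6 is outside that range for this CVE; whether 6u38 is otherwise
    safe (Lee's question) is not something this check can answer."""
    return version[:2] == (1, 7) and version < FIXED_VERSION


def parse_deployment_properties(text):
    """Minimal reader for deployment.properties: key=value lines,
    '#' comments, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def audit(version_banner, properties_text):
    """Return the list of things still to fix (empty = all in place)."""
    findings = []
    version = parse_java_version(version_banner)
    if version is None:
        findings.append("could not parse `java -version` output")
    elif affected_by_cve_2013_0422(version):
        findings.append("Java %d.%d.%d_%d is affected by CVE-2013-0422; "
                        "update to 7u11 or later" % version)

    props = parse_deployment_properties(properties_text)
    # A missing key means the plug-in is on (the runtime default).
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("browser plug-in enabled; uncheck 'Enable Java content "
                        "in the browser' (deployment.webjava.enabled=false)")
    level = props.get("deployment.security.level")
    if level is None:
        findings.append("security level not set; runtime default applies "
                        "(Medium before 7u11, High from 7u11)")
    elif level.upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("security level is %s; raise it to High or Very High"
                        % level)
    return findings


# Constructed sample inputs, not captured from a real machine.
SAMPLE_BANNER_7U10 = 'java version "1.7.0_10"\n'
SAMPLE_PROPS_DEFAULT = "#deployment.properties\ndeployment.webjava.enabled=true\n" \
                       "deployment.security.level=MEDIUM\n"
SAMPLE_PROPS_HARDENED = "#deployment.properties\ndeployment.webjava.enabled=false\n" \
                        "deployment.security.level=VERY_HIGH\n"


def main(argv):
    """Audit this machine: `java -version` plus an optional path to the
    user's deployment.properties (location differs per OS, so pass it)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        print("no java binary on PATH; nothing to audit")
        return 0
    props_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else ""
    findings = audit(proc.stderr + proc.stdout, props_text)  # banner goes to stderr
    for item in findings:
        print("-", item)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_java.py /path/to/deployment.properties`; a non-zero exit means at least one of the three recommendations is not in place. Note that the version check only answers the narrow question the thread raises (is this runtime in the range NVD lists for CVE-2013-0422); a 7u11 install with the plug-in still enabled is still flagged, which matches US-CERT's advice to keep the browser plug-in off even after updating.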


Re: Java 7u10 vulnerability in browsers

2013-01-11 Thread NoOp
On 01/11/2013 03:14 PM, Paul B. Gallagher wrote:
>  From CNet:
> 
> New malware exploiting Java 7 in Windows and Unix systems
> =
...
> Full story:
> 
> 

Thanks for that.



Java 7u10 vulnerability in browsers

2013-01-11 Thread Paul B. Gallagher

From CNet:

New malware exploiting Java 7 in Windows and Unix systems
=
Mal/JavaJar-B is a cross-platform exploit of a new zero-day 
vulnerability in the latest Java runtimes.

by Topher Kessler
January 11, 2013 1:32 PM PST

A new Trojan horse called Mal/JavaJar-B has been found that exploits a 
vulnerability in Oracle's Java 7 and affects even the latest version of 
the runtime (7u10).


The exploit has been described by Sophos as a zero-day attack since it 
has been found being actively used in malware before developers have had 
a chance to investigate and patch it. The exploit is currently under 
review at the National Vulnerability Database and has been given an ID 
number CVE-2013-0422, where it is still described as relatively unknown:


"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows 
remote attackers to execute arbitrary code via unknown vectors, possibly 
related to "permissions of certain Java classes," as exploited in the 
wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack."


...

Full story:


--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher