Have you disabled your Java?

[TheVrolok]

Disabled by default, and I'm running version 6 anyway.

 

[PeeluckyDuckee]

My dlink web cam uses java and neither of the app under windows/osx work at the moment. My only access right now is through android app on my GNexus.

Safari runs like crap right now, not sure if it's related to Java at all, but I've never experienced such slow down prior to this week.

 

[Cerb]

Disabled in all browsers on all PCs, except Chrome variants (click to play, which, IMO, should be the default, for security reasons). The Java plugin serves no better purpose than as an attack vector.

 

[clamum]

Already was disabled in Firefox (looks like I have version 6 there anyway). That's good, cause the Security tab in the Java Control Panel only has a "Certificates" button, lulz.

 

[JEDIYoda]

I cannot do without my cup of java in the morning.....

 

[Wyndru]

So for this to actually be a risk, you have to have version 7 of Java installed and hit a website that has malicious code in it that will trigger java (not javascript), created by someone that has already started abusing this exploit discovered by a security firm on Friday?

Is this firm handing out the code to hackers or something?

Oh, nevermind, I read the metaslpoit post. I love how when this stuff hits the news, the exploit immediately becomes widely available, with screenshots and instructions on how to use it.

 

[mechBgon]

So for this to actually be a risk, you have to have version 7 of Java installed and hit a website that has malicious code in it that will trigger java (not javascript), created by someone that has already started abusing this exploit discovered by a security firm on Friday?

Is this firm handing out the code to hackers or something?

Oh, nevermind, I read the metaslpoit post. I love how when this stuff hits the news, the exploit immediately becomes widely available, with screenshots and instructions on how to use it.

Kaspersky Lab said it's been in the wild since mid-December: http://www.securelist.com/en/blog/208194070/Java_0day_Mass_Exploit_Distribution

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites.

According to Immunity, version 6r10 and later are also affected, not just JRE 7: https://partners.immunityinc.com/idocs/Java MBeanInstantiator.findClass 0day Analysis.pdf (PDF).

My dlink web cam uses java

Thanks for mentioning this, I will make sure nevar to buy a D-Link webcam without first making sure it's free of the Java prerequisite.

 

[John Connor]

I have an add-on for Firefox called Quickjava and it allows me to disable Java when I'm not using it. I never keep it on unless I need it and that need is only for pingtest.net. I also use Noscript which not only will block Javascript, but Java unless I approve of it.

 

[WT]

We spent a lot of time at work this week fixing a broken Java 7.10 deployment on teacher's laptops - its what runs the gradebook app. As of Friday it worked, and then I get home only to read that Java is now disabled within the supported browser.

Monday will be no fun at all I am sure ... this could get messy.

 

[Svnla]

Thanks to lxs and mech (especially the link to check if the programs are up to date or not). <thumb up>

 

[GrumpyMan]

Haven't read the rest of this thread but I have not disabled my java, I like it with 2 sugars and 1 cream. I couldn't do without it in the morning.

 

[RossMAN]

My dlink web cam uses java and neither of the app under windows/osx work at the moment. My only access right now is through android app on my GNexus.

Any idea if Foscam uses Java or not?

 

[disappoint]

Java doesn't kill people, people kill Java.

 

[FelixDeCat]

Scottrade requires JAVA for steaming quotes so its enabled for IE. All other sites are browsed with FF.

To be safe, its uninstalled for now until the update is available on Tuesday. I oversee several dollars and need access to Java so I can manipulate governments and people to serve my Machiavellian interests.

()

 

[disappoint]

Scottrade requires JAVA for steaming quotes so its enabled for IE. All other sites are browsed with FF.

To be safe, its uninstalled for now until the update is available on Tuesday. I oversee several dollars and need access to Java so I can manipulate governments and people to serve my Machiavellian interests.

()

 

[biostud]

I have an add-on for Firefox called Quickjava and it allows me to disable Java when I'm not using it. I never keep it on unless I need it and that need is only for pingtest.net. I also use Noscript which not only will block Javascript, but Java unless I approve of it.

Thanks for QuickJava

 

[biostud]

well, the fix is up now 7.11

 

[hclarkjr]

well, the fix is up now 7.11

http://java.com/en/download/index.jsp

 

[FelixDeCat]

http://java.com/en/download/index.jsp

Great. Now I can get steaming quotes on Monday to serve my New World Order Fund.

 

[Dumac]

Disabled it in browser, yeah.

See no need to remove it from my computer, though.

 

[John Connor]

Thanks for QuickJava

No problem.

 

[paulney]

Can't run GoToMeeting without Java, and that's what I use daily, so kept it enabled.

 

[hclarkjr]

http://news.softpedia.com/news/Java...-for-5-000-on-Underground-Market-321702.shtml

Less than a week has passed since Oracle patched the vulnerability in Java 7 Update 10 and another zero-day exploit &#8211; which is said to work on Java 7 Update 11 &#8211; is already being sold on the cybercriminal underground market.

Brian Krebs, who came across an ad for the exploit on a hacker forum on Monday, reveals that the author had offered to sell it to two people for the price of $5,000 (3,750 EUR). The buyers were promised an &#8220;encrypted&#8221; and &#8220;weaponized&#8221; version of the exploit.

In the ad he posted, the seller claimed that the exploit was not integrated into any known crime kits, not even in the expensive Cool Exploit Kit.

According to Krebs, the cybercriminal most likely found buyers since the post was removed from the forum.

This shows that the US Department of Homeland Security is right to advise users to uninstall Java if they don&#8217;t need it for their everyday tasks.

In its advisory, the DHS has warned that Oracle might have addressed one issue, but some old vulnerabilities are still unfixed and security holes are identified in Java all the time.

 

[Fritzo]

 

[John Connor]

That looks goooood. I want some! My damn espresso machine quit working for me the other day too. Off to eBay to find a replacement.