David Baxter PhD

Late Founder
Detecting and Removing Vulnerable Java Versions
by Dennis Fisher
August 28, 2012

As attacks on the new Java zero-day vulnerability continue and researchers look for ways to mitigate the flaw, they are encouraging users to disable Java in their browsers. There is now a site that users can visit that will detect whether their browser is running a vulnerable version of Java.

Security vendor Rapid7 has set up a site that will detect the version of Java that is running in the user's browser and tell her whether it contains the newly discovered Java vulnerability. The flaw is in Java 7 and researchers have found ongoing attacks in the wild targeting the vulnerability. The attacks are in the form of drive-by downloads right now, with successful exploitation leading to the installation of the Poison Ivy remote-access tool on compromised machines. Poison Ivy is a well-known RAT and has been used in a number of attacks in recent years.

Java has become a major target for attackers in the last few years, as it offers a number of things that appeal to them: wide deployment, a long update cycle and lots of readily available bugs. Java vulnerabilities often are included in exploit packs and tend to be used in the kind of drive-by download attacks that often ensnare unsuspecting users.

Oracle has not released any statements on the new Java flaw, but the next scheduled patch release is not until mid-October. Oracle does not release emergency patches often, so the best course of action right now is to disable Java in any browser that you use regularly.

To disable Java in Google Chrome:

  • Go to the wrench in the upper right corner of the browser window
  • Click on settings and search for Java in the search box
  • Click on the highlighted Content Settings button and then scroll down to the Plug-ins entry
  • Select Disable Individual Plugins and then click on Disable Java

To disable Java in Mozilla Firefox:

  • Click on the Firefox tab in the top left corner and then click Add-ons
  • Select Plug-ins and then click Disable on Java

Disabling Java in Internet Explorer is a little more complex, for some reason. Brian Krebs has a description of a couple of different methods for removing Java from IE.
 

Retired

Member
Disabling Java in Internet Explorer is a little more complex, for some reason

Just did it on a Vista computer, and was able to do it using the simple method, thus avoiding the complex method of editing the registry.
 

Retired

Member
The current version of Java is Version 7 Update 7 as of today's date.

It seems this latest version has just recently been posted for download; however the warning does not specify which version update is vulnerable, only the version number 7.

How can a user know when it is safe to download, install and use JAVA?

Is disabling enough or should it be uninstalled from the system?

What about online operations that require JAVA to run? e.g. I use LogMeIn, which requires JAVA to allow remote control access to systems I maintain.
 

Retired

Member
More investigation on the topic of the current Java security vulnerabilities led me to this discussion on a Forum I frequent.

Summary:

Disable or uninstall JAVA version 7.

Version 6 seems OK for now, but version 7 appears to have vulnerabilities.

Current latest version 6 is 6.35 available HERE

Oracle just released update 7 for version 7, but it is not clear if update 7 addresses the required fixes. Reports should be forthcoming in the next few days.

Most systems don't require JAVA and when required, the system should notify. If absolutely necessary, try using version 6 until more is known.
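The thread's advice boils down to a rule of thumb: find out which Java runtime a machine has, treat any Java 7 build as affected, and regard Java 6 as not reported affected for now. The script below is an added example (it is not from the article, Rapid7's detection site, or any of the posters) that applies that rule to captured `java -version` output from several hosts. The hostnames and build numbers are constructed for the example, and the script deliberately says nothing about whether Java 7 Update 7 fixes the flaw, because the thread does not settle that.

```python
"""Classify Java runtime versions from captured `java -version` output.

Added example, not code from the article or the forum posts. It encodes only
the thread's rule of thumb: any Java 7 build is treated as affected by the
August 2012 zero-day, Java 6 is not reported affected here, and no claim is
made about which update level (if any) fixes the flaw.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample outputs in the form `java -version` prints to stderr.
# Hostnames and build numbers are made up for this example.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "host-a": 'java version "1.7.0_06"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_06-b24)\n',
    "host-b": 'java version "1.6.0_35"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_35-b10)\n',
    "host-c": 'java version "1.7.0_07"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n',
    "host-d": "bash: java: command not found\n",
}

# 2012-era Oracle version strings look like 1.<major>.0_<update>; the update
# suffix is optional in early builds, so it is captured as an optional group.
VERSION_RE = re.compile(
    r'java version "1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?"'
)


@dataclass(frozen=True)
class JavaVersion:
    major: int   # 6 or 7 for the runtimes discussed in the thread
    update: int  # update level, 0 when the string carries none


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Return the JavaVersion found in `java -version` output, or None."""
    match = VERSION_RE.search(output)
    if match is None:
        return None
    update = match.group("update")
    return JavaVersion(int(match.group("major")), int(update) if update else 0)


def classify(version: Optional[JavaVersion]) -> str:
    """Map a parsed version onto the recommendation given in the thread."""
    if version is None:
        return "no Java runtime found"
    if version.major == 7:
        return "affected: Java 7, disable the browser plug-in or uninstall"
    if version.major == 6:
        return "not reported affected in this thread: Java 6"
    return f"unrecognised major version {version.major}"


def audit(outputs: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's captured `java -version` output."""
    return {host: classify(parse_java_version(text))
            for host, text in outputs.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict}")
```

On a real fleet you would collect the text with `java -version 2>&1` on each host and feed it to `audit`; the parser tolerates the "command not found" case so a host with no Java is reported rather than crashing the run.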
 