|
Hex Darkstar posted: I believe http://www.cvedetails.com/version-list/5/1526/2/SUN-JRE.html?sha=3a6b2de2034bc3de0333cb8118a36d81e49eadbf&order=1&trc=431 has them all cataloged by version# as well as Update#. Not sure which update version you're looking for but it should be in there somewhere
Number of Vulnerabilities 148
What.
|
# ? Aug 30, 2012 00:07 |
|
Biowarfare posted: Number of Vulnerabilities
Hey now, only 21 of them execute code!
|
# ? Aug 30, 2012 00:13 |
|
http://arstechnica.com/security/2012/08/critical-java-bugs-reported-4-months-ago/
quote: According to IDG News, two of the 19 vulnerabilities Security Explorations reported in April are those now under attack. By combining them, hackers are able to completely bypass security protections built into Java that are supposed to isolate Java applications from sensitive operating system functions. Neither of those were fixed during the most recent critical patch update for Java in June, although it did address three other issues the Polish firm reported. Oracle's next regular update isn't scheduled until the mid-October. The flawed Java components violate many of Oracle's own Secure Coding Guidelines for the Java Programming Language, Security Explorations said.
Really? Not sure what to say about that, there are no words.
|
# ? Aug 30, 2012 01:29 |
|
Why hasn't something replaced java yet?
|
# ? Aug 30, 2012 01:53 |
|
pixaal posted: Why hasn't something replaced java yet?
I've stopped putting it in the base install of client machines, and it's only a few holdout programs on servers that need it installed. For day-to-day web use, it isn't needed at all. Just uninstall that poo poo heap. Hopefully with iOS and now Android driving the "No Flash" thing into people, I'll be able to remove the other fetid program from base installs within a year or so too.
|
# ? Aug 30, 2012 02:40 |
|
pixaal posted: Why hasn't something replaced java yet?
|
# ? Aug 30, 2012 03:07 |
|
I came in here to find out about this new dangerous Java exploit thing, and to be quite honest I don't actually know what Java is, let alone what it's for. I'm just going to uninstall it.
|
# ? Aug 30, 2012 03:09 |
|
YggiDee posted: I came in here to find out about this new dangerous Java exploit thing, and to be quite honest I don't actually know what Java is, let alone what it's for. I'm just going to uninstall it.
The corpse of Steve Jobs just got an erection.
|
# ? Aug 30, 2012 03:14 |
|
YggiDee posted: I came in here to find out about this new dangerous Java exploit thing, and to be quite honest I don't actually know what Java is, let alone what it's for. I'm just going to uninstall it.
It's for a ton of stuff you probably have installed, that now will not run!
|
# ? Aug 30, 2012 03:33 |
|
pixaal posted: It's for a ton of stuff you probably have installed, that now will not run!
...Actually, by the look of things, I haven't had Java at all since I forgot to install it when I reformatted a month ago
|
# ? Aug 30, 2012 03:45 |
|
I reinstalled Win 7 3 months ago onto my new SSD and never installed Java. I haven't run into a single site or application that absolutely required it. Uninstall it, you'll be fine. It's a security hole the size of Texas, and every infected-to-hell machine I have to work on has Java on it, because I see that goddamn orange icon in the taskbar telling me it needs to be updated. I saw someone on the last page had problems getting TDSSkiller to run. Try renaming the TDSS executable.
|
# ? Aug 30, 2012 14:08 |
|
reg:
quote: A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April.
|
# ? Aug 30, 2012 14:57 |
|
Gweenz posted:
Doesn't work, I tried & usually do try that or changing the extension to another executable type but whatever method that SST uses to detect and terminate TDSSKiller & aswMBR is really solid at blocking them from running despite name, location, user executed as etc... The only thing I use Java for right now is PS3 Media Server because it requires it to run. I just run it inside of a VM on my host machine; that way I keep the poo poo that is Java segregated from my main machine. Not that I do much browsing with the VM, so it's pretty safe.
Hex Darkstar fucked around with this message at 15:40 on Aug 30, 2012
|
# ? Aug 30, 2012 14:58 |
|
Okay, at this time I am uninstalling Java from my machine. It's not worth the risk, man.
|
# ? Aug 30, 2012 14:59 |
|
tjl posted: It's still the environment of choice for "write once, run anywhere" programming
Where "anywhere" means a specific version of Internet Explorer, running on a specific version of Windows, with a specific service pack gone soon
|
# ? Aug 30, 2012 19:09 |
|
Hex Darkstar posted: Doesn't work, I tried & usually do try that or changing the extension to another executable type but whatever method that SST uses to detect and terminate TDSSKiller & aswMBR is really solid at blocking them from running despite name, location, user executed as etc...
drat, sounds like they are getting pretty smart about blocking AV tools. Have you tried a Kaspersky CD? I've been having good luck lately removing the nastiest of the nasties using their rescue disk.
|
# ? Aug 30, 2012 19:23 |
|
If you're really serious about removing infections you need to do it with either another machine or a boot CD
|
# ? Aug 30, 2012 20:01 |
|
Yea, I tested out the Windows Defender Offline bootable USB drive against it which removed the rootkit (it identified as Alureon but that is because SST is based off Alureon/TDL's code) the main issue I had with that was it removed the infected boot record and then it made the machine unbootable. I thought maybe this was a one off issue but yesterday I was testing out Endpoint Protection 2012 (Forefront's new name) against ZeroAccess that was x64 compatible in our lab and it rendered the test machine unbootable too after cleanup. Just to be safe I repeated the same steps and it resulted in the same issue. System restore via recovery console was the only way to restore the system to a working state. Due to that I'm kind of fearful that MS anti-malware products might leave infected systems unbootable post cleanup if we begin using them going forward and ZeroAccess infects one of them. Physical presence in front of the machine was basically the only way I could get rid of the infection at the time, I had to use a Win 7 CD and do a bootrec.exe /fixmbr and bootrec.exe /fixboot to restore the machine to a bootable state.
|
# ? Aug 30, 2012 21:14 |
|
Oracle has released an update for JRE 7 that fixes the vulnerabilities: http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html
Edit: Articles regarding it here:
http://www.theregister.co.uk/2012/08/30/oracle_issues_java_0day_patch/
http://arstechnica.com/security/2012/08/oracle-patches-critical-java-bugs/
http://isc.sans.edu/diary/Oracle+Releases+Java+Security+Updates/14008
|
# ? Aug 30, 2012 22:45 |
But I need Java for my Minecraft
|
|
# ? Aug 31, 2012 00:51 |
|
I too have always been terrified that Minecraft is going to one day bite me in the rear end.
|
# ? Aug 31, 2012 01:25 |
|
Hasn't anyone rolled the update to a server? I'm thinking I'll test it on my dev server (Win2k8R2 64x) but I've actually got a prospective client app on there because I don't run Java on my real production server.
|
# ? Aug 31, 2012 01:29 |
|
EvilMuppet posted: But I need Java for my Minecraft
|
# ? Aug 31, 2012 01:37 |
|
Armourking posted: Not as 100% as uninstalling Java entirely, but you could always disable Java in IE/FF etc. At least cuts out a big chunk of attack area.
I thought it was Chrome/FF? And what about Hex's post, isn't the problem resolved for the moment?
|
# ? Aug 31, 2012 01:45 |
|
syscall girl posted: isn't the problem resolved for the moment?
Yea but what other nuggets of joy lay within this version? It's like a box of chocolates, you never know what you're going to get...except all the chocolates are really poo poo
|
# ? Aug 31, 2012 02:21 |
|
So going into Firefox's content menu in options and unchecking Enable Javascript is going to protect me from this right?
|
# ? Aug 31, 2012 06:33 |
|
syscall girl posted: I thought it was Chrome/FF?
This may be resolved, but the other unknown (to us) exploits are not.
|
# ? Aug 31, 2012 06:39 |
|
Tardcore posted: So going into Firefox's content menu in options and unchecking Enable Javascript is going to protect me from this right?
No. Java and JavaScript are two separate things. You need to update (but preferably uninstall) Java to be completely safe.
|
# ? Aug 31, 2012 07:02 |
|
Tardcore posted: So going into Firefox's content menu in options and unchecking Enable Javascript is going to protect me from this right?
http://www.ghacks.net/2012/08/30/how-to-disable-java-in-your-web-browser/ Is one of the guides that have just sprung up on how to do so.
|
# ? Aug 31, 2012 07:04 |
|
Alright, thanks for the link, got that poo poo disabled now.
|
# ? Aug 31, 2012 07:42 |
|
http://arstechnica.com/security/2012/08/critical-bug-discovered-in-newest-java/
Well that didn't take long, newest version of Java also has a vulnerability that allows for bypassing the JRE sandbox and taking control of a user's machine. The same firm that reported the other two vulnerabilities that prompted yesterday's patch found them within 2-3 hours of researching into it and have already disclosed this one to Oracle. But this time they also disclosed that it exists (but not any PoC code as that would be irresponsible) to online news outlets so Oracle can't sit on this one for another 4 months.
|
# ? Aug 31, 2012 20:30 |
|
To anyone who was curious I ran the patch on that Win2k8R2 server I was talking about. Nothing broken so far (knocks laminate), and I've got quite a few java server apps on there so it's probably good.
|
# ? Aug 31, 2012 21:10 |
|
Hmm, my last Java version was SE 7 U5 10.5.1.255, that's probably safe, but should I disable it and Java Deployment Toolkit just in case?
|
# ? Sep 1, 2012 00:29 |
|
pixaal posted: Why hasn't something replaced java yet?
The real question is why browsers execute Java-scripts (the common attack vector for attacking Java) from any source without asking. You can rant at people to just loving use no-script already, but the majority will expect an up-to-date browser to "do security" for them. Java is actually pretty cool, it's just implemented in the most insecure manner imaginable by browsers.
e: The other answer, is whatever replaces Java would be the next thing attacked, just like there were no OSX viruses when no one used it.
Khablam fucked around with this message at 13:11 on Sep 1, 2012
|
# ? Sep 1, 2012 13:07 |
|
Khablam posted: The real question is why browsers execute Java-scripts (the common attack vector for attacking Java) from any source without asking.
Java and JavaScript despite their names are totally different.
|
# ? Sep 1, 2012 14:38 |
|
Although NoScript actually blocks java and flash by default and displays a placeholder. It's very nice.
|
# ? Sep 1, 2012 15:22 |
|
Critical flaw found in just-patched Java posted: Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday.
What the gently caress, Oracle. Why do people still use java?
Impotence fucked around with this message at 15:58 on Sep 1, 2012
|
# ? Sep 1, 2012 15:50 |
|
Hex Darkstar posted: Doesn't work, I tried & usually do try that or changing the extension to another executable type but whatever method that SST uses to detect and terminate TDSSKiller & aswMBR is really solid at blocking them from running despite name, location, user executed as etc...
In regards to this, it's almost always (in my experience) a hidden, primary malicious partition that is booted to first and then Windows is loaded from there. Grab yourself a copy of GParted or your favourite partitioning tool and get rid of that sucker.
|
# ? Sep 1, 2012 16:20 |
|
TwoKnives posted: Java and JavaScript despite their names are totally different.
|
# ? Sep 1, 2012 16:42 |
|
Any word on whether this latest flaw also affects Java 6? I'm just going to assume that Java 6 is also affected. I don't even want to think about trying to downgrade again given how much of a massive pain it was to get Java 6 to work after previously having Java 7 installed.
|
# ? Sep 1, 2012 16:46 |