# US-CERT: Disable Java



## SayWhat? (Jun 7, 2009)

> Vulnerability Note VU#625617
> Java 7 fails to restrict access to privileged code
> 
> Original Release date: 10 Jan 2013 | Last revised: 11 Jan 2013
> ...


http://www.kb.cert.org/vuls/id/625617


----------



## SayWhat? (Jun 7, 2009)

> Alert (TA13-010A)
> Oracle Java 7 Security Manager Bypass Vulnerability
> 
> Original release date: January 10, 2013 | Last revised: January 11, 2013
> ...


http://www.us-cert.gov/cas/techalerts/TA13-010A.html


----------



## davring (Jan 13, 2007)

I put a shortcut on my desktop to toggle it on/off as needed.


----------



## dpeters11 (May 30, 2007)

The problem is that this is just the vulnerability of the month. This is actually due to a partial fix they made in October.


----------



## jimmie57 (Jun 26, 2010)

If you run Firefox you can add a plug-in called NoScript. You can selectively allow or temporarily allow or deny scripts on an individual website and all the add-ins that come along for the ride.

*Edit: JavaScript is not the same as the Java language. To fix the potential problem you must disable Java use in your browsers.*


----------



## dpeters11 (May 30, 2007)

Or NotScript for Chrome.


----------



## jimmie57 (Jun 26, 2010)

OK, I followed the instructions and UNCHECKED the box in the Java Settings that said to Run Java in Browsers.
I went to the Java site and it does not think I have Java installed.

So,

I have been to dozens of sites and all of them work like they are supposed to do.
I do run Open Office and it is Java based and it runs fine still.

Has anyone found anything that does not work with Java in the Browser disabled ?


----------
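The check behind "the Java site does not think I have Java installed" is JavaScript on the page probing the browser for the Java plugin, which is also why JavaScript keeps working while Java applets do not. The following is an added example, not code from the thread or from java.com: the probe a page would run, written in JavaScript. The `navigator` objects are constructed stand-ins so it runs offline under Node; the MIME type list and the plugin name are illustrative assumptions.

```javascript
// Added example (not from the thread or from java.com): how a page decides
// whether the Java *plugin* is reachable from JavaScript. Java and JavaScript
// are unrelated: this file is JavaScript and runs with Java absent.
//
// In a browser, call detectJavaPlugin(window.navigator). The navigator objects
// below are constructed stand-ins, not captured from any real browser.

const JAVA_MIME_TYPES = [
  'application/x-java-applet',
  'application/x-java-vm',
  'application/x-java-bean',
];

// Look up a MIME type on a navigator.mimeTypes collection, which browsers
// expose both by index and by type name; count it only if a plugin is enabled.
function mimeTypeHandled(mimeTypes, type) {
  if (!mimeTypes) return false;
  const byName = mimeTypes[type];
  if (byName && byName.enabledPlugin) return true;
  for (let i = 0; i < (mimeTypes.length || 0); i++) {
    const m = mimeTypes[i];
    if (m && m.type === type && m.enabledPlugin) return true;
  }
  return false;
}

// Returns what each signal says, plus an overall verdict.
//  javaEnabled: navigator.javaEnabled(), a browser-side setting, not proof of a plugin
//  pluginFound: a registered plugin whose name mentions Java
//  mimeFound:   an applet MIME type with an enabled plugin behind it
function detectJavaPlugin(nav) {
  const javaEnabled = typeof nav.javaEnabled === 'function' ? Boolean(nav.javaEnabled()) : false;
  const plugins = nav.plugins || [];
  let pluginFound = false;
  for (let i = 0; i < (plugins.length || 0); i++) {
    if (plugins[i] && /java/i.test(plugins[i].name || '')) { pluginFound = true; break; }
  }
  const mimeFound = JAVA_MIME_TYPES.some(t => mimeTypeHandled(nav.mimeTypes, t));
  return { javaEnabled, pluginFound, mimeFound, present: javaEnabled && (pluginFound || mimeFound) };
}

// --- Constructed navigators (illustrative, not real browser output) ---
const javaPlugin = { name: 'Java(TM) Platform SE 7 U11', description: 'constructed' };
const appletMime = { type: 'application/x-java-applet', enabledPlugin: javaPlugin };

// Java installed and "Enable Java content in the browser" checked.
const NAV_JAVA_ENABLED = {
  javaEnabled: () => true,
  plugins: { length: 1, 0: javaPlugin },
  mimeTypes: { length: 1, 0: appletMime, 'application/x-java-applet': appletMime },
};

// Java installed but the browser checkbox unchecked: the plugin is no longer
// registered with the browser, so nothing appears in plugins/mimeTypes.
const NAV_JAVA_DISABLED = {
  javaEnabled: () => false,
  plugins: { length: 0 },
  mimeTypes: { length: 0 },
};

// Browser setting still allows Java but no plugin is registered (Java never
// installed): javaEnabled() on its own would mislead here.
const NAV_SETTING_ONLY = {
  javaEnabled: () => true,
  plugins: { length: 0 },
  mimeTypes: { length: 0 },
};

for (const [label, nav] of Object.entries({ NAV_JAVA_ENABLED, NAV_JAVA_DISABLED, NAV_SETTING_ONLY })) {
  console.log(label, detectJavaPlugin(nav));
}
```

The verdict requires both the browser setting and a registered plugin, which is why unchecking "Enable Java content in the browser" makes a detection page report Java as missing even though the runtime is still installed for desktop programs such as OpenOffice.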



## dpeters11 (May 30, 2007)

I believe time.gov uses java by default for the animated clock.


----------



## TMan (Oct 31, 2007)

Are we confusing Java and JavaScript here?


----------



## jimmie57 (Jun 26, 2010)

TMan said:


> Are we confusing Java and JavaScript here?


No, those are 2 totally different things.

Edit: Having said that, the NoScript I mentioned above is for JavaScript and not for the Java language.

I have disabled Java, and JS (JavaScript) does still work in my browsers, except of course if I am using Firefox with NoScript active.


----------



## jimmie57 (Jun 26, 2010)

dpeters11 said:


> I believe time.gov uses java by default for the animated clock.


I went there and it wants to install an ActiveX control.
I did not install it.
I do not know whether, if I let it install it, I would then have Java active again, or would just have one more control installed on my machine.


----------



## Cholly (Mar 22, 2004)

Strange - I find no Java folder on my computer. A search for javacpl.exe comes up empty.


----------



## Laxguy (Dec 2, 2010)

I am also in Java never-never land. The only time I am really aware I need it is going to the chatroom. The last six tries said I needed to update it, which I did four times. Quit the browser and restarted, even rebooted. Still says out of date and won't load, saying "broken plugin". Toggled Preferences on and off. Still no soap.


----------



## dpeters11 (May 30, 2007)

If you change your browser agent ID so that the chat room page thinks it's an iPad, Java isn't needed. Fewer features, however.


----------



## jimmie57 (Jun 26, 2010)

Cholly said:


> Strange - *I find no Java folder on my computer*. A search for javacpl.exe comes up empty.


Open up your Windows Control Panel and it should be in there.


----------



## djnaldo (May 27, 2005)

Here's a link telling you how to disable it in IE, Firefox, Chrome, and Safari.

http://howto.cnet.com/8301-11310_39...disable-java-in-ie-firefox-chrome-and-safari/


----------



## jimmie57 (Jun 26, 2010)

I just got update 11 for Java and installed it and then removed the version 10.
It says that it fixed a security problem.


----------



## dpeters11 (May 30, 2007)

Don't worry, there's more where that came from.


----------



## Cholly (Mar 22, 2004)

jimmie57 said:


> Open up your Windows Control Panel and it should be in there.


Nope -- not there


djnaldo said:


> Here's a link telling you how to disable it in IE, Firefox, Chrome, and Safari.
> 
> http://howto.cnet.com/8301-11310_39...disable-java-in-ie-firefox-chrome-and-safari/


Not there either. Apparently, when I installed Windows 8 on my computer, I didn't install Java.


----------



## MysteryMan (May 17, 2010)

Laxguy said:


> I am also in Java never-never land. The only time I am really aware I need it is going to chatroom. Last six tries said I needed to up date it, which I did four times. Quit browser and restarted, even rebooted. Still says out of date and won't load saying "broken plugin". Toggled Preferences on and off. Still no soap.


Same here.


----------



## jimmie57 (Jun 26, 2010)

Cholly said:


> Nope -- not there
> 
> Not there either. Apparently, when I installed Windows 8 on my computer, I didn't install Java.


It is possible that you do not have it installed at all.

If you go to Java.com it checks to see if you have it as soon as you get to the site. If it tells you to Download it for free or similar then you do not have it.


----------



## wilbur_the_goose (Aug 16, 2006)

Oracle patched Java today - 7u11.


----------



## billsharpe (Jan 25, 2007)

Just pay attention when you install or update Java. On one computer it asked me if I wanted to install McAfee a/v. Had to uncheck to proceed without it. On a second computer it asked me if I wanted to have Ask as my search engine and ask.com as my home page. Again, I had to uncheck to proceed.

GoDaddy would not open their upload/download Java applet when I tried to update my web site. GoDaddy insisted my current Java was out of date.


----------



## dpeters11 (May 30, 2007)

wilbur_the_goose said:


> Oracle patched Java today - 7u11.


Interesting that they changed the default setting to high. In your experience though, do people tend to just hit allow?


----------



## dpeters11 (May 30, 2007)

Oracle's fix was again incomplete. Exploit code has been sold that is able to compromise update 11.

http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/


----------



## heathramos (Dec 19, 2005)

Do browsers that offer some type of sandboxing provide any protection from these types of exploits?

Java updates don't seem to ever help for very long.


----------



## wilbur_the_goose (Aug 16, 2006)

Unfortunately, yes, they normally just hit "allow".

For me (I'm a CISSP), the only safe Java is no Java.


----------



## dpeters11 (May 30, 2007)

Agreed, problem is that at my employer, there are a lot of sites, including at the Federal level (PACER, USPTO for patent filing etc) that require Java. We're working on a solution for USPTO, since they only support Java 6, using a Terminal Server. PACER is used by a very large portion of the firm.


----------



## houskamp (Sep 14, 2006)

GM uses a Java app for programming ECMs on cars.


----------



## AntAltMike (Nov 21, 2004)

I just got this e-mail from [email protected]

**********************************************

You are protected against the latest Java vulnerability
You may have recently seen some of the extensive news coverage, including statements from the United States Department of Homeland Security, regarding a vulnerability in Java. Java is both a language and a platform to run websites and programs used by many computer users, both on the PC and Mac operating systems. This vulnerability leaves millions of computers open to malware attacks and can lure online traffic to virus-infected websites.

Rest assured, because you have a Norton security software product installed on your computer, you're protected against the Java bug (CVE-2013-0422), as long as you have not disabled the automatic updates feature.

We also recommend that you apply Oracle's recently released security patch and make sure you are running the most updated version of Java.

Thank you for being a valued Norton customer.

Sincerely,
The Norton Team

Learn more about Java Zero-Day vulnerability

*************************************

I haven't clicked the red lettered links. Is this notice on the up-and-up, or is someone trying to sucker me? I have Apache OpenOffice installed, which I thought used to be Oracle Open Office.


----------



## SayWhat? (Jun 7, 2009)

^^

First, I wouldn't trust anything from Norton.

Second, I had heard that O-o wasn't happy under Oracle, so I just went and looked:



> Apache OpenOffice (AOO) is an open-source office productivity software suite ... It was formerly known as OpenOffice.org (OOo) under Sun, then Oracle ownership.


http://en.wikipedia.org/wiki/OpenOffice

Third, I wouldn't trust anything from Norton.


----------



## AntAltMike (Nov 21, 2004)

What I am trying to confirm is that the e-mail is really from Norton and that the clickable links are to the real Norton. I pay them $60 a year for whatever it is they do, so I am not averse to them doing it, but I just want to make sure that "they" are "them".


----------



## wingrider01 (Sep 9, 2005)

AntAltMike said:


> What I am trying to confirm is that the e-mail is really from Norton and that the clickable links are to the real Norton. I pay them $60 a year for whatever it is they do, so I am not averse to them doing it, but I just want to make sure that "they" are "them".


My first move would be to call them and ask, or go directly to their support site


----------



## jimmie57 (Jun 26, 2010)

AntAltMike said:


> What I am trying to confirm is that the e-mail is really from Norton and that the clickable links are to the real Norton. I pay them $60 a year for whatever it is they do, so I am not averse to them doing it, but I just want to make sure that "they" are "them".


I use Norton Internet Security and I got this email also.
It is just informing you that they have the problem handled in the security software.
They are also recommending that you go to the Java website and make sure you have the latest Java on your machine.

When the first announcement came out I disabled Java in my "Browsers" and have not needed it for one single website since then.
I do run Open Office and have since 2006. It runs on Java and I need it for that program only.

As a rule I never click on a link that tells me to go to somewhere, except from ads from stores that I shop at, to check anything.
Open your Norton product and go to the website from there to be sure you are going to the right place.

I have been running this software, Norton Internet Security, since I got my new HP machine 3 years ago (it was already installed on it) and have had no problems with it.


----------



## wilbur_the_goose (Aug 16, 2006)

In my opinion, as a certified IT security guy, Norton is a waste of money. Microsoft Security Essentials is more effective, has a smaller footprint, and is free.


----------



## dpeters11 (May 30, 2007)

Though didn't they lose certification from av-test?


----------



## jimmie57 (Jun 26, 2010)

wilbur_the_goose said:


> In my opinion, as a certified IT security guy, Norton is a waste of money. Microsoft Security Essentials is more effective, has a smaller footprint, and is free.


I ran Security Essentials for a couple of years.
After a full scan with it I would then run a full scan with MalwareBytes. It found several things most of the time that Security essentials missed.
I can do the same with Norton and MalwareBytes and the latter never finds anything.


----------



## wingrider01 (Sep 9, 2005)

dpeters11 said:


> Though didn't they lose certification from av-test?


Yes

http://www.av-test.org/en/tests/home-user/windows-7/novdec-2012/


----------



## FHSPSU67 (Jan 12, 2007)

I've also used MSE since it came out and love it - don't even know it's there, unlike McAfee which I used previously.


----------



## jimmie57 (Jun 26, 2010)

I don't know what Norton Internet Security is rated on the site you all are referencing, but Security Essentials *is only rated 1.6* out of 6 for Protection on that site.

AVG Free version is rated 5 out of 6 for Protection. I did run it for a while and I did install it on several people's computers a few years ago.

Edit: If you look at the ratings in May / June, Norton Internet Security is rated 5 out of 6 for Protection.


----------



## SayWhat? (Jun 7, 2009)

jimmie57 said:


> AVG Free version is rated 5 out of 6 for Protection.


I stopped using that after it turned into bloatware.

I also used AdAware and SpyBot for a long time, but stopped when they got too big.


----------



## dpeters11 (May 30, 2007)

We were considering Microsoft Corporate AV, but I didn't like some of the things said (bad reviews a conspiracy, no need for Microsoft security updates, AV updates no more than 2 meg total).

Going to look at Kaspersky.


----------



## jimmie57 (Jun 26, 2010)

dpeters11 said:


> We were considering Microsoft Corporate AV, but I didn't like some of the things said (bad reviews a conspiracy, no need for Microsoft security updates, av updates no more than 2 meg total.
> 
> Going to look at Kaspersky.


For several years I used PC-Cillin by Trend Micro. The new software is Titanium. It is rated 6 on the protection level. The IT guy where I used to work had it installed for the company system and still does.

The reason I left them was that I used to let the subscription run out and pick it up the next month, trying to save money. It would work but would no longer update.
Well, when it came that time of year it stopped working without any notice whatsoever and left me totally exposed. I vowed that I would never buy it again.
It was very good however.


----------



## wilbur_the_goose (Aug 16, 2006)

dpeters - no signature updates? At work, mine updates every day.


----------



## dpeters11 (May 30, 2007)

No, they said that there were signature updates, but that an entire set, not the average delta, was only 2 meg, even though when I looked at the manual update file, it was 60 meg.


----------



## billsharpe (Jan 25, 2007)

wilbur_the_goose said:


> In my opinion, as a certified IT security guy, Norton is a waste of money. Microsoft Security Essentials is more effective, has a smaller footprint, and is free.


+1

I have MSE installed on all three of my computers.

I gave up on Norton several years ago after I kept getting "Norton has encountered a problem. Please reinstall."

Norton had great software when Peter Norton was still running the company.


----------



## satcrazy (Mar 16, 2011)

What is the general idea now, install the latest version? [had to uninstall mine as it didn't have the disable feature] Or, as a tech friend suggested, run without it until you find you have to have it. [hopefully a stable patch by then?]

He also said the same thing dpeters11 said: it's not the first or last for Java. Also, the best protection is always running your PC in user mode and password-protecting all accounts.

I use Bitdefender [2011 version] myself, and Kaspersky would be my second choice.

I actually loaded MSE and found a bug that Bitdefender didn't, but it couldn't do anything with it. [yeah, I'm second-guessing BD now]

I had Norton many years ago but it missed infections and got too big.

I think there is no magic bullet as all the AV's are flawed, IMO.

So, do you re-load Java or not?


----------



## dpeters11 (May 30, 2007)

I don't install Java on my home systems. The only thing I used it for is the DBSTalk chatroom, and I can change my agent ID to make it use the iPad version.

Plus, I hate the fact that you have to deselect the ask.com toolbar every time. Worse, I didn't realize this. If you aren't thinking, and miss the checkbox during an update, it tells you that you successfully installed Java and Ask. So you think to yourself, shoot, now I need to uninstall. Guess what? It's not in Add/Remove Programs. The Ask.com installer pauses for 10 minutes, then installs.

http://www.zdnet.com/a-close-look-a...eptive-software-with-java-updates-7000010038/


----------



## satcrazy (Mar 16, 2011)

jeez,
I never noticed the ask.com checkbox during an update. Really? Well, that's crap [you can't uninstall it.] Revo works great for that [not free, but an excellent program; I tried the trial version to eliminate a self-installed program I could not get rid of, worked like a dream!]

So, besides programming a car and the DBS chat room, why do we need Java again?


----------



## dpeters11 (May 30, 2007)

Oh, you can uninstall it, you just have to wait 10 minutes after it says it was successfully installed.

At work, there are several things that require it, including the Federal court system, and the USPTO. While at the same time another government agency says to get rid of it.

Several programs run on Java outside of the browser, which isn't as big an issue. GoToMeeting, Minecraft etc. Blu-Ray players use it even. It's really mainly the use in the browser that is the big security issue.


----------



## dpeters11 (May 30, 2007)

Shocking, even set to very high in update 11, which does not allow unsigned apps to run, an unsigned app can run using a vulnerability:

http://seclists.org/fulldisclosure/2013/Jan/241


----------



## satcrazy (Mar 16, 2011)

Is it more vulnerable in IE than Firefox?

It isn't looking like I'm going to re-install soon.


----------



## dpeters11 (May 30, 2007)

Java is not safe in any browser.

I also found Oracle has a head of Java security. I hope he was recently hired.


----------



## satcrazy (Mar 16, 2011)

O.K.

So you can install it for use outside of your browser, just disable it in the browser then?


----------



## dpeters11 (May 30, 2007)

Right, if you have apps that use it, like Minecraft, gotomeeting, etc. otherwise, don't bother with it at all.

Ok, I guess if you had to choose, Firefox would be safer with Click to Play. However, a lot of people will just click it without considering the ramifications. Plus, is it possible that there is a security hole that bypasses that? I'm still not going to risk it.


----------



## dpeters11 (May 30, 2007)

Java 7 update 13 is available, they skipped 12. Update if you have an older Java 7. Don't use Java if you don't need it 

Also, I'm going to give the head of Java security a pass. He was hired by Oracle in August. We'll give him a few months to correct 7+ years of issues.


----------



## phrelin (Jan 18, 2007)

To get the release 7-13 add-on to install correctly in Firefox it took a bit of undoing and redoing, I guess because I don't know what I'm doing. But it works. I have to use it as I have routine stuff I do using noaa.gov, bls.gov, and doleta.gov web sites. Unfortunately government web sites rely heavily on Java.

I'm assuming that by using the 13 release, the danger level is no worse than driving a car.


----------



## dpeters11 (May 30, 2007)

I agree, the government makes it hard. One agency tells you to get rid of it, others require it. We have the same issue at work. Federal Courts require it, Patent office requires version 6.

In that case, Firefox's click to run might help for someone that knows when to allow it to run or not. Problem is some will just click and enable.


----------

