Bitcoin Forum
Topic: Java 0-day Exploit. All browsers (Chrome included) are vulnerable.
Remember remember the 5th of November (OP)
August 28, 2012, 06:41:16 PM
 #1

Not that this exploit targets bitcoin, but it can very well be used to steal coins or cause other damages.

http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
Gabi
August 28, 2012, 06:47:28 PM
 #2

Ouch...

sadpandatech
August 28, 2012, 07:01:36 PM
 #3

good lookin' out. Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exist that don't auto update java properly due to pre-existing malware or other misconfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the components you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and/or subsites you wish.

If you're not excited by the idea of being an early adopter 'now', then you should come back in three or four years and either tell us "Told you it'd never work!" or join what should, by then, be a much more stable and easier-to-use system.
- GA

It is being worked on by smart people.  -DamienBlack
Portnoy
August 28, 2012, 07:04:18 PM
 #4

http://blog.markloiseau.com/2012/03/psa-disable-java-in-your-browser/

http://antivirus.about.com/od/securitytips/ht/How-To-Disable-Java-In-Internet-Explorer.htm
vuce
August 28, 2012, 07:08:33 PM
 #5

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.
acoindr
August 28, 2012, 07:21:58 PM
 #6

Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
ShireSilver
August 28, 2012, 07:26:18 PM
 #7

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.

Shire Silver, a better bullion that fits in your wallet. Get some, now accepting bitcoin!
kokojie
August 28, 2012, 07:34:24 PM
 #8

I think you are confusing java with javascript. Javascript is quite safe and there's almost no security reason to turn it off. Mostly it could do XSS and that is only if the site programmer implemented security poorly.

good lookin' out. Will be curious to see if Oracle pushes a patch out any time soon. And even then I wonder how many machines exist that don't auto update java properly due to pre-existing malware or other misconfigurations.

as for me, I always drive with the java key in the off position and only allow individual modules to load on a case by case basis...

for anyone else;

Java permissions in IE
http://support.microsoft.com/kb/315674

In Chrome;
chrome://chrome/settings/content
and tick the box for 'do not allow any site to run javascript'   To then enable it for a site you trust, you will see a small icon with a red x, at the far right side of the address bar. Just click it and select 'always allow javascript on this site'. Then refresh the page.

For firefox the addon 'NoScript' should do the trick. With it enabled all scripting is blocked in a site and you then enable the components you want to allow on a particular site by right clicking in the page or clicking the NoScript 'S' icon while on the page and allowing the site and/or subsites you wish.

btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
theymos
August 28, 2012, 07:51:13 PM
 #9

JRE sucks. Someone should make a better alternative. Flash, too.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
deepceleron
August 28, 2012, 08:14:20 PM
 #10

This exploit is based on a vulnerability that appears to have been introduced in Java 1.7 (Java 7). Java 6 is still maintained, and its latest release is from August 14, 6u34.

I would recommend that until a patch or updated release for Java 7 is issued, that one completely uninstall Java 7 from your operating system (or uninstall any older unmaintained Java 6). Restart your operating system.

Then install the Java SE Runtime Environment 6 u34 release for your operating system from this page:

http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html

It took me a minute to find it. On my linux system the Java plugin is called iced tea. Hope that helps.

This is an interesting case - although no exploit site mentions IcedTea, it is based on the OpenJDK Java 7 source code, and it would also be suspect unless proven otherwise.
unclemantis
August 28, 2012, 09:01:31 PM
 #11

I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is the above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
deepceleron
August 28, 2012, 09:22:47 PM
 #12

I have the following installed

Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012

I am sure others have the above installed as well if they own an HP Desktop.

Is this above vulnerable? Should I uninstall all of the above, restart and install from current base as of today?

Uninstall these in order from newest to oldest. The older ones are from upgrades that didn't properly remove the previous version or uninstaller option. Then restart, verify there is no Java left, and download and install Java(TM) SE Runtime 6 Update 34 (developer kit only if you are a Java programmer) from the link I provided.

All versions of Java 7 are vulnerable - Java 7 Update 6 is the latest, so your computer also wasn't keeping things up to date - update 5 has many other disclosed vulnerabilities. It is a good idea to go into the control panel, Java, and change the update frequency from monthly to weekly or daily (and don't update again to a version 7 until this vulnerability has been corrected).
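
The triage described in post #12, applied to the inventory from post #11, as an added example (not code from any poster in this thread). It encodes only the post's own claims as of August 28, 2012: every Java 7 update is treated as affected and Java 6 below Update 34 as outdated. The function names, and reading "newest to oldest" as version order, are assumptions.

```python
import re

# Constructed sample: the installed-programs list quoted in post #11.
INVENTORY = """\
Java(TM) 7 Update 5 Installed On 7/3/2012
Java(TM) SE Development Kit 6 Update 24 Installed On 4/2/2011
Java(TM) SE Runtime Environment 6 Update 1 Installed On 8/4/2008
JavaFX 2.1.1 Installed On 7/3/2012
"""

# "Java(TM) [SE <product>] <major> [Update <n>]" as shown in the list above.
ENTRY = re.compile(
    r"^Java\(TM\)\s+(?:SE\s+(?P<product>.+?)\s+)?(?P<major>\d+)"
    r"(?:\s+Update\s+(?P<update>\d+))?\b"
)
RECOMMENDED_JAVA6_UPDATE = 34  # 6u34, the release the thread recommends

def classify(line):
    """Return (major, update, verdict) for one inventory line."""
    m = ENTRY.match(line.strip())
    if not m:
        return (None, None, "not-assessed")  # e.g. JavaFX: no rule in the thread
    major = int(m.group("major"))
    update = int(m.group("update") or 0)
    if major == 7:
        return (major, update, "remove: Java 7, all updates affected per the thread")
    if major == 6 and update >= RECOMMENDED_JAVA6_UPDATE:
        return (major, update, "keep: maintained Java 6 release")
    if major <= 6:
        return (major, update, "remove: outdated, unmaintained update")
    return (major, update, "not-assessed")  # releases the thread never discusses

def removal_order(inventory):
    """Names of entries to uninstall, highest version first."""
    rows = []
    for line in inventory.splitlines():
        major, update, verdict = classify(line)
        if verdict.startswith("remove"):
            rows.append((major, update, line.split(" Installed On")[0]))
    rows.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return [name for _, _, name in rows]

def unassessed(inventory):
    """Lines the thread's rules say nothing about; review these by hand."""
    return [l for l in inventory.splitlines() if classify(l)[2] == "not-assessed"]

if __name__ == "__main__":
    print("uninstall in order:", removal_order(INVENTORY))
    print("review manually:", unassessed(INVENTORY))
```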
markm
August 28, 2012, 09:40:47 PM
 #13

Doesn't java 6 also have vulnerabilities?

Most security sites seemed to be saying do NOT go back to older java...

-MarkM-

Browser-launched Crossfire client now online (select CrossCiv server for Galactic  Milieu)
Free website hosting with PHP, MySQL etc: http://hosting.knotwork.com/
unclemantis
August 28, 2012, 09:43:14 PM
 #14

How about I just uninstall all versions of Java and not install Java at all until the coast is clear?

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
glub0x
August 28, 2012, 09:57:09 PM
 #15

Another reason we should be working on hardware wallets for non-tech savvy mainstream users, i.e., the majority of users.
+1

The cost of mediation increases transaction costs, limiting the
minimum practical transaction size and cutting off the possibility for small casual transactions

Satoshi Nakamoto : https://bitcoin.org/bitcoin.pdf
doobadoo
August 28, 2012, 10:03:40 PM
 #16

this is why i have disabled java, and haven't run it thru my browser in 10 years or so...

"It is, quite honestly, the biggest challenge to central banking since Andrew Jackson." -evoorhees
rjk
August 28, 2012, 10:10:16 PM
 #17

How about I just uninstall all versions of Java and not install Java at all until the coast is clear?
Excellent choice.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
mobile4ever
August 28, 2012, 10:25:46 PM
 #18


Java is not javascript. To disable Java click on Disable individual plug-ins... and disable Java there.

+1

Great post.

In Firefox, disable Java in the "Add-ons manager". Get there by the "Tools" drop down menu, go to "Add-ons" and the Java console will be there. Disable it.