Showing posts with label Java. Show all posts

Jan 21, 2013

How to Disable Java in the Browser

Below are instructions for disabling Java from whatever Web browser you may use to surf the Web. These instructions were originally posted as a how-to in response to this piece: Zero-Day Java Exploit Debuts in Crimeware.


Update, Jan 10, 10:35 a.m. ET: The latest version of Java 7 (Update 10) includes a feature that makes it simpler to unplug Java from the browser. Oracle has posted instructions on how to use this feature on Windows here. Also, KrebsOnSecurity just published a comprehensive Q&A that seeks to answer some of the most frequently asked questions about the scope of this vulnerability, and steps that users can take to protect themselves.

Original post:

For Windows users:

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser.

Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type “Java”. A box labeled “Content settings” should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the “Disable individual plug-ins” link, find Java in the list, and click the disable link next to it.

Internet Explorer:

Getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Readiness Team (US-CERT) lists the following steps, which may or may not completely remove Java from IE:

In the Windows Control panel, open the Java item. Select the “Java” tab and click the “View” button. Uncheck “enabled” for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:

Click the Start button and type “regedit” in the search box. Double-click the regedit program file when it appears.

- Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example). There is one such subkey per installed JRE, so repeat this for each version listed.

If you are running a 32-bit version of Java on a 64-bit platform, you should instead set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.

- Run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.

US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.
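The registry steps above are easy to get wrong by hand (two hives, one subkey per JRE version, and a value that must be checked afterwards). The script below is an added example written for this page; it is not from the original post or from the US-CERT advisory. It walks every version subkey under both Java Plug-in keys named in the text, reports the current UseJava2IExplorer value, and with -Apply sets it to 0 and re-reads it so you can confirm the change took. It assumes the key layout described above (JavaSoft\Java Plug-in\<version>) and an elevated PowerShell prompt, since writing under HKLM needs administrator rights.

```powershell
<#
Added example (not the original post's or US-CERT's code).
Audit and, with -Apply, clear the UseJava2IExplorer flag for every JRE version
registered under the Java Plug-in keys, in both the native hive and the
Wow6432Node hive used by a 32-bit JRE on 64-bit Windows.
Assumptions: key layout JavaSoft\Java Plug-in\<version> as described in the
text, and an elevated prompt (HKLM writes require administrator rights).
#>
param(
    [switch]$Apply   # default is report-only; -Apply writes the value 0
)

$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

$results = foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        # Each subkey name is one JRE version, e.g. 10.6.2
        $before = (Get-ItemProperty -Path $key.PSPath).UseJava2IExplorer
        if ($Apply) {
            # Set-ItemProperty creates the value if it is missing; DWord is the type the text describes
            Set-ItemProperty -Path $key.PSPath -Name 'UseJava2IExplorer' -Value 0 -Type DWord
        }
        # Re-read so the report shows what the registry actually holds now, not what we intended
        $after = (Get-ItemProperty -Path $key.PSPath).UseJava2IExplorer
        [pscustomobject]@{
            Hive    = $root
            Version = $key.PSChildName
            Before  = if ($null -eq $before) { '<absent>' } else { $before }
            After   = if ($null -eq $after)  { '<absent>' } else { $after }
        }
    }
}

if (-not $results) {
    Write-Output 'No Java Plug-in version keys found under HKLM; nothing to change under the documented keys.'
} else {
    $results | Format-Table -AutoSize
    # After -Apply, any version whose value is still not 0 (or is absent) has not been disabled by this setting
    $stillOn = @($results | Where-Object { $_.After -ne 0 })
    if ($Apply -and $stillOn.Count -gt 0) {
        Write-Warning ('UseJava2IExplorer is not 0 for: ' + (($stillOn | ForEach-Object { $_.Version }) -join ', '))
    }
}
```

Run it once without arguments from an elevated prompt to see the current state, then with -Apply to make the change; the second run should show After = 0 for every version. This only unplugs Java from IE, exactly as the javacpl.exe route does; it neither removes nor patches the JRE, so the Java Control Panel update still has to be installed.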

For Mac users:

Safari: Click Preferences, and then the Security tab (uncheck “Enable Java”).

Google Chrome: Open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing.

Firefox: Click Tools, Add-ons, and disable the Java plugin(s). - source

50% of all website exploitations due to Java vulnerabilities

Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal agency continued to recommend that users disable Java in their Web browsers.


"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," DHS said Monday in an updated alert published on the website of its Computer Emergency Readiness Team. "To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available."

The alert follows on the department's warning late Thursday. Java allows programs to run within websites and powers some advertising networks. Users who disable Java may not be able to see portions of websites that display real-time data such as stock prices, graphical menus, weather updates and ads.

A vulnerability in the latest version, Java 7, was "being actively exploited," the department said.

Java 7 was released in 2011. Oracle said installing its "Update 11" will fix the problem.

Security experts said that special code to take advantage of the weakness is being sold on the black market through so-called "Web exploit packs" to Internet abusers who can use it to steal credit card data, personal information or cause other harm.

The packs, sold for upwards of $1,500 apiece, put working exploit code in the hands of relative amateurs. This particular flaw even enables attackers to compromise legitimate websites by taking over ad networks. The result: users are redirected to malicious sites where damaging software can be loaded onto their computers.

The sale of the packs means malware exploiting the security gap is "going to be spread across the Internet very quickly," said Liam O'Murchu, a researcher with Symantec Corp. "If you have the opportunity to turn it off, you should."

Oracle said it released two patches — to address the flaw highlighted by the government, as well as another flaw that the government said was "different but equally severe."

As well, the patches set Java's default security level to "high," so that users are shown a prompt before an unsigned applet runs and given a chance to decline it before anything loads onto their computers.

Disabling Java completely in the browser has a similar effect: when a website appears without crucial functions, users can click a button to turn Java back on.

Making users aware when Java programs are about to be installed gives users a 50/50 chance of avoiding malware, said Kurt Baumgartner, a senior security researcher with Kaspersky Lab.

Many programmers are avoiding Java altogether, and its use in Web browsers is on the decline, he said.

Kaspersky Lab estimated that last year 50 percent of all website exploitations were due to vulnerabilities in Java. Adobe's Acrobat Reader accounted for another 28 percent of vulnerabilities. - source

New Java exploit sells for $5,000 on the black market

For Oracle, it's deja vu all over again.

Just days after it released a patch for a serious security flaw discovered last week in its Java software, the software is making headlines again because another previously unpublicized flaw threatens the security of millions of PCs that may still have the application running on them.


Oracle released a fix Sunday for a Java flaw so serious that the U.S. Department of Homeland Security recommended that computer users disable the software unless using it was "absolutely necessary."

That advice was repeated Monday by the department's Computer Emergency Readiness Team (US-CERT) even after the patch was made available to users.

Vulnerability for sale

Now it's being reported that an enterprising black hat is peddling a new zero-day exploit for the latest version of Java (version 7, update 11) to up to two buyers for $5,000 each.


Both weaponized and source code versions of the exploit were being offered by the seller, according to security blogger Brian Krebs, who discovered the offer on an exclusive cybercrime forum.

Since Krebs discovered the offer, he said, it has been removed from the crime forum, suggesting the seller found his buyers for the exploit.

"To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," Krebs wrote.

This latest Java exploit is worse than the last one because no one knows what it is, according to Bogdan Botezatu, senior e-threat analyst with anti-virus software maker Bitdefender.

In the flaw patched Sunday, he explained, the exploit code was identified by security researchers in some popular malware kits. With the latest flaw, it's only known to the seller.

"The current method of exploitation will likely remain unknown for a bigger timeframe, which will also increase the attackers' windows of opportunity," Botezatu said in an email.

Earlier this week, Botezatu noted in a blog that despite the patch pushed by Oracle on Sunday, cyber criminals continued to exploit the vulnerability on unpatched machines to install ransomware on them.

Oracle's security moves

In addition to addressing the zero-day vulnerability in Sunday's patch, Oracle also boosted Java's security setting to "high" by default. "That means that right now the user has to authorize the execution of Java applets that are not signed with a valid certificate," explained Jaimie Blasco, manager of AlienVault Labs, in an email.

While that move is a great step toward making Java more secure on a browser, Blasco noted, it is far from a panacea for Java's problems.

"In the past, we have seen that the attackers were able to steal a valid certificate to sign malicious code so it won't surprise me if we see this technique being used," he said.

Because Java appears to be riddled with vulnerabilities, Bitdefender's Botezatu recommends Oracle identify the core components of the software and rewrite it from scratch.

No doubt, more than a little rewriting of the software will be done when Oracle releases the next version of Java scheduled for September. - source