U.S. Gov't advising PC users to disable Java - Attack


BrandonBP

New Member
Jul 29, 2019
91
0
0
Anyone know anything about this? Should we be concerned? How will I play FTB? :/

===============================================================

"The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web."

http://www.nbcnews.com/technology/t...software-security-concerns-escalate-1B7938755
 

Hydra

New Member
Jul 29, 2019
1,869
0
0
The problem is the browser plugins. If you disable the plugin you're safe.
 

Xadneil

New Member
Jul 29, 2019
8
0
0
From what I can tell, as long as you disable the Java plugin in your browsers, you should be safe (provided that you follow common sense precautions about downloaded programs). The warning seems to be about Java applications that exploit a vulnerability to access your computer. With the browser plugin disabled, Java apps from the internet cannot run without your permission. As for non-internet apps, you have to assess whether you trust the source. If you trust Mojang and the mod developers, you can play Minecraft and FTB.

Edit: ninja'd
 

whythisname

New Member
Jul 29, 2019
474
0
0
Or just don't run Windows...
Don't turn this into that discussion man... Not everyone likes to pay a huge premium for a nicely designed piece of shi...hardware, nor does everyone prefer open source OS's that don't support the software they need or run Windows in a virtual PC in order to use that software.

And yeah, as long as you have Java disabled for your browser there isn't any risk. In fact, I think only if you're going to sites you don't know you should look out, but most popular sites won't give trouble (unless they get hacked or something, but chances of that are pretty small). Also, Firefox by default disables Java because of the security risks it has.
 

SteveTech

New Member
Jul 29, 2019
144
0
0
@ShneekeyTheLost and Strubinator
*sigh*
Any system that runs Java (Linux, Mac, Windows, random esoteric operating system that only one devoted person uses) is vulnerable.

Don't start a flame war about OS's with your drivel. I hate certain things as much as the next guy but that doesn't mean I go out of my way to post nonsense in an arrogant attempt to misinform.

@Everyone else
On a helpful note, Xadneil is correct. It only affects the browser plug-in and so there are no worries for the FTB launcher.
http://blogs.cisco.com/security/new-java-vulnerability-being-exploited-in-the-wild/
 
  • Like
Reactions: Zmaster27

slay_mithos

New Member
Jul 29, 2019
1,288
0
0
Yep, my answer is also NoScript, and it has been for years.

Seriously, Java flaws? Why not talk about anything that runs in a browser?
Cookies, JavaScript, Java, Silverlight, Flash. Heck, even with HTML, you can do shitty stuff.
And that's not even speaking about phishing and all that.

The only thing is to only enable the various script types on an "as needed" basis, and only on trusted sites.

Also, to the few people that think that viruses and the like only come from pirated stuff and pron, rethink your approach.

The only way for your computer to be safe from pirates is to not have a computer at all, the second one being to only do everything by yourself on it, but then again, you can't be 100% certain that the hardware isn't bugged or pirated anyway, right?

Ah, US government, always have a joke for us to make the world think about insecurity on everything.
 

Toraxa

New Member
Jul 29, 2019
34
0
0
It wouldn't be such a concern if the default response to javascript in most browsers wasn't just to invite it in and offer it coffee.

We shouldn't need plugins like NoScript. The browser developers ought to realize that this stuff is consistently used for malicious purposes, even outside of outright vulnerability exploits, and not have it automatically accept every script from every page.
 

IBurn36360

Member
Jul 29, 2019
57
0
16
Please do not make the mistake of confusing this vulnerability in Java with vulnerabilities in JavaScript. JavaScript is a powerful scripting language specifically designed to be able to modify and control the HTML and CSS elements of a page to allow more interactivity with the end user. JavaScript is capable of running and installing malicious code onto your computer from your browser from malicious sites and has been taken advantage of in the past. As of now, the general rule of thumb is to NOT use any JavaScript from sites that you do not trust.

As for the security hole in Java (the language that Minecraft is coded in and utilizes to run), there is an inherent vulnerability in the reflection API (invokeWithArguments) that can allow access to restricted Java classes from external execution. For the most part, many sites do not use Java as a running environment, and it should be fairly unnoticeable if you disable the browser interactivity with Java. It is also worth mentioning that this vulnerability does not only affect Windows machines, but Linux and MacOS users as well. Apple's response has actually been not to update Java for some time in light of some security holes in Java from the past until now.

Lastly, please do not let anything like this recent security hole scare you too much. They pop up all of the time and are an unavoidable part of running code from an external source. Your safest bet would be to limit your personal vulnerabilities by limiting Java interaction, since it is seeing fewer and fewer uses in the web environment, and take steps, such as using a secondary or tertiary browser to browse websites wanting access to Java, to limit your chances of being exploited. Like I said, these warnings come around all of the time and will continue to happen as long as users run external code (everything you do on the internet). The developers at Sun Microsystems and Sun are working on a fix, if they haven't already completed a fix awaiting the next update cycle.
 

slay_mithos

New Member
Jul 29, 2019
1,288
0
0
Well, first, JavaScript is not Java, nothing in common, apart from the name containing the same letters in a similar order.

Secondly, without JavaScript, say goodbye to pretty much anything that has animations and stuff that changes on the page itself (maybe except the flash/java/silverlight).

Well, I guess it is coming from someone with no or little knowledge about it, but JavaScript is one of the very bases of most sites today.
Just server-side stuff won't permit you to do everything, and you will need to reload the page every time.

Plus, it would mark the comeback of the worst thing that HTML invented, namely iframes, that we mostly succeeded in rooting out in the past ten years, being one of the easiest ways to introduce malicious data in a page.

EDIT: ninja'd by a post way better constructed.
 

Tabu

New Member
Jul 29, 2019
130
0
0
It is also worth mentioning that this vulnerability does not only affect Windows machines, but Linux and MacOS users as well. Apple's response has actually been not to update java for some time in light of some security holes in Java from the past til now.

This part made me smile, Linux and Mac users always have their noses in the air and think they can't be attacked. The truth is they are wrong.
 

ShneekeyTheLost

Too Much Free Time
Dec 8, 2012
3,728
3,004
333
Lost as always
Yes, running a brick is much better.

Don't bring that stupid crap here, dude.
Actually, the reason I made my claim was that Linux doesn't USE Java, by default, in-browser. It uses IcedTea, which doesn't have the exploit vulnerability. Granted, you *CAN* put Java in your browser if you want, but it's not required.
 

Vovk

New Member
Jul 29, 2019
321
0
0
Or you could set up your system like a civilized person and separate out your root and user accounts. This vulnerability in java allows an unsigned applet to elevate its own rights to the rights of the user. It can be used for phishing and keylogging at the user level, but can only get deeply engrained in the system if you execute it as root/windows admin.
 
  • Like
Reactions: GreenWolf13

GreenWolf13

New Member
Jul 29, 2019
188
0
0
Or you could set up your system like a civilized person and separate out your root and user accounts. This vulnerability in java allows an unsigned applet to elevate its own rights to the rights of the user. It can be used for phishing and keylogging at the user level, but can only get deeply engrained in the system if you execute it as root/windows admin.
This. It's almost never a good idea to have your regular user account be the same as your admin account. That's just asking for trouble.
 

ShneekeyTheLost

Too Much Free Time
Dec 8, 2012
3,728
3,004
333
Lost as always
Or you could set up your system like a civilized person and separate out your root and user accounts. This vulnerability in java allows an unsigned applet to elevate its own rights to the rights of the user. It can be used for phishing and keylogging at the user level, but can only get deeply engrained in the system if you execute it as root/windows admin.
That too, of course. However, I was addressing specifically why it wouldn't even work in the first place, not why it would never work even if someone was silly enough to use the java web browser addon to begin with.
 

portablejim

New Member
Jul 29, 2019
267
0
1
Actually, the reason I made my claim was that Linux doesn't USE Oracle Java, by default, in-browser. It uses IcedTea version of java, which doesn't have the exploit vulnerability. Granted, you *CAN* put Oracle Java in your browser if you want, but it's not required.
FTFY

The most popular distributions that come with Java by default usually use IcedTea as the Java. I am not sure how the vulnerabilities carry over.

This part made me smile, Linux and Mac users always have their noses in the air and think they can't be attacked. The truth is they are wrong.
I agree that the security advantages of the Unix architecture often get overstated and simplified. I still think that Linux (and OS X) is more secure than Windows (given knowledgeable users).

This. It's almost never a good idea to have your regular user account be the same as your admin account. That's just asking for trouble.
Are you talking about accounts with elevated privileges (i.e. root) or a user that can elevate certain apps (i.e. a user that can use sudo)? If you mean the former, like Vovk was saying, then I agree.
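
The two checks this thread keeps returning to (is a Java browser plugin installed, and is the account root, sudo-capable or a plain user), as an added example that is not part of any post above. It assumes the plugin file names `libnpjp2.so` (Oracle) and `IcedTeaPlugin.so` (IcedTea-Web), the plugin directories listed on the last line, and membership in the `sudo`, `wheel` or `admin` group as a heuristic for "can elevate".

```shell
#!/bin/sh
# Added example (not from the thread): look for NPAPI Java browser plugins
# and report how privileged the current account is.
# Assumptions: plugin file names libnpjp2.so (Oracle) and IcedTeaPlugin.so
# (IcedTea-Web); the directories passed to audit at the bottom; and the
# group names sudo/wheel/admin as a heuristic for "can elevate".

# Print "oracle" or "icedtea" for a known Java plugin file, else nothing.
java_plugin_kind() {
    case "$(basename "$1")" in
        libnpjp2.so)      echo oracle ;;
        IcedTeaPlugin.so) echo icedtea ;;
    esac
}

# Print "kind<TAB>path" for each Java plugin in the given directories.
scan_plugin_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.so; do
            [ -e "$f" ] || continue
            kind=$(java_plugin_kind "$f")
            if [ -n "$kind" ]; then printf '%s\t%s\n' "$kind" "$f"; fi
        done
    done
    return 0
}

# Classify an account from `id -u` and `id -Gn` output.
account_privilege() {
    uid=$1; grps=" $2 "
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    case "$grps" in
        *" sudo "*|*" wheel "*|*" admin "*) echo admin-capable ;;
        *) echo user ;;
    esac
}

# Report findings; exit status 1 means a Java browser plugin is installed.
audit() {
    priv=$(account_privilege "$(id -u)" "$(id -Gn)")
    found=$(scan_plugin_dirs "$@")
    echo "account: $priv"
    if [ -z "$found" ]; then echo "no Java browser plugin found"; return 0; fi
    echo "$found"
    [ "$priv" = user ] || echo "note: plugin present on a privileged account"
    return 1
}

audit "$HOME/.mozilla/plugins" /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins || true
```

A plugin file on disk only shows that the plugin is installed; whether it is enabled is a per-browser setting that this script does not read.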
 

Ashzification

New Member
Jul 29, 2019
7,425
1
0
Anyone know anything about this? Should we be concerned? How will I play FTB? :/

===============================================================

"The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software, amplifying security experts' prior warnings to hundreds of millions of consumers and businesses that use it to surf the Web."

http://www.nbcnews.com/technology/t...software-security-concerns-escalate-1B7938755
Back on track:
Java has always been a rather insecure program. According to several people I know (one of them works for a local security firm) Java is one of the easiest ways to learn how to hack.
Besides, every time there is a new update, there will be a new way to bypass that update, a new hole for the loop, a new way for the "bad guys" to get around it.

Easy ways to "Avoid getting hacked"(AKA, Identity protection)
1. Don't put personal information about yourself on the internet. If you use Facebook or Twitter, don't use your full name.
2. Run scans of your computer frequently. Not just a virus scan though, not all malware is a virus!
3. Check your credit report at least once a year.
4. Keep your bank on a tight leash, and keep in contact with them! If something is wrong on your account, speak up!

Or, live off the grid. Your choice.

This was a scare tactic. The Dept. of Homeland Security feels left out of all of the national headlines, so they tried to scare you.

Edit: if you want a secure computer, make sure your computer is secured. Windows has more "hackers" because it has the largest user base in the world. Therefore largest chance for a "big cash payout". By comparison, Mac and Linux are more used in the professional environment, on a significantly smaller scale.