Homeland Security is advising people to temporarily disable Java???????

[gran2x2]

WASHINGTON
The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.

The recommendation came in an advisory issued late Thursday, following up on concerns raised by computer security experts.

Read the US-CERT release concerning Java
http://www.us-cert.gov/cas/techalerts/TA13-010A.html

Experts believe hackers have found a flaw in Java's coding that creates an opening for criminal activity and other high-tech mischief.

CNET's Topher Kessler writes:

"The malware has currently been seen attacking Windows, Linux and Unix systems, and while so far has not focused on OS X, may be able to do so given OS X is largely similar to Unix and Java is cross-platform.

Even though the exploit has not been seen in OS X, Apple has taken steps to block it by issuing an update to its built-in XProtect system to block the current version of the Java 7 runtime and require users install an as of yet unreleased version of the Java runtime.

Luckily with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to "Enable Java content in the browser," which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is a recommended setting for most people to do. If you need to see a Java applet on the Web, then you can always temporarily re-enable the plug-in.

The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed."

Java is a widely used technical language that allows computer programmers to write a wide variety of Internet applications and other software programs that can run on just about any computer's operating system.

Oracle Corp. bought Java as part of a $7.3 billion acquisition of the software's creator, Sun Microsystems, in 2010.

Oracle, which is based in Redwood Shores, Calif., had no immediate comment late Friday

[snap20]

A little more info here too:

http://arstechnica.com/security/2013/01/critical-java-vulnerability-made-possible-by-earlier-incomplete-patch/

I decided to just completely remove Java from my main system for now. Fix is (supposedly) going to be released on Tuesday.

[snap20]

A fix has been released. If you currently have Version 7 Update 10, definitely update your Java install.

http://www.oracle.com/technetwork/java/javase/downloads/index.html

[hotpinklovesofa]

 
No, Seriously, Just Disable Java in Your Browser Right Now
By Will Oremus
Posted Monday, Jan. 14, 2013, at 11:49 AM ET
   
The last time hackers found a hole in Java's browser plugin so bad that it sparked a warning from Homeland Security—which was less than five months ago, mind you—I wrote that you should "probably disable Java on your browser right now." If you read that post and took action, then you were free to breathe easy this past weekend, when yet another critical Java zero-day vulnerability left hundreds of millions of Internet users potentially vulnerable to malware attacks. If you didn't, well, now's your chance.

The latest security flaws, which were widely publicized last week, once again gave cyber-crooks the ability to use Java applications to take control of your computer if you visited a hacked website. Oracle—which inherited Java when it bought Sun Microsystems in 2010—issued an emergency update on Sunday that attempts to patch the holes.

That might sound like a prompt response, until you consider that security researchers allegedly notified the company about the bug months ago. Or that the patch apparently leaves in place weaknesses that criminals could still exploit. Or that this is just the latest in a long string of Java problems that have made the language the overwhelming top choice for software-based computer hacks. According to Reuters, the security firm Kaspersky Lab estimates that Java was used in 50 percent of all attacks in which hackers broke into computers by exploiting software bugs.

So while many media reports will direct you to the Oracle website to promptly install Java 7 update 11, there remains a far better option. Unless you're one of the few Web users who regularly uses an important site that requires Java, take the advice of security experts like Adam Gowdiak of Security Explorations and H.D. Moore of Rapid7 and just disable it in your browser already.

As noted before, disabling the Java plug-in on your Web browser doesn't require uninstalling it from your machine entirely, and it won't prevent you from Java-based software outside of your Web browser. It just means that you'll see an image like the screenshot above when you happen to visit one of the relatively few remaining websites that use Java applets. If you find you really need it for some sites, you can always disable it in your main browser but keep it enabled in a secondary browser that you use just for those sites.

Basic instructions for unplugging Java from your browser are below, and more comprehensive how-tos are available here and here. Note: Do not confuse Java with Javascript, which is unrelated and is essential to the proper functioning of far more websites. Disable Java, but leave Javascript enabled. If you have more questions, the blog Krebs on Security has an excellent FAQ here. (No, you aren't necessarily safe just because you don't visit sketchy websites, or because you're using Linux or a Mac.)

Lest you think disabling Java in your browser is too extreme a step, consider that both Apple and Mozilla responded to the latest vulnerability by essentially doing just that. You can do the same. It's easy. And next time everyone is freaking out about a new Java hack, the only decision you'll face is whether to nod sympathetically or smugly.

To unplug Java:

    In Firefox, select "Tools" from the main menu, then "Add-ons," then click the "Disable" button next to any Java plug-ins.
    In Safari, click "Safari" in the main menu bar, then "Preferences," then select the "Security" tab and uncheck the button next to "Enable Java."
    In Chrome, type or copy "Chrome://plugins" into your browser's address bar, then click the "Disable" button below any Java plug-ins.
    In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.



For article with active links: http://www.slate.com/blogs/future_tense/2013/01/14/java_zero_day_exploit_don_t_patch_just_disable_java_in_your_browser.html

[snap20]

I agree that removing Java is the best thing (or at least disabling the plug-in as it tells you) but with all of us using pogo, a Java plug-in is required to play any of the games. There are options for anyone wishing to use a different browser just for pogo, of course, but most people are flat out too lazy to do that. You can sandbox a version of your browser even, if that's the route you want to take. Because of this, updating to Java 7.11 is advisable no matter what, if you still have Java installed. I've removed Java from one of my systems for the time being, and have updated the other to 7.11 and set it up to prompt me to accept Java to be run through the plug-in.

Internet security starts with the user first. If you take precautions on your internet behavior,  you can eliminate most threats. I've had Java installed since day one, and I've never had an exploit issue. That's because I use Firefox with add-ons, and because I don't go to shady sites or download things I'm not sure of. Blocking ads through Firefox is honestly, one of the best ways to prevent malware and exploit attacks on a regular basis. So many of those programs are delivered through ads, because of the number of ad companies and the ease it is for someone to slip an ad in there with malicious intent (if you think advertisers comb through every single ad they have before the serve them to the general public, you are sorely mistaken).

*steps off soapbox*

[hotpinklovesofa]

Not sure why people seem so defensive on this site lately. Wasn't trying to derail or diminish snap20's previous post but wanted to simply update the situation from last night. I hope it's obvious that the title of the article didn't come from me but from the author.

[snap20]

Not sure why people seem so defensive on this site lately. Wasn't trying to derail or diminish snap20's previous post but wanted to simply update the situation from last night. I hope it's obvious that the title of the article didn't come from me but from the author.

No, I know. It wasn't you, it was the story and the fact that I've seen numerous posts on other sites saying "just uninstall java and forget it!" which doesn't solve the problem for most people. Just kind of became a culmination thing.

Sorry if it seemed I was ranting about you/at you hotpink...that was not the case and not what I intended. :)

[snap20]

Numerous exploits have already been found in Version 7 update 11: http://news.softpedia.com/news/Java-7-Update-11-Zero-Day-Exploit-Sold-for-5-000-on-Underground-Market-321702.shtml

LOL. I wish Pogo would get rid of Java. That is literally the only site I go to that I need it for...as I'm sure it is for most of us here.

[C~M]

I wish Pogo would get rid of Java. That is literally the only site I go to that I need it for...as I'm sure it is for most of us here.

Actually there are alot of sites you go to every day that use Java. They don't have to be games. That is why there are billions of downloads of it every day. Your car uses it, smart phones use it, all kinds of things use it.

IF you don't believe me, uninstall all of your Java and start browsing the internet. I am sure you will encounter the old You must have Java to view this page/site.

Like a bunch of hackers got together and decided to hack into Java because no one uses it except  Pogo players, lol
They hacked it because it is the basis for most of the internet, how else do you think you would get the virus?

Just my

[snap20]

Actually there are alot of sites you go to every day that use Java. They don't have to be games. That is why there are billions of downloads of it every day. Your car uses it, smart phones use it, all kinds of things use it.

IF you don't believe me, uninstall all of your Java and start browsing the internet. I am sure you will encounter the old You must have Java to view this page/site.

I did uninstall Java from my main computer 3 days ago. I have yet to have an issue (pogo being the only site that now doesn't work). There's a big difference between Java and javascript, they are not the same thing at all. Most sites use javascript...very few use java itself. The exploits are within Java itself, not javascript (although there are numerous exploits for that too, but that's where an add-on like NoScript works great as a front line of defense with Firefox).

[hotpinklovesofa]

There's a big difference between Java and javascript, they are not the same thing at all. Most sites use javascript...very few use java itself.