Avast WEBforum

Other => General Topics => Topic started by: Jahn on April 11, 2010, 09:50:15 PM

Title: A New Java Flaw
Post by: Jahn on April 11, 2010, 09:50:15 PM
Quote
The best workaround for this serious flaw, until Sun issues its patch, is to not use Java, or to disable javaws/javaws.exe and disable the Deployment Toolkit.

http://www.informationweek.com/blog/main/archives/2010/04/serious_java_fl.html (several redirects)
Title: Re: A New Java Flaw
Post by: Jtaylor83 on April 11, 2010, 10:36:39 PM
Or just uninstall Java until then.
Title: Re: A New Java Flaw
Post by: Alan Baxter on April 11, 2010, 11:26:31 PM
I've disabled the Java Deployment Toolkit plugin in Firefox to reduce the attack surface.  Aside from that it will be business as usual, i.e. allow the use of Java by only trusted programs and websites.
Title: Re: A New Java Flaw
Post by: Hermite15 on April 11, 2010, 11:38:07 PM
Strange... nothing from Secunia so far (at least from PSI). There was something two weeks ago but I thought it was solved with "update 19"... so there's something else now it seems, and Secunia is late.

that was the last thing I heard of:
http://secunia.com/advisories/37255

edit: oops, I see this was updated on the 8th of April...
Title: Re: A New Java Flaw
Post by: Jahn on April 14, 2010, 12:32:21 AM
More info @ DarkNet (http://www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/)

Secunia is reporting it now:

http://secunia.com/blog/95
http://secunia.com/advisories/39260
Title: Re: A New Java Flaw
Post by: Hermite15 on April 14, 2010, 12:37:29 AM
yep

Quote
A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.
Title: Re: A New Java Flaw
Post by: Jahn on April 14, 2010, 12:53:35 AM
Logos, you haven't disabled Java? I immediately disabled the plugins in each browser and blocked Java from running with CIS D+.
Title: Re: A New Java Flaw
Post by: Hermite15 on April 14, 2010, 11:33:12 AM
Logos, you haven't disabled Java? I immediately disabled the plugins in each browser and blocked Java from running with CIS D+.

No, I haven't... I'm not that worried... There aren't that many sites running Java and I'm usually warned when one wants to use it... in Firefox at least. I don't use Internet Explorer.

edit: not sure yet, I might still block it ;)
Title: Re: A New Java Flaw
Post by: harman123 on April 14, 2010, 02:20:51 PM
When will they patch this flaw?

Does Avast block this?
Title: Re: A New Java Flaw
Post by: Asyn on April 14, 2010, 05:09:53 PM
No, I haven't... I'm not that worried... There aren't that many sites running Java and I'm usually warned when one wants to use it... in Firefox at least. I don't use Internet Explorer.
edit: not sure yet, I might still block it ;)

Yes, you should at least deactivate the Java Deployment Toolkit in Firefox...!!! (until a fix is released)
Better to deactivate/block all Java plugins/add-ons if you don't need them. I read on a security site that NoScript won't protect you; I am not sure about that, but just to be safe I disabled Java for now.

@Jahn: Many thanks for posting the info to this forum!!! :)
Title: Re: A New Java Flaw
Post by: Hermite15 on April 14, 2010, 05:41:09 PM
I disabled Java in IE, Chrome and Firefox a couple of hours ago just in case, thought it's better after all... but I didn't block Java completely (from Def+ as suggested), as I still want Java to check automatically for updates and get the patch when it's there. This said, I'm pretty sure NS would protect me in Firefox, but I use Chrome a lot atm... I'll try to check what they say on the NS forums...
Title: Re: A New Java Flaw
Post by: Hermite15 on April 14, 2010, 05:51:55 PM
OK posted here:
http://forums.informaction.com/viewtopic.php?f=8&t=4207&start=0
Title: Re: A New Java Flaw
Post by: Hermite15 on April 14, 2010, 06:20:33 PM
short answer ;D
http://forums.informaction.com/viewtopic.php?f=8&t=4207&p=17530#p17530
Title: Re: A New Java Flaw
Post by: Asyn on April 15, 2010, 12:19:40 AM
Hi Logos, thanks for posting on NS Forum & the info, good to hear. :)
I already wondered how it could bypass NS...
So we are rather safe even with java on with FF and NS! 8)
asyn
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 12:22:54 AM
yeah, the answer from Maone was rather laconic though :D
Title: Re: A New Java Flaw
Post by: Asyn on April 15, 2010, 12:30:46 AM
Short and meaningful... ;D
Title: Re: A New Java Flaw
Post by: Jon_T on April 15, 2010, 05:58:34 AM
How well will just disabling the Java browser plugins work given the bold portion (by me) of following statement from the article in the OP's post?

"... All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently. ..."


Personally, not too concerned being that:

I use Fx with NoScript's Options > Embeddings with all the restrictions for untrusted sites enabled (see screenshot below).

I only use IE for a few sites that require IE to use/view properly. Hence I've added these sites to the Trusted Sites zone, and all the other security zones are set with all active content/scripting disabled. I have IE secured mainly as a precaution against the various other apps that use the IE engine/components.

I use a Win XP LUA account for general browsing, and have Fx and IE set with avast!'s "Always run in sandbox".
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 10:53:38 AM
The question is what NoScript does when Java is allowed to run, temporarily, by the user...
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 11:33:04 AM
NS & Java question thread updated:
http://forums.informaction.com/viewtopic.php?f=8&t=4207&p=17551#p17550
Title: Re: A New Java Flaw
Post by: Asyn on April 15, 2010, 11:44:45 AM
Thanks for the update.. I already had these settings applied. :)
But it's clearer now than just a 'yes it does'... ;)
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 02:19:58 PM
Java 1.6 update 20 is available >>> update from the Control Panel applet, otherwise that won't remove the 19 version (many Java versions can be installed at the same time ::) ).

Download here: http://www.java.com/en/ but again, you're better off with the integrated updater.
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 02:27:35 PM
read this here:
http://blogs.zdnet.com/security/?p=6161&tag=content;col2

I'm really not sure that update 20 solves the problem. Secunia scan says it's OK but that doesn't mean anything because they probably haven't analysed the patch yet.
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 02:42:52 PM
Warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).
Title: Re: A New Java Flaw
Post by: Hermite15 on April 15, 2010, 05:44:07 PM
update 20 details here:
http://java.sun.com/javase/6/webnotes/6u20.html
Title: Re: A New Java Flaw
Post by: crofty59 on April 16, 2010, 07:54:34 AM
Warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).

Thanks Logos  ;)
That has removed the old update 19 plugins

Cheers
Title: Re: A New Java Flaw
Post by: Asyn on April 16, 2010, 10:55:52 AM
@Logos: Thanks for keeping us up to date on this...! :)
Title: Re: A New Java Flaw
Post by: Jahn on April 16, 2010, 08:30:27 PM
Yes, thanks for keeping tabs on this, Logos. I re-enabled 6u19, uninstalled with Revo, and installed 6u20. All is well now. :)
Title: Re: A New Java Flaw
Post by: Hermite15 on April 16, 2010, 09:01:54 PM
you're welcome people ;)
Title: Re: A New Java Flaw
Post by: Chris Thomas on April 17, 2010, 11:41:31 AM
I got this just now

Firefox has blocked this

(http://i39.tinypic.com/33m5pqe.png)
Title: Re: A New Java Flaw
Post by: Hermite15 on April 17, 2010, 12:09:28 PM
@ Chris Thomas: that's the whole point of this thread; uninstall Java from your system (you're running vulnerable versions - 18 & 19 ;) and install the new one. Also, check the plugins folder in the Mozilla Firefox program files folder and remove npdeployJava.dll, as it will still be there after the uninstall of the old version (do that before installing the new one).
Firefox blocked your old and unpatched Java after a plugins check.

edit: maybe you actually already uninstalled the old version(s) and installed the new one. Then the alert just comes from the fact that you didn't manually delete the old Java deployment files in the Firefox plugins folder, as said.
Title: Re: A New Java Flaw
Post by: YoKenny on April 17, 2010, 02:23:25 PM
I also use JavaRa
Quote
JavaRa is a simple tool that does a simple job: it removes old and redundant versions of the Java Runtime Environment (JRE). Simply select "Check for Updates" or "Remove Older Version" to begin. JavaRa is free under the GNU GPL version two.
http://raproducts.org/javara.html
Title: Re: A New Java Flaw
Post by: Chris Thomas on April 17, 2010, 03:27:31 PM
@ Chris Thomas:

edit: maybe you actually already uninstalled the old version(s) and installed the new one. Then the alert just comes from the fact that you didn't manually delete the old Java deployment files in the Firefox plugins folder, as said.

Fixed ;D
Title: Re: A New Java Flaw
Post by: DavidR on April 17, 2010, 03:51:31 PM
I never do an on-line install of JAVA, I always download the off-line installation file.

You don't have to uninstall the old version of JAVA, from some time ago the JAVA update removed the old version.

What you most certainly 'have to do' is to close all browsers before running the JAVA update/installation. I have done that for a while now and the old JAVA plug-in isn't seen in Firefox, see image. A search for npdeployJava.dll also reveals file not found, so it is removing that if it was present.

So I don't know why this is happening to you
Title: Re: A New Java Flaw
Post by: Chris Thomas on April 17, 2010, 04:04:52 PM
@ David

I thought I had updated. But your above post made me recheck the version and it was still 19. I was so careless as to have believed that I updated to version 20. I did do an update from the inbuilt updater, but I don't know how come it is still version 19.

I did an offline install and it is now version 20

I also didn't quote Logos fully.

Now it is really fixed

Title: Re: A New Java Flaw
Post by: Hermite15 on April 17, 2010, 04:17:11 PM
So I don't know why this is happening to you

Happened to me too, browsers closed ;) >>> after an online update, remnants of the old version were still there in Program Files as well as plugins in browsers. But you may be right about the behavior of the full install file. The issue is also that Java doesn't mind several versions installed at the same time. I don't know why they allow that; guessing here that any version is backward compatible with sites running older versions... just guessing.
Title: Re: A New Java Flaw
Post by: Asyn on April 17, 2010, 04:23:01 PM
a. I never do an on-line install of JAVA, I always download the off-line installation file.
b. You don't have to uninstall the old version of JAVA, from some time ago the JAVA update removed the old version.

a. I also use the downloaded installer, as I blocked all Java updates at first.
b. True, but somehow it seems not to work with the 6.20 update...
maybe because it's an out-of-order quick fix..??
asyn
Title: Re: A New Java Flaw
Post by: Asyn on April 18, 2010, 10:47:10 AM
https://bugzilla.mozilla.org/show_bug.cgi?id=558584
Title: Re: A New Java Flaw
Post by: Sesame on April 18, 2010, 01:35:07 PM
a. I also use the downloaded installer, as I blocked all Java updates at first.
b. True, but somehow it seems not to work with the 6.20 update...
maybe because it's an out-of-order quick fix..??
Check the version number of your Java Deployment Toolkit plugin for Firefox, which should be 6.0.200.2.
(http://img519.imageshack.us/img519/4715/firefoxplugins.th.gif) (http://img519.imageshack.us/i/firefoxplugins.gif/)

As in Chris Thomas' case, on one of our PCs Java failed to update itself properly. If you don't have the proper version, try uninstalling/reinstalling the update manually, or JavaRa, which should solve the problem.
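The two checks the thread keeps coming back to (leftover npdeployJava.dll in the Firefox plugins folder, and a Deployment Toolkit plugin that should read 6.0.200.2 after the 6u20 update) can be scripted. The PowerShell below is an added example, not something posted in this thread; it assumes a default Firefox install path, reads the JavaSoft registry keys to show every runtime installed side by side, and only reports, never deletes.

```powershell
# Added audit script (not from the thread): list side-by-side JRE installs
# and Java plugin DLLs left in the Firefox plugins folder after updating
# to 6u20. Assumes default Firefox paths; the fixed Deployment Toolkit
# version (6.0.200.2) is the one quoted in the thread. Read-only.
$PatchedToolkit = [version]'6.0.200.2'

function Get-FileVersionObject($file) {
    # Build a comparable System.Version from the DLL's version resource.
    $v = $file.VersionInfo
    New-Object System.Version($v.FileMajorPart, $v.FileMinorPart,
                              $v.FileBuildPart, $v.FilePrivatePart)
}

# 1. Java runtimes registered in the registry (native and 32-bit views).
$jreKeys = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
foreach ($key in $jreKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
        if ($javaHome) { Write-Output ("JRE {0,-10} {1}" -f $_.PSChildName, $javaHome) }
    }
}

# 2. Java plugin DLLs still sitting in the Firefox plugins folder.
$pluginDirs = @()
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) { $pluginDirs += Join-Path $root 'Mozilla Firefox\plugins' }
}
foreach ($dir in $pluginDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Filter '*.dll' |
        Where-Object { $_.Name -match '^np(deployJava|jp2)' } |
        ForEach-Object {
            $ver = Get-FileVersionObject $_
            $status = 'ok'
            # npdeployJava*.dll is the Deployment Toolkit the advisory names;
            # any build below 6u20 is flagged for manual removal.
            if ($_.Name -match '^npdeployJava' -and $ver -lt $PatchedToolkit) {
                $status = 'VULNERABLE - remove, then reinstall 6u20'
            }
            Write-Output ("{0,-20} {1,-12} {2}" -f $_.Name, $ver, $status)
        }
}
```

Run it from an elevated prompt after the update and again after removing any flagged DLL; an empty plugin list with a single JRE entry is the clean state the thread is aiming for.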
Title: Re: A New Java Flaw
Post by: dan323 on April 21, 2010, 03:35:03 AM
I got hit with a java trojan on my other laptop. I bugger went right thru AVG and wiped out all the bookmarks in IE8 and FF3.6 . I just got Avast 5 pro and installed it on all 3 of my puters. Mine is Windows 7,the desktop is XP and the infected laptop is Vista. Once Avast was installed and updated I did a Boot scan and deleted the trojan. Now all the bookmarks are back in IE8. I have not checked FF3 but I assume there also back. Avast rocks. AVG let it right on thru. Oh well I guess you can't catch them all.