SECURITY WARNINGS & Notices - Please post them here

[Asyn]

Microsoft "Fix it" available for Internet Explorer 6, 7, and 8
http://blogs.technet.com/b/srd/

Researchers Bypass Microsoft Fix It for IE Zero Day
http://threatpost.com/en_us/blogs/researchers-bypass-microsoft-fix-it-ie-zero-day-010413
http://blog.exodusintel.com/2013/01/04/bypassing-microsofts-internet-explorer-0day-fix-it-patch-for-cve-2012-4792/
http://forum.avast.com/index.php?msg=881171

Advance Notification for Update to Address Security Advisory 2794220
http://blogs.technet.com/b/msrc/archive/2013/01/13/advance-notification-for-update-to-address-security-advisory-2794220.aspx

[Pondus]

Oracle patches latest zero-day vulnerabilities in Java
http://www.computerworld.com/s/article/9235696/Oracle_patches_latest_zero_day_vulnerabilities_in_Java

[essexboy]

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

[bob3160]

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

Now you can put the blame on the user for the infection and hold Oracle blameless. 

[polonus]

The attack code abusing the vulnerability, has been added to exploit-kits like Blackhole, Nuclear Pack en Cool Exploit Kit and also to Gong Da / Gondad Exploit Pack, read: http://eromang.zataz.com/2013/01/13/gong-da-gondad-exploit-pack-add-java-cve-2013-0422-support/ (link article author eric romang)

polonus

[mchain]

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

Now you can put the blame on the user for the infection and hold Oracle blameless. 

We can do better than that.  All we have to do is remove java completely and avoid this issue entirely.  Shame on Oracle for resorting to "fixing" a known exploit that is now being actively exploited in the wild in this way.

This is a "fix" I could have done by myself, no help needed from Oracle.  Problem is, do noobies know what to do with the alerts?  Probably not.      More work for IT staff anyways.

[Asyn]

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

The patch is to change the security setting from medium to high... So now the user has to confirm that he wants the script to run..  Now how foolproof is that

Now you can put the blame on the user for the infection and hold Oracle blameless. 

We can do better than that.  All we have to do is remove java completely and avoid this issue entirely.  Shame on Oracle for resorting to "fixing" a known exploit that is now being actively exploited in the wild in this way.

This is a "fix" I could have done by myself, no help needed from Oracle.  Problem is, do noobies know what to do with the alerts?  Probably not.      More work for IT staff anyways.

Confirmed: Java only fixed one of the two bugs
http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html

[Asyn]

Security Advisory for ColdFusion
http://www.adobe.com/support/security/advisories/apsa13-01.html

Security update: Hotfix available for ColdFusion
http://www.adobe.com/support/security/bulletins/apsb13-03.html
http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html

[essexboy]

Another Java breach .. Uninstall guys http://krebsonsecurity.com/2013/01/new-java-exploit-fetches-5000-per-buyer/

[mchain]

Malware Infecting US Power Plant SCADA Systems

http://www.hotforsecurity.com/blog/malware-infecting-us-power-plant-scada-systems-5050.html

It's already happening here.

BTW,  FF has a setting in Tools>Options>Content where one can disable JavaScript within the browser.  See essexboy's post above. 

Anyone realize that the icons for url and others in the text reply box are java-script based, and will not work or be present when JavaScript is turned off in the browser?

[Asyn]

BTW,  FF has a setting in Tools>Options>Content where one can disable JavaScript within the browser.  See essexboy's post above. 

Java and JavaScript are two different things..!!

[bob3160]

BTW,  FF has a setting in Tools>Options>Content where one can disable JavaScript within the browser.  See essexboy's post above. 

Java and JavaScript are two different things..!!

You can also check the following thread for full removal details:
http://forum.avast.com/index.php?topic=19387.msg884597#msg884597

[mchain]

BTW,  FF has a setting in Tools>Options>Content where one can disable JavaScript within the browser.  See essexboy's post above. 

Java and JavaScript are two different things..!!

You can also check the following thread for full removal details:
http://forum.avast.com/index.php?topic=19387.msg884597#msg884597

Sorry, guys.

Some things I have yet to learn.  Reason I noted javascript in the browser is because without it running, then things such as accessing webmail is not possible unless one uses an older version of it that does not require it, c|net member logon not doable without it, even mediafire will not work without it, Avast text reply box is missing the common icons for text and link enhancement, and so on.  Since it is the java plugin from Oracle that is 99% of the problem, have been testing running the browser without javascript and finding it seems to be used in everything everywhere I go.

Do not have java anything installed atm, just so you know.  It is apparent that FF, at least, provides their own version of java in the form of a FF javascript and one still needs that to view normal web content within the browser.  Just experimenting.

[bob3160]

BTW,  FF has a setting in Tools>Options>Content where one can disable JavaScript within the browser.  See essexboy's post above. 

Java and JavaScript are two different things..!!

You can also check the following thread for full removal details:
http://forum.avast.com/index.php?topic=19387.msg884597#msg884597

Sorry, guys.

Some things I have yet to learn.  Reason I noted javascript in the browser is because without it running, then things such as accessing webmail is not possible unless one uses an older version of it that does not require it, c|net member logon not doable without it, even mediafire will not work without it, Avast text reply box is missing the common icons for text and link enhancement, and so on.  Since it is the java plugin from Oracle that is 99% of the problem, have been testing running the browser without javascript and finding it seems to be used in everything everywhere I go.

Do not have java anything installed atm, just so you know.  It is apparent that FF, at least, provides their own version of java in the form of a FF javascript and one still needs that to view normal web content within the browser.  Just experimenting.

You want to get rid of Java not java script. They aren't the same. If you get rid of java script, then you'll find that many things will not work.
In Firefox, use NoScript in Chrome, use FlashControl. both of these browser add-ons give you the option to either allow or not allow the scrip for a page that needs it.

[Pondus]

Microsoft bombs another security test
http://reviews.cnet.com/8301-3667_7-57564385/microsoft-bombs-another-security-test/?ttag=fbwp