Author Topic: A New Java Flaw  (Read 13330 times)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 63493
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: A New Java Flaw
« Reply #15 on: April 15, 2010, 12:30:46 AM »
Short and meaningful... ;D
Win 8.1 [x64] - Avast PremSec 20.2.2400.Beta#3 [UI.501] - CC 5.65 - EEK - Firefox ESR 68.6 [NS/AOS/uBO/PB] - TB 68.6 - ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Jon_T

  • Full Member
  • ***
  • Posts: 129
Re: A New Java Flaw
« Reply #16 on: April 15, 2010, 05:58:34 AM »
How well will just disabling the Java browser plugins work given the bold portion (by me) of the following statement from the article in the OP's post?

"... All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently. ..."


Personally, not too concerned being that:

Use Fx with NoScript's Options > Embeddings have all the restrictions for untrusted sites enabled (see screen shot below).

Only use IE for a few sites that require IE to use/view properly. Hence I've added these sites to the Trusted Sites Zone, and all the other Security Zones are set with all active content/scripting disabled. Have IE secured mainly as a prevention from other various apps that use the IE engine/components.

Use a Win XP LUA account for browsing general use, and have Fx and IE set with avast!'s "Always run in sandbox".
Core2Duo E6300 • 2GB Ram • WinXP Pro SP3 (LUA) • avast! AIS 5.0.6077 (w/o FW/SF) • Online Armor Premium • MBAM (resident) • SAS Pro (on demand) • SpywareBlaster

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #17 on: April 15, 2010, 10:53:38 AM »
question is what does noscript do when java is allowed to run, temporarily, by the user...
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #18 on: April 15, 2010, 11:33:04 AM »
w7 - ais7

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 63493
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: A New Java Flaw
« Reply #19 on: April 15, 2010, 11:44:45 AM »
Thanks for the update.. I already had these settings applied. :)
But it's clearer now, than just a 'yes it does'... ;)
Win 8.1 [x64] - Avast PremSec 20.2.2400.Beta#3 [UI.501] - CC 5.65 - EEK - Firefox ESR 68.6 [NS/AOS/uBO/PB] - TB 68.6 - ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #20 on: April 15, 2010, 02:19:58 PM »
Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many java versions can be installed at the same time ::) ).

download here: http://www.java.com/en/ but again, better off with the integrated updater.
« Last Edit: April 15, 2010, 02:22:13 PM by Logos »
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #21 on: April 15, 2010, 02:27:35 PM »
read this here:
http://blogs.zdnet.com/security/?p=6161&tag=content;col2

I'm really not sure that update 20 solves the problem. Secunia scan says it's OK but that doesn't mean anything because they probably haven't analysed the patch yet.
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #22 on: April 15, 2010, 02:42:52 PM »
warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download  (yeah, that's the opposite of what I said before).
w7 - ais7

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #23 on: April 15, 2010, 05:44:07 PM »
w7 - ais7

crofty59

  • Guest
Re: A New Java Flaw
« Reply #24 on: April 16, 2010, 07:54:34 AM »
warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download  (yeah, that's the opposite of what I said before).

Thanks Logos  ;)
That has removed the old update 19 plugins

Cheers

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 63493
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: A New Java Flaw
« Reply #25 on: April 16, 2010, 10:55:52 AM »
@Logos: Thanks for keeping us up to date on this...! :)
Win 8.1 [x64] - Avast PremSec 20.2.2400.Beta#3 [UI.501] - CC 5.65 - EEK - Firefox ESR 68.6 [NS/AOS/uBO/PB] - TB 68.6 - ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Jahn

  • Guest
Re: A New Java Flaw
« Reply #26 on: April 16, 2010, 08:30:27 PM »
Yes, thanks for keeping tabs on this, Logos. I re-enabled 6u19, uninstalled with Revo, and installed 6u20. All is well now. :)

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #27 on: April 16, 2010, 09:01:54 PM »
you're welcome people ;)
w7 - ais7

Offline Chris Thomas

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1936
  • Christian Geek - aka 'born again' Geek
Re: A New Java Flaw
« Reply #28 on: April 17, 2010, 11:41:31 AM »
I got this just now

Firefox has blocked this


Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9443
Re: A New Java Flaw
« Reply #29 on: April 17, 2010, 12:09:28 PM »
@ Chris Thomas: that's the whole point of this thread; uninstall Java from your system (you're running vulnerable versions - 18&19 ;) and install the new one. Also, check your plugins folder in Mozilla program file folder and remove npdeployJava.dll as it will still be there after the uninstall of the old version (do that before installing the new one).
Firefox blocked your old and unpatched Java after a plugins check.

edit: maybe you actually already uninstalled the old version(s) and installed the new one. Then the alert just comes from the fact that you didn't manually delete the old java deployment files in the said Firefox plugins folder.
« Last Edit: April 17, 2010, 12:14:27 PM by Logos »
w7 - ais7
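
The leftover-plugin check described in replies #22 and #29, as an added example that is not part of the original thread: a read-only PowerShell audit that lists any Java deployment plugin DLLs still sitting in the Firefox plugins folder after an uninstall or update. The folder paths are assumed default install locations, and the wildcard on the file name given in the thread is an assumption to catch suffixed variants.

```powershell
# Added example: audit only, nothing is deleted.
# Assumption: Firefox is installed in its default location; adjust for custom installs.
$pluginDirs = @(Join-Path $env:ProgramFiles 'Mozilla Firefox\plugins')
if (${env:ProgramFiles(x86)}) {
    $pluginDirs += Join-Path ${env:ProgramFiles(x86)} 'Mozilla Firefox\plugins'
}

# File name as given in the thread; the wildcard is an assumption.
$pattern = 'npdeployJava*.dll'

$found = foreach ($dir in $pluginDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Record the embedded file version so a stale copy can be
                # told apart from the one shipped by the current installer.
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
}

if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning 'Java deployment plugin files are present; compare FileVersion with the installed Java update.'
} else {
    Write-Output 'No Java deployment plugin files found in the checked Firefox plugins folders.'
}
```

Run it once after uninstalling the old Java version and again after installing the new one; a file that survives the uninstall is the leftover the thread describes.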