A New Java Flaw

[Asyn]

Short and meaningful...

[Jon_T]

How well will just disabling the Java browser plugins work given the bold portion (by me) of following statement from the article in the OP's post?

"... All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently. ..."


Personally, not too concerned being that:

Use Fx with NoScript's Options > Embeddings have all the restrictions for untrusted sites enabled (see screen shot below).

Only use IE for a few sites that require IE to use/view properly. Hence I've added these sites to the Trusted Sites Zone, and the all the other Security Zones are settings set with all active content/scripting disabled.  Have IE secured mainly as a prevention from other various apps that use the IE engine/components.

Use a Win XP LUA account for browsing general use, and have Fx and IE set with avast!'s "Always run in sandbox".

[Hermite15]

question is what does noscript when java is allowed to run, temporarily, by the user...

[Hermite15]

NS & Java question thread updated:
http://forums.informaction.com/viewtopic.php?f=8&t=4207&p=17551#p17550

[Asyn]

Thanks for the update.. I already had these settings applied.
But it's clearer now, than just a 'yes it does'...

[Hermite15]

Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many java versions can be installed at the same time ).

download here: http://www.java.com/en/ but again, better off with the integrated updater.

[Hermite15]

read this here:
http://blogs.zdnet.com/security/?p=6161&tag=content;col2

I'm really not sure that update 20 solves the problem. Secunia scan says it's OK but that doesn't mean anything because they probably haven't analysed the patch yet.

[Hermite15]

warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download  (yeah, that's the opposite of what I said before).

[Hermite15]

update 20 details here:
http://java.sun.com/javase/6/webnotes/6u20.html

[crofty59]

warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download  (yeah, that's the opposite of what I said before).

Thanks Logos 
That has removed the old update 19 plugins

Cheers

[Asyn]

@Logos: Thanks for keeping us up to date on this...!

[Jahn]

Yes, thanks for keeping tabs on this, Logos. I re-enabled 6u19, uninstalled with Revo, and installed 6u20. All is well now.

[Hermite15]

you're welcome people

[Chris Thomas]

I got this just now

Firefox has blocked this

[Hermite15]

@ Chris Thomas: that's the whole point of this thread; uninstall Java from your system (you're running  vulnerable versions - 18&19 and install the new one. Also, check your plugins folder in Mozilla program file folder and remove npdeployJava.dll as it will still be there after the uninstall of the old version (do that before installing the new one).
 Firefox blocked your old and unpatched Java after a plugins check.

edit: may be you actually already uninstalled the old version (s) and install the new one. Then the alert just comes from the fact that you didn't manually delete the old java deployment files in as said Firefox plugins folder.