A New Java Flaw

The best workaround for this serious flaw, until Sun issues its patch is to not use Java, or Disable javaws/javaws.exe and disable Deployment Toolkit.

http://www.informationweek.com/blog/main/archives/2010/04/serious_java_fl.html (several redirects)

Or just uninstall Java until then.

I’ve disabled the Java Deployment Toolkit plugin in Firefox to reduce the attack surface. Aside from that it will be business as usual, i.e. allow the use of Java by only trusted programs and websites.

strange … nothing from Secunia so far (at least from PSI). There was something two weeks ago but I thought it was solved with “update 19”… so there’s something else now it seems, and Secunia is late.

that was the last thing I heard of:
http://secunia.com/advisories/37255

edit: oups, I see this was updated on the 8th of April…

More info @ DarkNet

Secunia is reporting it now:

http://secunia.com/blog/95
http://secunia.com/advisories/39260

yep

A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.

Logos, you haven’t disabled Java? I immediately disabled the plugins in each browser and blocked Java from running with CIS D+.

no I haven’t… I’m not that worried…There aren’t that many sites running Java and I’m usually warned when one wants to use it…in Firefox at least. I don’t use Internet Explorer.

edit: not sure yet, I might still block it :wink:

When will they patch this flaw?

Does Avast blocked this?

Yes, you should at least deactivate the Java Deployment Toolkit in firefox…!!! (until a fix is released)
Better to deactivate/block all Java Plugins/Add-Ons if you don’t need them. I read on a security site, that NoScript won’t protect you, am not sure about that, but just to be safe i disabled java for now.

@Jahn: Many thanks for posting the info to this forum!!! :slight_smile:

I disabled Java in IE, Chrome and Firefox a couple of hours ago just in case, thought it’s better after all…but I didn’t block Java completely (from def+ as suggested), as I still want java to check automatically for updates and get the patch when it’s there. This said I’m pretty sure NS would protect me in Firefox, but I use Chrome a lot atm…I’ll try to check what they say on NS forums…

OK posted here:
http://forums.informaction.com/viewtopic.php?f=8&t=4207&start=0

short answer ;D
http://forums.informaction.com/viewtopic.php?f=8&t=4207&p=17530#p17530

Hi Logos, thanks for posting on NS Forum & the info, good to hear. :slight_smile:
I already wondered, how it could bypass NS…
So we are rather safe even with java on with FF and NS! 8)
asyn

yeah, the answer from Maone was rather laconic though :smiley:

Short and meaningful… ;D

How well will just disabling the Java browser plugins work given the bold portion (by me) of following statement from the article in the OP’s post?

“… All versions since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently. …”

Personally, not too concerned being that:

Use Fx with NoScript’s Options > Embeddings have all the restrictions for untrusted sites enabled (see screen shot below).

Only use IE for a few sites that require IE to use/view properly. Hence I’ve added these sites to the Trusted Sites Zone, and the all the other Security Zones are settings set with all active content/scripting disabled. Have IE secured mainly as a prevention from other various apps that use the IE engine/components.

Use a Win XP LUA account for browsing general use, and have Fx and IE set with avast!'s “Always run in sandbox”.

question is what does noscript when java is allowed to run, temporarily, by the user…

NS & Java question thread updated:
http://forums.informaction.com/viewtopic.php?f=8&t=4207&p=17551#p17550

Thanks for the update… I already had these settings applied. :slight_smile:
But it’s clearer now, than just a ‘yes it does’… :wink: