Thread: Java browser malware - Ship Café runs Java
Board: Oblivion / Ship of Fools.


To visit this thread, use this URL:
http://forum.ship-of-fools.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=70;t=024310

Posted by no prophet (# 15560) on :
 
Java is used to run the Ship's café chat application. Suggest the Ship admin check with their computer tech person further.

Some links:

Oracle Java 7 Security Manager Bypass Vulnerability - USA gov't warning

The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks.

New malware exploiting Java 7 in Windows and Unix systems
 
Posted by lilBuddha (# 14333) on :
 
As far as the Ship, more than the cafe is affected by disabling Java. The helpful coding buttons below the reply entry field do not work. Nor does preview post.
 
Posted by lilBuddha (# 14333) on :
 
Java just released update 11, but some are still recommending disabling Java.
Several features do not work here with Java disabled. Post dates disappear; I am going to guess that PM notifications likely do as well. Going to be a lot of annoyances if one does disable Java. What I am doing is allowing Java, but running the NoScript Firefox add-on. Still a pain.
 
Posted by Niteowl (# 15841) on :
 
If one chooses to install Java 7 Update 11, please be sure to uninstall ANY other instances of Java listed under programs. Malicious code can be executed under those previous codes even if you have Update 11 installed.
 
Posted by Amorya (# 2652) on :
 
quote:
Originally posted by lilBuddha:
As far as the Ship, more than the cafe is affected by disabling Java. The helpful coding buttons below the reply entry field do not work. Nor does preview post.

The coding buttons and preview post use JavaScript, not Java. Despite the similarity in naming, the two things aren't related: I believe at some point in the 90s, Java was the Next Big Thing™, and the writers of JavaScript picked that name to try and ride on the back of the publicity.

The security hole only affects Java, so you can safely leave JavaScript turned on.
 
Posted by Niteowl (# 15841) on :
 
This will either kill Java or finally give us a decent, safe version. According to this article on ZDnet, "First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were using a zero-day security vulnerability within Java 7 Update 10, which could result in the installation of malware, identity theft or used to rope personal computers in to becoming unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.

The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend." However, it's much, much worse: "Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software."

Unfortunately, Java is essential to using a lot of corporate software, doing online banking and a whole slew of other items. Not sure about how deeply Java is embedded into the ship, but it's a mess and a very big risk to use it.

Thanks a lot Sun and Oracle.
 
Posted by pease (# 6) on :
 
On the ship it's just the café chat client that uses Java.

As to the question of whether there's currently a safe / secure way of running Java on your computer, the answer appears to be "Do you feel lucky?".
 
Posted by The Rhythm Methodist (# 17064) on :
 
As a technologically-challenged person, I'm wondering if any of you good people could tell me if I need to do anything about Java on my PC? I've got two of their programmes on my machine - Java 7 update 9, and Java 6 update 23. Thanks!
 
Posted by Amorya (# 2652) on :
 
quote:
Originally posted by pease:
As to the question of whether there's currently a safe / secure way of running Java on your computer, the answer appears to be "Do you feel lucky?".

You're a darn sight more secure if you just don't let your web browser anywhere near it (i.e. disable the ability to run Java applets). That way you can still run software that uses Java, but web sites can't run stuff for you. (Doing that would of course still block the ship's Café.) This website shows you how to do it.

I'm not promising this would be perfectly secure (I'm not a security researcher and can't promise that), but it's the level of security I've chosen for myself, and it definitely protects you from the exploit that's in the news at the moment.

(As I mentioned above, Java is not the same as JavaScript: the latter doesn't have huge known security holes and you can safely leave it turned on).
 
Posted by Niteowl (# 15841) on :
 
quote:
Originally posted by The Rhythm Methodist:
As a technologically-challenged person, I'm wondering if any of you good people could tell me if I need to do anything about Java on my PC? I've got two of their programmes on my machine - Java 7 update 9, and Java 6 update 23. Thanks!

You do need to uninstall both of the above versions whether or not you decide to install Java 7 Update 11. Sadly, Java doesn't configure their install/update programs to automatically uninstall previous versions, so you are still vulnerable to any security problems those versions have. Go to the Control Panel and uninstall both programs one at a time.
 
Posted by The Rhythm Methodist (# 17064) on :
 
Many thanks, Niteowl - I'll get right on it.
 
Posted by Jengie Jon (# 273) on :
 
For those using Firefox, it is automatically disabling Java at present. On both my work and home machines it is disabled within Firefox and you can't simply restart it with it enabled.

I know this as I had to do a horrible download yesterday from the IBM site that is normally controlled by a JAVA app.

Jengie
 
Posted by the giant cheeseburger (# 10942) on :
 
quote:
Originally posted by Jengie Jon:
For those using Firefox, it is automatically disabling Java at present. On both my work and home machines it is disabled within Firefox and you can't simply restart it with it enabled.

I know this as I had to do a horrible download yesterday from the IBM site that is normally controlled by a JAVA app.

Jengie

Same with Safari, it's blocked until you get the newest version of Java downloaded.

Hopefully this fiasco will be the beginning of the end of Java's common use on the internet, just as Flash is finally on the way out.
 


© Ship of Fools 2016
