Disable Java NOW, users told, as 0-day exploit hits web

Twilight_guy

Sight, Sound, and Mind
Nov 24, 2008
7,131
0
0
That's nice. Course it depends on you visiting a fishy webpage, and fishy webpages were already dangerous to start with. I'm not going to stop using Java because it has a vulnerability. I can't even imagine what would happen if this story was about Flash, everyone would be in tears.
 

Imat

New member
Feb 21, 2009
519
0
0
Atmos Duality said:
The Java Plugin for Firefox has two possible locations.
The actual plugin, and the innate scripting language that comes installed with Firefox.

To disable Java, check for both under the Tools menu.

Tools->Addons->Plugins
- Find Javascript and turn it off. Restart Firefox.

Tools -> Options -> Content
- "Enable Javascript" (uncheck). Restart Firefox (may not be necessary, but do so to be sure.)

Vista users will have to use method 1, and Win7 users Method 2.
Linux users should check both. I don't use Apple so...sorry. :\
That won't fix it, however, as Java =/= JavaScript. Disabling the actual Java plugin will work. Disabling the JavaScript plugin will cause 99.99% of websites to fail and still won't fix the problem.

It seems to me they'd make an exception to their patching rule if the security risk were truly this huge. I'm thinking they're already working on it, and will release a patch as soon as it has tested working.
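
The Java-plugin versus JavaScript distinction above can be checked from inside the browser. The following is an added example, not part of the original posts: it assumes an NPAPI-era browser like those in this thread, and the function name `auditJavaExposure` and both sample navigator objects are constructed for illustration.

```javascript
// Added example: report whether the Java *plugin* is exposed to web pages.
// JavaScript itself is not a plugin, so it never shows up in these lists.
// `nav` is a navigator-like object; in a browser, pass window.navigator.
function auditJavaExposure(nav) {
  const plugins = Array.from(nav.plugins || []);
  const mimeTypes = Array.from(nav.mimeTypes || []);

  // Match "Java" as a whole word so "JavaScript ..." names are not counted.
  const javaPlugins = plugins
    .map((p) => p.name || "")
    .filter((name) => /\bjava\b/i.test(name));

  // Applet handlers register MIME types such as application/x-java-applet.
  const javaMimeTypes = mimeTypes
    .map((m) => m.type || "")
    .filter((type) => /^application\/x-java-/i.test(type));

  // navigator.javaEnabled() is the browser's own answer, where present.
  const javaEnabled =
    typeof nav.javaEnabled === "function" ? Boolean(nav.javaEnabled()) : false;

  const exposed =
    javaEnabled || javaPlugins.length > 0 || javaMimeTypes.length > 0;
  return { javaPlugins, javaMimeTypes, javaEnabled, exposed };
}

// Constructed sample: Java plugin still enabled.
const withJava = {
  plugins: [{ name: "Java(TM) Platform SE 7 U6" }, { name: "Shockwave Flash" }],
  mimeTypes: [
    { type: "application/x-java-applet" },
    { type: "application/x-shockwave-flash" },
  ],
  javaEnabled: () => true,
};

// Constructed sample: Java plugin disabled; a plugin with "JavaScript" in
// its name (hypothetical) must not be mistaken for Java.
const withoutJava = {
  plugins: [{ name: "JavaScript Debug Helper" }, { name: "Shockwave Flash" }],
  mimeTypes: [{ type: "application/x-shockwave-flash" }],
  javaEnabled: () => false,
};

console.log(auditJavaExposure(withJava));
console.log(auditJavaExposure(withoutJava));
```

If `exposed` is still true after changing the browser settings, the Java plugin itself has not been disabled, whatever the JavaScript setting says.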
 

Canadamus Prime

Robot in Disguise
Jun 17, 2009
14,334
0
0
No I'm not disabling Java. Even if this threat is real it's most likely intended to target large corporations, not home users.
 

White-Death

New member
Oct 31, 2011
223
0
0
For Opera users go to Tools-Advanced-Plug Ins, then disable java from the list.
I use NoScript, and I recommend you download it too, I think someone already posted a link.
http://noscript.net/
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Doclector said:
What would disabling java do? What wouldn't work anymore? Please tell me, I can't sleep until I know.
You wouldn't actually miss anything. Or at least it's extremely unlikely that you're visiting any websites that have Java applets. It's mostly used for interactive things on the webpage, however, Flash has largely overtaken that. There are still very few places that do have Java stuff on there, such as games (I know I've seen one website) but, as I said, it's sort of not common.

At any rate, you will notice if something is missing.

OT: Meh, I've had Java disabled for over a year now. As I said above, it's not like it's very common. And there was exactly one website that made me disable it - visiting always launched the JVM for some reason and it slowed stuff down. Aside from it, I've seen another 3-5 websites that I needed Java for but since I had QuickJava for Firefox, I can enable and disable Java (along with JavaScript, Flash, Silverlight, cookies, images, etc) with the press of a button. I'd suggest that addon or similar (Web Developer also has it), since it's just faster to toggle things on/off.

canadamus_prime said:
No I'm not disabling Java. Even if this threat is real it's most likely intended to target large corporations, not home users.
Yes, I'm sure malicious users would have the presence of mind to add
if (homeUser == true) {
    System.exit(0);
} else {
    // do damage
}

to any attack they try.
 

Canadamus Prime

Robot in Disguise
Jun 17, 2009
14,334
0
0
DoPo said:
canadamus_prime said:
No I'm not disabling Java. Even if this threat is real it's most likely intended to target large corporations, not home users.
Yes, I'm sure malicious users would have the presence of mind to add
if (homeUser == true) {
    System.exit(0);
} else {
    // do damage
}

to any attack they try.
Yeah yeah point taken, but I'm still not going to freak out every time some piece of fear-mongering news comes floating across the web.
 

FEichinger

Senior Member
Aug 7, 2011
534
0
21
And here I am, proud to be a Linux user who doesn't have to give a flying about M$-executables and a plugin I only use in a development environment anyways! Wheeeeee =D

That said, I see I was ninja'd to "Java != JavaScript" already? ... Damn you, Internet.
 

nathan-dts

New member
Jun 18, 2008
1,538
0
0
Firefox automatically disabled it.

https://addons.mozilla.org/en-US/firefox/blocked/p125
 

UNHchabo

New member
Dec 24, 2008
535
0
0
FEichinger said:
And here I am, proud to be a Linux user who doesn't have to give a flying about M$-executables and a plugin I only use in a development environment anyways! Wheeeeee =D
In case you missed it:

But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.
 

Atmos Duality

New member
Mar 3, 2010
8,473
0
0
Imat said:
That won't fix it, however, as Java =/= JavaScript. Disabling the actual Java plugin will work. Disabling the JavaScript plugin will cause 99.99% of websites to fail and still won't fix the problem.

It seems to me they'd make an exception to their patching rule if the security risk were truly this huge. I'm thinking they're already working on it, and will release a patch as soon as it has tested working.
In my previous experiences with Java and Jscript, disabling the script alone in my browser did not prevent arbitrary code execution using Java.

For my first semester of math at university, we needed to use a plugin for the learning/homework platform (MyMathLab) that used Java but not Jscript, and I was compromised by it through Java despite it being disabled.

If this exploit is only known for Jscript, then fine. Turn off Jscript.

Following that experience, I prefer to err on the side of caution with widespread exploits, especially when those who are responsible for patching it haven't said anything about the exploit or a possible fix.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
canadamus_prime said:
DoPo said:
canadamus_prime said:
No I'm not disabling Java. Even if this threat is real it's most likely intended to target large corporations, not home users.
Yes, I'm sure malicious users would have the presence of mind to add
if (homeUser == true) {
    System.exit(0);
} else {
    // do damage
}

to any attack they try.
Yeah yeah point taken, but I'm still not going to freak out every time some piece of fear-mongering news comes floating across the web.
To be fair, it's not like you are immediately and always a target if you have Java. You do have to visit a specific website, at least that's what the news says. It's more of a "you are potentially in danger, beware", so by being careful, you should be safe.
 

FEichinger

Senior Member
Aug 7, 2011
534
0
21
UNHchabo said:
FEichinger said:
And here I am, proud to be a Linux user who doesn't have to give a flying about M$-executables and a plugin I only use in a development environment anyways! Wheeeeee =D
In case you missed it:

But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.
I didn't ;)
I only use Java within a secluded development environment. On the very off chance that a Linux payload would be delivered, I still don't need to give a flying. Chances of me blowing up my own PC with code errors are higher than screwing it up with that loophole.

Atmos Duality said:
Imat said:
That won't fix it, however, as Java =/= JavaScript. Disabling the actual Java plugin will work. Disabling the JavaScript plugin will cause 99.99% of websites to fail and still won't fix the problem.

It seems to me they'd make an exception to their patching rule if the security risk were truly this huge. I'm thinking they're already working on it, and will release a patch as soon as it has tested working.
In my previous experiences with Java and Jscript, disabling the script alone in my browser did not prevent arbitrary code execution using Java.

For my first semester of math at university, we needed to use a plugin for the learning/homework platform (MyMathLab) that used Java but not Jscript, and I was compromised by it through Java despite it being disabled.

If this exploit is only known for Jscript, then fine. Turn off Jscript.

Following that experience, I prefer to err on the side of caution with widespread exploits, especially when those who are responsible for patching it haven't said anything about the exploit or a possible fix.
It's a Java exploit, not a JavaScript exploit. Simple as that.
Doesn't mean JS isn't as prone to exploits, however, given the fact that most browsers run their plugins on JavaScript ...
 

Mr F.

New member
Jul 11, 2012
614
0
0
Not updated Java in a long long time. Mainly because I am on shitty 3g internet from O2 and I do not want to eat any of the paltry 3gb monthly limit on downloading things when I could be spending my time on the escapist!

Heh.
 

Imperioratorex Caprae

Henchgoat Emperor
May 15, 2010
5,499
0
0
Does this affect Chrome users as well? I'm not well versed in Java and all and I don't use Firefox cuz it was bought by Google anyway.
 

2fish

New member
Sep 10, 2008
1,930
0
0
Owyn_Merrilin said:
And my laziness when it comes to installing updates has paid off; I'm still on 1.6 XD
Brother! We art the same on that lazy updates. Safe from the future by failing to update the present. I have not updated my white blood cells for years.
 

Nikolaj Bilgrau

New member
Apr 26, 2010
21
0
0
Owyn_Merrilin said:
And my laziness when it comes to installing updates has paid off; I'm still on 1.6 XD
The article stated that it was ill-advised to use older versions, as they may contain other bugs or exploitable weaknesses. :)
 

Rad Party God

Party like it's 2010!
Feb 23, 2010
3,560
0
0
For those of you worried to play Minecraft, or any Java game for that matter, it won't affect anything if you don't play it directly from your browser, so if you play Minecraft, just download the .exe file and play from there (it's much better IMO).

Disable Java and keep playing your non-browser Java games without any worry.

(Goodbye Runescape, see you till October :( )