Java, Silverlight left in cold as Firefox disables all plugins by default — except Flash

Plugins enabled by default in Firefox, step forward... not so fast, Java and Silverlight

In an effort to prevent “drive-by exploitations,” upcoming versions of Firefox will have Java, Adobe Reader and Silverlight disabled by default, according to a recent Mozilla Security Blog post. All other third-party plugins except Flash will also be disabled, requiring users to enable them using the so-called click-to-play feature introduced last year. All that is to prevent “poorly designed” Firefox plugins from crashing the browser, and to blunt recent headline-grabbing exploits involving the likes of Java, with Adobe’s Flash player being the one exception that works out of the box — though versions longer of tooth than 10.3 won’t see daylight without your say-so.


Source: Mozilla Security Blog

Apple says no to Java 7, blocks browser plug-in

You’ve likely already heard of the Java security scandal, which was something Oracle looked to fix quickly with an update to the software. Even though Oracle says it has patched the issue, some entities disagree. The latest to add its name to the list of dissenters seems to be Apple, as it has decided to block the Java 7 browser plug-in, even after the update was delivered by Oracle.

According to MacGeneration and this thread on the Apple Support Communities site, Apple has blocked this latest version of Java using its Xprotect software. Apple uses Xprotect to keep malware out, and this is the same software it used to block Java earlier in the month. Just as it did before, Apple has made Xprotect block a version of Java that doesn’t yet exist, meaning all earlier versions (including the current one) are blocked as well.

Apple isn’t the only one taking issue with Oracle’s claim that the security concerns have been addressed. The Department of Homeland Security is still recommending that consumers refrain from using Java after the update, saying that all of the security flaws have not yet been fixed. The flaw could potentially allow unsigned applets to run without permission, which in turn means that some of the more undesirable people of the world could potentially take control of your computer.

So, with the Department of Homeland Security still warning against using Java, it may not be such a bad thing that Apple has restricted access to the browser plug-in. This will naturally prove to be headache for a lot of different Mac users considering that Java is everywhere these days, but until Oracle provides another update, there doesn’t seem to be much that can be done. Stay tuned, because we’ll probably be hearing more about this soon.

[via MacRumors]


Apple says no to Java 7, blocks browser plug-in is written by Eric Abent & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All rights reserved.

Oracle’s Latest Java Fix Is Still Broken, Better Learn to Live Without

Remember that big zero-day Java vulnerability the Department of Homeland Security was all worried about? Well, Oracle fixed it. Oh wait, no. That latest Java fix still has a big ol’ hole. It’s time to abandon ship, folks.

SlashGear Evening Wrap-Up: January 15, 2013

Welcome to Tuesday evening, everyone. The afternoon started off with something of a bang with Facebook’s big event, during which the company revealed the service’s new Graph Search and explained the difference between the new feature and traditional web search. It also announced that it was partnering with Bing for search results in Graph Search, while we used the latest installment of SlashGear 101 to give you all of the details about this new feature.

We heard from one Jefferies analyst that Apple might begin preliminary production on the iPhone 5S in March, while specs for the rumored Sony Xperia Tablet Z leaked out (we’re told to expect a full HD display, among other things). A ChangeWave study tells us that iPhone demand is down though the device still dominates the charts, and Acura revealed its 2015 NSX concept car at NAIAS 2013 today. We got an up close look at the rumored BlackBerry Z10 handset in a new video, and we learned that there might be Java-based iterations of the Red October cyberespionage attacks, which would explain why the Department of Homeland Security has been so insistent in its recommendation to stop using the software.

Tesla announced today that it will open 25 new stores this year, while 2K Games and Irrational delivered the PC requirements for the incoming BioShock Infinite. A US District Court has dismissed the case against Aaron Swartz after his tragic death, and it would appear that Samsung has a new phone called the Galaxy Pocket Plus on the way. Disney Infinity was announced today, and it’s looking to take a bite out of Skylanders’ massive audience, while United has become the first international US-based airline to offer WiFi on its flights.

AT&T is offering Nexus 7 owners a $100 credit on their bill if they sign up for a data plan with it, and NASA is telling us that Curiosity may have found its first potential rock sample target on the surface of Mars. 10 more games have moved through Steam Greenlight, Call of Duty Online has kicked off alpha testing in China, and finally tonight, Simple has brought its online banking app to Android. That does it for tonight’s Evening Wrap-Up, we hope you enjoy the rest of your night folks!


SlashGear Evening Wrap-Up: January 15, 2013 is written by Eric Abent & originally posted on SlashGear.

Java tipped in Red October – may be Homeland Security’s hang-up

Over the past several days, the US Department of Homeland Security has issued warnings against using Java due to newly discovered security weaknesses – and today it’s been tipped that the Red October cyberespionage attacks may have had their own Java iterations. The two have not been connected by the Israeli IT security firm Seculert, the group that today suggests Red October was implemented not just via email downloads and USB sticks, but through web-based Java exploits as well. Could that finding and Homeland Security’s warning really have landed at the same moment without any relation to one another?

Coincidences like this don’t just happen every day. According to Kaspersky Lab, the antivirus group that let loose the info on Red October earlier this week, it was mainly through Word and Excel documents that the security exploit was delivered, either via an email download or possibly through USB sticks plugged into host computers. Security researchers from Seculert assigned to analyze the command and control servers used in the Red October campaign have found a malicious Java applet made to exploit a Java vulnerability they say was patched all the way back in October of 2011.

What this means is that their targets were not computers that were brand new, patched and up to date, but older machines that for one reason or another hadn’t gotten with the program. Another fabulous reason to keep your computer up to date, that’s what this is. According to the Seculert blog where the Java connection announcement was made, “the JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability was available as of October 2011.”

These exploits appear to have been included in pages with the title “We Can Find All News!” The terms “news theme” and “NewsForYou” were also included in the code, leading the team to believe that the malicious payload was delivered through a series of harmless-seeming websites with “fake” news blasts galore. While it would seem strange that the US Department of Homeland Security would wait many, many months to deliver a warning against an attack like this, it is possible that, like the rest of us, they only found out about it here in 2013 – and they’ve not confirmed that this is the same attack, of course, but we shall see!


Java tipped in Red October – may be Homeland Security’s hang-up is written by Chris Burns & originally posted on SlashGear.

Homeland Security still warns against Java use despite fix

Well that didn’t last very long: this morning Oracle released a fix for a Java vulnerability that had the government suggesting users turn off the software. As it turns out, The Department of Homeland Security is still saying that Java poses a risk, despite the fix. The Department said in an updated security note this afternoon that Java 7 Update 11 may not actually restrict access to privileged code.

That’s the whole reason we’re writing this post – in a zero-day vulnerability, it was discovered that Java 7 Update 10 was allowing unsigned applets and Web Start apps to run without permission, a potentially dangerous flaw that could give malicious folks access to your computer. That obviously isn’t good, but the patch delivered earlier this morning was intended to fix that by requiring unsigned or self-signed apps to ask for permission before running.

In its note, Homeland Security explains, “Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe vulnerability (CVE-2012-3174). Immunity has indicated that only CVE-2012-3174 is addressed with this update.” The department is recommending that unless absolutely necessary, users should refrain from running Java in their browsers, even if the update has been applied. A difficult task, considering that hundreds of millions of computers out there are running Java.

If you need help turning Java off, you’re in luck, because we’ve put together a guide for all of the popular browsers out there. So, it looks like we should still keep Java turned off on our computers since this vulnerability remains present in at least some capacity. We’ll be keeping an eye on Homeland Security to see if it lifts its warning anytime soon, and will update if Oracle has anything to say about this renewed warning. Stay tuned.

[via ZDNet]


Homeland Security still warns against Java use despite fix is written by Eric Abent & originally posted on SlashGear.

Java fix released after “do not use” warning

Oracle has quickly whipped up a fix for its much-maligned Java, after the US Department of Homeland Security recommended web users disable or remove the software to secure their internet use. Java 7 Update 11, released late on Sunday, changes the default security settings so that unsigned Java applets or Web Start applications prompt for permission to run first, as opposed to the potentially dangerous previous behavior where they could operate without permission.

According to Oracle’s release notes for Update 11, that’s the most significant change, and one which instantly adds an extra degree of protection for users. The DHS’s concern had been that malicious web content could run without any checks by default, presenting a malware or phishing risk, among other things.

“The default security level for Java applets and web start applications has been increased from “Medium” to “High”. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation”

Meanwhile, the update also addresses other, unspecified security vulnerabilities. Still outstanding, however, are a couple of issues: one where, in some circumstances, the security level slider no longer indicates the correct level of the settings, in addition to some JavaFX plugin issues. Oracle suggests uninstalling the standalone copy of JavaFX 2.x to address the latter, though it will release a subsequent update to fix it properly.

The new version of Java can be downloaded here. There’s also more information on what Update 11 changes – and the reasons behind it – here.


Java fix released after “do not use” warning is written by Chris Davies & originally posted on SlashGear.

Oracle patches Java exploits, toughens its default security levels

Java disabled in Firefox

Oracle hasn’t had a great start to 2013. It’s barely into the new year, and Apple and Mozilla are already putting up roadblocks to some Java versions after discoveries of significant browser-based exploits. The company has been quick to respond, however, and already has a patched-up version ready to go. The Java update goes one step further to minimize repeat incidents, as well — it makes the “high” setting the default and asks permission before it launches any applet that wasn’t officially signed. If you’ve been skittish about running a Java plugin ever since the latest exploits became public, hit the source to (potentially) calm your nerves.

[Thanks, Trevor]

Via: Reuters

Source: Oracle

How To Disable Java in Your Browser

Java isn’t good for your computer’s health right now. It can mess it up pretty bad. Bad enough that the Department of Homeland Security is warning us all to turn it off. OK, but how do you do that? Fortunately, it’s not that hard.

Turn off Java, they warn… Here’s how you do it

Security advice for web users last week from the US Department of Homeland Security recommended that Java should be disabled, lest a growing number of exploits leave your computer open to hacking. “Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered” the US-CERT warned, and argued that users should “consider disabling Java in web browsers until adequate updates are available.” Read on past the cut for cross-browser details as to how to do that.

The simplest way – assuming you’re relatively up-to-date with your Java installation in the first place – is to disable Java runtimes from operating in the browser within the software’s own settings page. From Java 7 Update 10, there’s an option in the Security tab of the Settings page to “Enable Java content in the browser” which, when unchecked, stops any Java from running.

Firefox

If you’re running Firefox, you want to head to Add-Ons in the Tools menu. From the dialog that opens, choose Plugins: if you’re on Windows 8, you want to select “Java (TM) Platform” and then click the Disable button. If you’re on Mac OS X, choose either “Java Plug-in 2 for NPAPI Browsers” or “Java Applet Plugin” and click the Disable button. It’s also advised to disable the Java Development Toolkit plugin. Instructions for other OS versions can be found here.

Chrome

If you’re on Chrome, you can visit chrome://plugins/ to see if Java is installed. Click the Disable button under the entry, which automatically blocks both the Java and Java Development Toolkit plugins.

More details on managing Chrome plugins are here.

Safari

On Safari, there’s a single checkbox that controls Java. Go to the Preferences page and choose the Security tab; uncheck the box next to “Enable Java” to turn it off. More information can be found here.

It’s also worth noting that Apple removed Java from OS X by default, with an October software update uninstalling the software from Macs running either Lion or Mountain Lion.

Opera

In the Opera browser, setting Java to run only when given permission is handled in the Settings page. From there, choose Preferences and then click Advanced: choose “Enable plug-ins only on demand” to force Opera to ask permission before running a plugin. However, it’s worth noting that this will force all plugins loaded to request permission, which could prove frustrating.

Internet Explorer

Finally, there’s Internet Explorer, where the process is altogether more convoluted. US-CERT gives manual instructions, but there’s also a specific registry editing file which, when imported, prevents any Java from being loaded. Performed manually, you need to create and import a .REG file with the following:

Windows Registry Editor Version 5.00

; Zero the EditFlags on the JNLP file type so IE no longer opens JNLP content silently
[HKEY_CLASSES_ROOT\JNLPFile]
@="JNLP File"
"EditFlags"=hex:00,00,00,00

This changes Internet Explorer’s security settings to demand permission to run Java by default. Further disabling can be done by removing the file “jp2iexp.dll”, which is commonly found at the following locations:

C:\Program Files\Java\jdk{version}\jre\bin
C:\Program Files\Java\jre7\bin
C:\Program Files\Oracle\JavaFX {version} Runtime\bin

Next, locate and delete any instances of the “npjpi{version}.dll” file, where {version} is a string of numbers related to the version of Java installed (e.g. npjpi170_06.dll). That file is commonly found at the following locations:

C:\Program Files\Java\jdk{version}\jre\bin
C:\Program Files\Java\jre7\bin
C:\Program Files\Oracle\JavaFX {version} Runtime\bin

I want to get rid of Java altogether

The safest option of all, of course, is to uninstall Java completely. Instructions for doing that on Windows are here, while Mac instructions are here. In brief, Windows users should go to either the “Programs and Features” option or the “Add/Remove Programs” option, depending on which version of the OS they’re running, and uninstall Java from the list of installed applications.

For Mac users, it involves opening Finder and searching for “JavaAppletPlugin.plugin” then moving that to the Trash. Administrator privileges are required to do that.
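If you’ve followed the Internet Explorer steps above, the following read-only PowerShell audit checks whether the Java plug-in DLLs named in the guide are still present in the listed directories and whether the JNLPFile EditFlags value from the .REG snippet has been applied. It is an example added here, not part of the SlashGear guide; it assumes the same paths as the guide, with a wildcard standing in for the {version} placeholders.

```powershell
# Added audit script (not from the original guide). Read-only: it reports,
# it does not delete files or change the registry.

function Get-JavaPluginDlls {
    # Directory patterns from the guide; '*' replaces the {version} placeholder.
    $dirPatterns = @(
        "C:\Program Files\Java\jdk*\jre\bin",
        "C:\Program Files\Java\jre7\bin",
        "C:\Program Files\Oracle\JavaFX * Runtime\bin"
    )
    foreach ($pattern in $dirPatterns) {
        # Resolve-Path expands the wildcard; directories that don't exist are skipped.
        $dirs = Resolve-Path -Path $pattern -ErrorAction SilentlyContinue
        foreach ($dir in $dirs) {
            # Both the IE plug-in DLL and any versioned npjpi DLL (e.g. npjpi170_06.dll).
            Get-ChildItem -Path (Join-Path $dir.Path "*") `
                -Include "jp2iexp.dll", "npjpi*.dll" -ErrorAction SilentlyContinue
        }
    }
}

function Test-JnlpEditFlags {
    # HKCR has no default drive in PowerShell, so go through the Registry:: provider.
    $key = "Registry::HKEY_CLASSES_ROOT\JNLPFile"
    if (-not (Test-Path -Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name EditFlags -ErrorAction SilentlyContinue).EditFlags
    if ($null -eq $flags) { return $false }
    # REG_BINARY is returned as a byte array; the .REG snippet sets all four bytes to 00.
    return (@($flags | Where-Object { $_ -ne 0 }).Count -eq 0)
}

$dlls = @(Get-JavaPluginDlls)
if ($dlls.Count -eq 0) {
    Write-Output "No Java browser plug-in DLLs found in the locations listed in the guide."
} else {
    Write-Output "Java plug-in DLLs still present:"
    $dlls | ForEach-Object { Write-Output ("  " + $_.FullName) }
}

if (Test-JnlpEditFlags) {
    Write-Output "JNLPFile EditFlags is zeroed: IE will demand permission before running Java, as the .REG snippet intends."
} else {
    Write-Output "JNLPFile EditFlags does not match the .REG snippet; the registry change has not been applied."
}
```

Run it from an elevated PowerShell prompt if the Program Files directories are not readable by your account; a clean result from both checks means the IE-side mitigation described above is in place.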


Turn off Java, they warn… Here’s how you do it is written by Chris Davies & originally posted on SlashGear.