Java plugin threat to OpenSuse 12.1?

Hello list, moderators!

I don’t see anything under Applications regarding the recent Oracle/Java plugin security chatter that’s on the web.

Should I do anything myself in response?

Some websites suggest uninstalling Java.

My Firefox is up to Vs 18.0. I see that I have five rpms installed with java in their title.

Is this “threat” something that OpenSuse 12.1 will deal with using updates?

Heboland

If you use Firefox you can use the NoScript addon and block Java content on all websites.
I don't know the exact component, but Java is required for some of the functionality of LibreOffice.

The default is to use openjdk (or IcedTea), rather than the oracle version of java. You can maybe check which you have.

For me, it is openjdk. I also use “noscript” which should protect me against java being used from sites that I have not whitelisted in “noscript”.

If you are using the oracle java, then you can disable the plugin for firefox, which is easier than uninstalling and easier to reverse.
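The check nrickert suggests (which JRE is actually installed, and whether it is the affected one) can be scripted. The following is an added example written for this page, not code from the thread or from openSUSE: it lists the RPMs with "java" in the name, shows which binary `java` resolves to, parses the `java -version` string, and flags a Java 7 runtime at update level 10 or lower, the range the NVD text for CVE-2013-0422 quoted later in this thread names. The plugin directories searched are assumptions about where openSUSE and Firefox keep NPAPI plugins; the two parsing functions work on the `java -version` output format, so they can be exercised without a JRE present.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Inventory Java on an openSUSE 12.x box and flag a JRE in the range that the
# NVD entry for CVE-2013-0422 names: "Java 7 Update 10 and earlier".
# Plugin directories below are assumptions about the openSUSE/Firefox layout.

# parse_java_version TEXT
# Extract the quoted version string from `java -version` output,
# e.g. 'java version "1.7.0_10"' -> 1.7.0_10. Prints nothing if absent.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_affected VERSION
# True (exit 0) when VERSION is Java 7 with update level 10 or lower.
# Java 6 and earlier, and Java 8 and later, fall outside the quoted range.
java_affected() {
    case "$1" in
        1.7.0)   return 0 ;;                 # 7 GA: no update suffix at all
        1.7.0_*) upd=${1#1.7.0_} ;;
        *)       return 1 ;;
    esac
    upd=${upd%%[!0-9]*}                      # drop build tags such as "-b18"
    [ -n "$upd" ] && [ "$upd" -le 10 ]
}

# java_inventory
# Print what is installed, what `java` resolves to, and any plugin files
# that look like a Java/IcedTea NPAPI plugin. Output depends on the box,
# so this part is for reading, not for asserting on.
java_inventory() {
    echo "== RPMs with 'java' in the name =="
    rpm -qa | grep -i java | sort

    echo "== JRE that 'java' resolves to =="
    if command -v java >/dev/null 2>&1; then
        readlink -f "$(command -v java)"     # follows the /etc/alternatives symlinks
        raw=$(java -version 2>&1)
        ver=$(parse_java_version "$raw")
        echo "version: ${ver:-unknown}"
        if java_affected "$ver"; then
            echo "WARNING: Java 7 Update 10 or earlier - inside the CVE-2013-0422 range"
        else
            echo "not in the Java 7 Update <= 10 range (still check the vendor advisory)"
        fi
    else
        echo "no 'java' on PATH"
    fi

    echo "== browser plugin files that look like Java =="
    # Assumed locations: openSUSE system plugin dirs and the per-user Mozilla dir.
    for d in /usr/lib/browser-plugins /usr/lib64/browser-plugins "$HOME/.mozilla/plugins"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 \( -iname '*java*' -o -iname '*icedtea*' \) -exec ls -l {} \;
    done
}

# Run the inventory only when executed under the assumed file name,
# so the file can also be sourced for its functions.
if [ "${0##*/}" = "java_check.sh" ]; then
    java_inventory
fi
```

Save it as java_check.sh and run it as the user whose Firefox profile should be checked; the plugin listing is what tells you whether a browser can reach the JRE at all, independently of which JRE the desktop uses.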

On 01/13/2013 05:16 AM, vazhavandan wrote:
>
> If you use Firefox you can use NoScript addon and block java content on
> all websites

NoScript blocks javascript only…which has nothing at all to do
with the security threat posed by Java…


dd http://goo.gl/PUjnL
http://tinyurl.com/DD-Caveat http://tinyurl.com/DD-Hardware
http://tinyurl.com/DD-Software

On 2013-01-13 12:25, dd wrote:
> On 01/13/2013 05:16 AM, vazhavandan wrote:
>>
>> If you use Firefox you can use NoScript addon and block java content on
>> all websites
>
> NoScript blocks javascript only…which has nothing at all to do
> with the security threat posed by Java…
>

And what is that security threat? With my limited internet I haven't
read anything yet.

(argh… I don’t even have a spell checker in th now)


Cheers/Saludos
Carlos E. R. (12.1 test at Minas-Anor)

On 13.01.2013 05:16, vazhavandan wrote:
> I don't know the exact component but some of the functionality of
> LibreOffice requires Java
>
Java desktop programs (or Java that is part of desktop or CLI programs)
have nothing, really absolutely nothing, to do with the security flaws found when
Java is used in browsers, where it is supposed to run sandboxed.

Please don't mix those up: outside the browser plugins, Java is just another
programming language running on top of a small virtual machine, like many
other programming languages (clang/llvm, clisp, python, ocaml …), and
has no more and no fewer security flaws than anything else (for most of
these the operating system and its helper programs will take care of it).


PC: oS 12.2 x86_64 | i7-2600@3.40GHz | 16GB | KDE 4.8.5 | GTX 650 Ti
ThinkPad E320: oS 12.2 x86_64 | i3@2.30GHz | 8GB | KDE 4.9.4 | HD 3000
eCAFE 800: oS 11.4 i586 | AMD Geode LX 800@500MHz | 512MB | lamp server

Actually, it was not that simple to find a reference. Everyone talks about threats and nobody gives any reference.
This is CVE-2013-0422 (National Vulnerability Database entry: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422):

The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013

and in CERT TA13-010A:

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a “drive-by download” attack).

On 01/13/2013 12:46 PM, Carlos E. R. wrote:
> And what is that security threat? with my limited internet I haven’t
> read anything yet.

There is a posting in nntp://opensuse.org.news.tech-news from Malcolm
yesterday giving a URL (below) which is an image-heavy "TV news site", so
I'll give some TEXT highlights first:

The U.S. Department of Homeland Security is advising people to
temporarily disable the Java software on their computers to avoid
potential hacking attacks. . . Experts believe hackers have found a flaw
in Java’s coding that creates an opening for criminal activity and other
high-tech mischief . . .The malware has currently been seen attacking
Windows, Linux and Unix systems . . . Apple has taken steps to block it
by issuing an update to its built-in XProtect system to block the
current version of the Java 7 runtime. . .
© 2013 CBS Interactive Inc. All Rights Reserved. This material may not
be published, broadcast, rewritten, or redistributed. The Associated
Press contributed to this report.

http://www.cbsnews.com/8301-205_162-57563619/u.s-tells-computer-users-to-disable-java-software/


dd

On 2013-01-13 13:35, dd wrote:
> On 01/13/2013 12:46 PM, Carlos E. R. wrote:
>> And what is that security threat? with my limited internet I haven’t
>> read anything yet.
>
> there is a posting in nntp://opensuse.org.news.tech-news from Malcolm
> yesterday giving a URL (below) which is an image heavy “TV news site” so
> i’ll give some TEXT highlights first:

Thanks, and also to arvidjaar.

It seems serious.

Well, it seems that it affects Java 7 only; I'm using the previous version.


Cheers/Saludos
Carlos E. R. (12.1 test at Minas-Anor)

I have not investigated in detail, but it does seem to have a facility to block various plugins.
Refer: Screenshot (SUSE Paste)

I think almost all versions of Java in use are listed:
National Vulnerability Database entry for CVE-2013-0422

On 2013-01-13 14:26, vazhavandan wrote:
>
> robin_listas;2517910 Wrote:
>>
>> Well, it seems that it affects jave 7 only, I’m using the previous
>> version.
>>
> I think almost all versions of JAVA in use are listed
> ‘National Vulnerability Database (NVD) National Vulnerability Database
> (CVE-2013-0422)’
> (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422)

Oh :-(


Cheers/Saludos
Carlos E. R. (12.1 test at Minas-Anor)

Wrong!

Check “noscript” options, the “Embeddings” tab. There you can block java, flash, silverlight, other plugins, frame, iframe - for untrusted sites. Actually, you can block for trusted sites too, and then individually enable.

On 01/13/2013 03:16 PM, nrickert wrote:
>
> Wrong!

You are right! I thought NoScript was true to its name (and blocked
JavaScript)… I believe that was the way it started out, years ago, and
am happy to see it has expanded its capability to also block Java (which
has nothing to do with JavaScript).

good! now we all know how to block the browser’s Java, while waiting on
the vulnerabilities to be fixed…

yipee!


dd

Yes, the "NoScript" name is misleading. It should say "NoEverything". It can block many plugins along with blocking ECMAScript (JavaScript).

On 01/14/2013 04:26 AM, vazhavandan wrote:
> yes the “NoScript” name is misleading

As I recall, it started life true to its name… and now has apparently
morphed into "NoEverything"… which is OK, just I hadn't noticed…


dd

I’m the OP on this thread – my thanks to all of you for your responses!

Looking further into my 12.1 updated firefox (Vs 18.0), I see that this FF has an IcedTea-Web plugin 1.3.1 (suse-17.1-i386).

If I have this 18.0 FF search plugins for NoScript, Vs 2.6.4.2 is what would install.

After reading all the replies to this thread, I’m not sure if I need NoScript with the IcedTea or not.

For now I’m going to pass on the NoScript install and see if I get any advice regarding the wisdom of doing that install.

Heboland.

@OP: feel free to disable the plugin in Firefox.
Also, Oracle seems to have patched the product. Please expect an upgrade soon :-)
Oracle patches widespread Java zero-day bug in three days (Updated) | Ars Technica

Thank you vazhavandan!

If I interpreted your comment correctly, I disabled the IcedTea and did not install noscript.

When new java plugins are available, should I expect that I have to manually enable them?

Heboland.

You are welcome. If you use multiple browsers then you may need to disable it in all of them too. For example, in Opera you can go to opera:plugins and disable the relevant plugins.

If you want to feel safe you may disable it. Disabling the plugin will not affect LibreOffice or any other desktop application which requires Java.

You can keep it disabled until you need to run an applet or need to run JNLP.
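vazhavandan's two points above (disable the plugin in every browser, keep the JRE for LibreOffice) can also be handled once at the filesystem level on a multi-browser box: park the NPAPI plugin file (IcedTea's or Oracle's) outside the shared plugin directory, and move it back when an applet or JNLP is needed. The following is an added example written for this page, not something the thread or openSUSE describes; it is an alternative to the per-browser toggles discussed above, the default paths in the usage comment are assumptions about the openSUSE layout, and the functions take their directories as arguments so they can be exercised in a scratch directory.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Park (and later restore) NPAPI Java plugin files so that every browser that
# reads the system plugin directory loses the plugin at once, while the JRE,
# LibreOffice and other desktop Java are left untouched.
# Paths in the usage comment are assumptions about the openSUSE layout.

# is_java_plugin NAME -> true for file names that look like a Java plugin
# (IcedTeaPlugin.so from icedtea-web, libnpjp2.so / libjavaplugin* from Oracle).
is_java_plugin() {
    case "$1" in
        *[Ii]ced[Tt]ea*|*[Jj]ava*|libnpjp2.so) return 0 ;;
        *) return 1 ;;
    esac
}

# disable_java_plugin PLUGDIR PARKDIR
# Move every Java-looking entry (regular file or symlink, dangling or not)
# from PLUGDIR to PARKDIR. Prints the number of entries moved.
disable_java_plugin() {
    plugdir=$1; parkdir=$2
    mkdir -p "$parkdir" || return 1
    moved=0
    for f in "$plugdir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # unmatched glob or nothing there
        is_java_plugin "${f##*/}" || continue
        mv "$f" "$parkdir"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# restore_java_plugin PARKDIR PLUGDIR
# Put everything parked earlier back. Prints the number of entries restored.
restore_java_plugin() {
    parkdir=$1; plugdir=$2
    restored=0
    for f in "$parkdir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        mv "$f" "$plugdir"/ && restored=$((restored + 1))
    done
    echo "$restored"
}

# Usage on a real box (as root), with assumed openSUSE paths:
#   . ./park-java-plugin.sh
#   disable_java_plugin /usr/lib64/browser-plugins /root/parked-java-plugin
#   (restart the browsers; verify with about:plugins / opera:plugins)
#   restore_java_plugin /root/parked-java-plugin /usr/lib64/browser-plugins
```

Because only the plugin entry in the browser plugin directory is moved, `java`, LibreOffice and anything else that starts the JVM directly keep working; an update to the icedtea-web or Oracle package will put a fresh plugin back, so re-run the check after updating.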