[SOLVED] Java plugin alert

kikinovak · 09-08-2012, 12:29 AM

Hi,

When browsing the web - using Seamonkey or Firefox - I get a Security alert about the installed JRE plugin, and a notification that this plugin will be deactivated.

How serious is the security threat? What's the best remedy to the problem? Is there a patch somewhere to fix this?

kikinovak · 09-08-2012, 12:55 AM

's OK. After googling some more, I found the answer to my question. In another thread on LQ.

tronayne · 09-08-2012, 06:55 AM

If you are using Oracle Java (as I am) be aware that there are other problems; from Java Still Not Safe, Security Experts Say (http://www.informationweek.com/secur...-say/240006876:

Quote:

Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.

Essentially, keep an eye on news reports and http://www.oracle.com/technetwork/java/index.html until things get fixed.

Hope this helps some.

kikinovak · 09-15-2012, 02:08 AM

Now I know that in theory, there's no security threat involved in letting the plugin activated, I wonder if there's a way to disable the security alert from popping up at seemingly random intervals. I'm thinking about my users, who will not hesitate to phone me at 7 AM on a Sunday to whine into the phone : "I HAVE A SECURITY ALERT !?! DID I CATCH A VIRUS ?!? BUT YOU SAID YOUR LINUX THINK WAS IMMUNE TO VIRUSES !?! WHAT DO I HAVE TO DO NOW ?!?"

tronayne · 09-15-2012, 08:24 AM

I'm not sure that you actually can disable the security alert in, say, Firefox or Seamonkey (unless you went into the source code and did it there?). It pops up every so often because Firefox and Seamonkey check plugins and add-on periodically.

Might not be a bad idea to notify users, perhaps by having them read the US-CERT article at http://www.kb.cert.org/vuls/id/636312 or include the instructions from that article about how to disable the plug-in (with the links).

Probably better than calls at 0700 Sunday, eh?

Hope this helps some.

kikinovak · 09-15-2012, 11:05 AM

Quote:

Originally Posted by tronayne

I'm not sure that you actually can disable the security alert in, say, Firefox or Seamonkey (unless you went into the source code and did it there?). It pops up every so often because Firefox and Seamonkey check plugins and add-on periodically.

Might not be a bad idea to notify users, perhaps by having them read the US-CERT article at http://www.kb.cert.org/vuls/id/636312 or include the instructions from that article about how to disable the plug-in (with the links).

Probably better than calls at 0700 Sunday, eh?

Hope this helps some.

Isn't there even one single option in the ocean of about:config that tells Seamonkey/Firefox to just STFU about this? The question is: which one?

AlleyTrotter · 09-15-2012, 01:45 PM

kikinovak
Be proactive send all your customers an email stating:
"We have already repaired the security flaw described in the notification for java you are receiving in your browser, please ignore it.
We at (insert company name here) are always looking out for your best interest
We are current developing a fix for the Firefox alert"

LOL
john

kikinovak · 09-15-2012, 02:10 PM

Quote:

Originally Posted by AlleyTrotter

kikinovak
Be proactive send all your customers an email stating:
"We have already repaired the security flaw described in the notification for java you are receiving in your browser, please ignore it.
We at (insert company name here) are always looking out for your best interest
We are current developing a fix for the Firefox alert"

LOL
john

The problem is: my users are mostly students, and I don't have their every single mail address. Nah, deactivate the security check it must be.

T3slider · 09-15-2012, 03:30 PM

See here and here. From the first link:

Quote:

" I solved it. Proceed at your own risk

Open new Tab
Navigate to about:config
Accept security warning
Change extensions.blocklist.enabled to false
Restart browser

This prevents firefox from checking the blocklist you have configured at extensions.blocklist.detailsURL "

I would personally be wary about doing this...at least it would require more vigilance in monitoring your plugins manually for potential vulnerabilities (though I understand why, in your situation, it may be desirable).

brianL · 09-15-2012, 03:42 PM

Try Eric's OpenJRE and iced-tea packages, mentioned here:
http://alien.slackbook.org/blog/open...es-more-flaws/

kikinovak · 09-15-2012, 04:17 PM

Quote:

Originally Posted by T3slider

See here and here. From the first link:

I would personally be wary about doing this...at least it would require more vigilance in monitoring your plugins manually for potential vulnerabilities (though I understand why, in your situation, it may be desirable).

T3slider, you're a star! That's exactly what I've been looking for.