Old 09-08-2012, 12:29 AM   #1
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Java plugin alert


Hi,

When browsing the web - using Seamonkey or Firefox - I get a Security alert about the installed JRE plugin, and a notification that this plugin will be deactivated.

How serious is the security threat? What's the best remedy to the problem? Is there a patch somewhere to fix this?
 
Old 09-08-2012, 12:55 AM   #2
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
's OK. After googling some more, I found the answer to my question. In another thread on LQ.
 
Old 09-08-2012, 06:55 AM   #3
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

If you are using Oracle Java (as I am) be aware that there are other problems; from Java Still Not Safe, Security Experts Say (http://www.informationweek.com/secur...-say/240006876):
Quote:
Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.
Essentially, keep an eye on news reports and http://www.oracle.com/technetwork/java/index.html until things get fixed.

Hope this helps some.
 
1 members found this post helpful.
Old 09-15-2012, 02:08 AM   #4
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Now that I know that in theory, there's no security threat involved in leaving the plugin activated, I wonder if there's a way to disable the security alert from popping up at seemingly random intervals. I'm thinking about my users, who will not hesitate to phone me at 7 AM on a Sunday to whine into the phone: "I HAVE A SECURITY ALERT !?! DID I CATCH A VIRUS ?!? BUT YOU SAID YOUR LINUX THING WAS IMMUNE TO VIRUSES !?! WHAT DO I HAVE TO DO NOW ?!?"
 
Old 09-15-2012, 08:24 AM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

I'm not sure that you actually can disable the security alert in, say, Firefox or Seamonkey (unless you went into the source code and did it there?). It pops up every so often because Firefox and Seamonkey check plugins and add-ons periodically.

Might not be a bad idea to notify users, perhaps by having them read the US-CERT article at http://www.kb.cert.org/vuls/id/636312 or include the instructions from that article about how to disable the plug-in (with the links).

Probably better than calls at 0700 Sunday, eh?

Hope this helps some.

Last edited by tronayne; 09-15-2012 at 08:26 AM.
 
Old 09-15-2012, 11:05 AM   #6
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by tronayne
I'm not sure that you actually can disable the security alert in, say, Firefox or Seamonkey (unless you went into the source code and did it there?). It pops up every so often because Firefox and Seamonkey check plugins and add-ons periodically.

Might not be a bad idea to notify users, perhaps by having them read the US-CERT article at http://www.kb.cert.org/vuls/id/636312 or include the instructions from that article about how to disable the plug-in (with the links).

Probably better than calls at 0700 Sunday, eh?

Hope this helps some.
Isn't there even one single option in the ocean of about:config that tells Seamonkey/Firefox to just STFU about this? The question is: which one?
 
Old 09-15-2012, 01:45 PM   #7
AlleyTrotter
Member
 
Registered: Jun 2002
Location: Coal Township PA
Distribution: Slackware64-15.0
Posts: 780

Proactive

kikinovak
Be proactive: send all your customers an email stating:
"We have already repaired the security flaw described in the notification for Java you are receiving in your browser, please ignore it.
We at (insert company name here) are always looking out for your best interest.
We are currently developing a fix for the Firefox alert."

LOL
john
 
Old 09-15-2012, 02:10 PM   #8
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by AlleyTrotter
kikinovak
Be proactive: send all your customers an email stating:
"We have already repaired the security flaw described in the notification for Java you are receiving in your browser, please ignore it.
We at (insert company name here) are always looking out for your best interest.
We are currently developing a fix for the Firefox alert."

LOL
john
The problem is: my users are mostly students, and I don't have their every single mail address. Nah, deactivate the security check it must be.
 
Old 09-15-2012, 03:30 PM   #9
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,367

See here and here. From the first link:
Quote:
" I solved it. Proceed at your own risk

Open new Tab
Navigate to about:config
Accept security warning
Change extensions.blocklist.enabled to false
Restart browser

This prevents firefox from checking the blocklist you have configured at extensions.blocklist.detailsURL "
I would personally be wary about doing this...at least it would require more vigilance in monitoring your plugins manually for potential vulnerabilities (though I understand why, in your situation, it may be desirable).
 
1 members found this post helpful.
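For an administrator who applies the `extensions.blocklist.enabled` change quoted above, an audit of which profiles have the blocklist switched off shows where plugins now need manual monitoring. The script below is an added example, not code from this thread or from Mozilla; the function names are hypothetical, the sample profiles are constructed, and it assumes the standard `user_pref("name", value);` line format of `prefs.js` and `user.js`.

```python
import re
import tempfile
from pathlib import Path

BLOCKLIST_PREF = "extensions.blocklist.enabled"
# One assignment per line, e.g. user_pref("extensions.blocklist.enabled", false);
# Lines commented out with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(path, name):
    """Return the last value assigned to `name` in a prefs file, or None."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def blocklist_state(profile_dir):
    """Effective setting for one profile; user.js takes precedence over prefs.js."""
    for fname in ("user.js", "prefs.js"):
        value = read_pref(Path(profile_dir) / fname, BLOCKLIST_PREF)
        if value is not None:
            return "disabled" if value == "false" else "enabled"
    return "enabled (default)"

def audit(root):
    """Map every profile directory (one holding prefs.js) under root to its state."""
    return {str(p.parent.relative_to(root)): blocklist_state(p.parent)
            for p in sorted(Path(root).rglob("prefs.js"))}

def demo():
    # Constructed sample profiles, not taken from a real system.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "alice/abc.default/prefs.js": 'user_pref("extensions.blocklist.enabled", false);\n',
            "bob/def.default/prefs.js": '// user_pref("extensions.blocklist.enabled", false);\n',
            "carol/ghi.default/prefs.js": 'user_pref("extensions.blocklist.enabled", false);\n',
            "carol/ghi.default/user.js": 'user_pref("extensions.blocklist.enabled", true);\n',
        }
        for rel, body in samples.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(tmp)
```

Point `audit()` at the directory holding the users' home directories; on Linux, Firefox profiles normally live under `~/.mozilla/firefox/` and SeaMonkey profiles under `~/.mozilla/seamonkey/`.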
Old 09-15-2012, 03:42 PM   #10
brianL
LQ 5k Club
 
Registered: Jan 2006
Location: Oldham, Lancs, England
Distribution: Slackware64 15; Slackware64-current (VM); Debian 12 (VM)
Posts: 8,290
Blog Entries: 61

Try Eric's OpenJRE and iced-tea packages, mentioned here:
http://alien.slackbook.org/blog/open...es-more-flaws/
 
Old 09-15-2012, 04:17 PM   #11
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by T3slider
See here and here. From the first link:

I would personally be wary about doing this...at least it would require more vigilance in monitoring your plugins manually for potential vulnerabilities (though I understand why, in your situation, it may be desirable).
T3slider, you're a star! That's exactly what I've been looking for.
 
Tags
java, jre, plugin, seamonkey, security