Java can't be disabled in Internet Explorer 9 - any clues?
RussJK
Posts: 2,359 Forumite
I was testing various browsers and their behaviour with Java. I wanted to know if an exploit kit could activate Java if the Java plugins had been disabled.
Surprisingly in Internet Explorer 9 - no amount of disabling prevents Java from loading using the test page (http://java.com/en/download/testjava.jsp). Try it yourself.
No matter what settings I do, I can't prevent Java from loading in Internet Explorer 9 - at least without severely crippling the browser.
In Firefox or Opera, one simply disables the two Java plugins and that is all that's required - but in Internet Explorer 9, Java behaves really badly and ignores user choice.
In the case of an exploit kit, IE9 allowed Java to be exploited with a trojan (using a vulnerable version of Java).
I'll go through the steps I took in my next post.
Comments
First I installed Java, doesn't matter if it's the latest or not (I'd tried both ways), and upon loading IE9 said 'don't enable plugins':

I have to then manually click Tools > Manage add-ons, then change the view to 'All add-ons' to see the three hidden Java activex controls, which I set to disabled:
Accessing the Java test page, Java is able to load without a problem:
and a new Java plugin is added to the add-ons list, set to Enable without even bothering to ask me.
I set 'Deployment Toolkit' to disabled, then reload the Java test page:
So once again Java has loaded without permission, and again it's added yet another plugin - also enabled without prompting:

So I disable isInstalled class, then confirm or make the following alterations:



When I return to the Java test page, I get prompted:
Despite selecting No, Java still loads:
Anyone have any clues how to disable Java in IE9, without completely destroying functionality with other plugins?
When I ran a vulnerable version of Java against an exploit kit, two trojan droppers (for Trojan Sinowal, a password stealing trojan) were downloaded and executed. This occurred despite disabling Java with the above (ineffective) methods.
It's a big security risk that one can't disable Java without going to extraordinary lengths.
Should you not be asking Microsoft and Sun Microsystems this?
Pesky_toolbar wrote: »Should you not be asking Microsoft and sun microsystems this?
Reminds me of a Dilbert comic, when the boss is going on a trip and doesn't want to be contacted:
"I'm reachable in Africa. Just call Africa and ask for me."
"I told them to expect your call."
Discovered a registry workaround that appears to work:
HKLM > Software > Javasoft > Java Plug-in > x.x.x_xx, then change 'UseJava2IExplorer' to 0 (from 1).
Afterwards you get a 'plugin failed to load properly' message on the Java test page.
I'll test with another exploit kit, as the one I was using yesterday no longer is accessible (again).
Ridiculous that one needs to use a registry editor just to disable a common browser plugin.
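The registry change described in the post above, scripted so it covers every installed plug-in version at once. This is an added example, not part of the original post; the function names are hypothetical, and the Wow6432Node path (32-bit Java on 64-bit Windows) is an assumption the post does not mention.

```powershell
# Added example: audit and set the UseJava2IExplorer value from the post.
# Run from an elevated prompt; writing under HKLM needs administrator rights.

function Get-JavaIEPluginState {
    param(
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
            # Assumption: 32-bit Java on 64-bit Windows registers here.
            'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # One subkey per installed plug-in version (the post's x.x.x_xx).
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            $prop  = $props.PSObject.Properties['UseJava2IExplorer']
            $value = $null
            if ($prop) { $value = $prop.Value }
            New-Object PSObject -Property @{
                Key               = $key.Name
                Path              = $key.PSPath
                UseJava2IExplorer = $value
            }
        }
    }
}

function Disable-JavaIEPlugin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in Get-JavaIEPluginState) {
        # Leave keys that lack the value, or already hold 0, untouched.
        if ($null -eq $entry.UseJava2IExplorer) { continue }
        if ($entry.UseJava2IExplorer -eq 0) { continue }
        if ($PSCmdlet.ShouldProcess($entry.Key, 'Set UseJava2IExplorer to 0')) {
            Set-ItemProperty -LiteralPath $entry.Path -Name 'UseJava2IExplorer' -Value 0
        }
    }
}

# Report the current state, then preview the change without writing anything.
Get-JavaIEPluginState | Format-Table Key, UseJava2IExplorer -AutoSize
Disable-JavaIEPlugin -WhatIf
```

Drop `-WhatIf` to apply the change, and re-run the audit after each Java update, since a newly installed version gets its own subkey.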
Not used IE for years mind but that's just stupid too difficult to bother with or are you just bored today?

Though it does amaze me how difficult they make it to be removed from a person's computer anyway.. It's never straightforward..
"If you no longer go for a gap, you are no longer a racing driver" - Ayrton Senna
Jeff_Bridges_hair wrote: »Not used IE for years mind but that's just stupid too difficult to bother with or are you just bored today?

Though it does amaze me how difficult they make it to be removed from a person's computer anyway.. It's never straightforward..
Just wanted to make sure I wasn't crazy, and I find it interesting
Before this, I might have told people they could at least reduce the risk of having Java by disabling it temporarily, or setting IE to 'prompt' before running Java - but there's no such ability without going to silly lengths. Even removing the Java BHOs with HijackThis didn't stop it running.
If Java is present, then exploit kits can run it no matter what browser settings are selected. This is grossly unsafe - just when I was starting to think Microsoft were making IE9 with security in mind.
Reasons to steer clear of both IE and Java really.
Don't you just need to disable 'Scripting of Java applets' in the custom level options?
Don't you just need to disable 'Scripting of Java applets' in the custom level options?
You'd think. Already tried it as 'prompt' as well as 'disabled', and Java still ran and was still able to be exploited.
None of the options in IE that I tried actually stopped Java. It's like a monster in a bad horror flick.