brought to you by Oracle Corp.
Don't call now...
Larry is on a yacht in the middle of the Indian Ocean and can't be bothered.
Last Nail Into The Coffin
...of Browser-based Java.
I would have expected Larry to personally direct someone to fix this issue UNTIL NEXT MORNING 10:00.
Apparently the fix is clear - validate the input to the web start *.jar downloading mechanism. They could have added a config file that allows you to enable the old mechanism for selected source hosts, to be 100% sure end users can re-enable legacy apps.
As Oracle apparently has much more important priorites, I suggest they just throw away all the client-side java stuff. Users will disable it anyhow, now. Or not install Java after being hacked and having had to reinstall their PC.
I just removed Java for good from my machine.
Another job for noscript, or if possible, just not having f'king Java installed.
"The vulnerability has existed since April 2008, when Sun introduced the Java Web Start feature in Java 6, update 10."
They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?
Re: Research fail
"They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?"
Correct about initial release of JWS. The issue with 6u10, which introduced this "vulnerability by design" was that they made JWS more directly accessible, via the "Deployment Toolkit" ActiveX control (for IE) and the equivalent NPAPI plugin for (most) other browsers. This current exploit depends on the 6u10+ "improvement" in JWS functionality.
Maybe they could outsource...
Adobe are perfect, and will sue anyone who says they aren't!
Disable Java and JDT
Disabling Java _and_ the Java Deployment Toolkit plugin should work for Firefox.
Java isn't magic - Firefox can't handle JNLP without a plugin any more than it can handle Flash by itself.
"Short of uninstalling Java altogether, it's not easy to prevent"
really? FF+NoScript wouldn't prevent it?
What are oracle doing?
The security sandbox of Java is supposed to be one of its main selling points...
Pull your finger out and fix it, you bellends.
Why all the fuss ?
It's fixed and released. JRE 6u20 is out.
@Why all the fuss ?
First Oracle did not display a determination to fix the bug immediately. And according to some reports, it does NOT fix the issue:
"Das Java-Update führt offenbar nicht in allen Fällen dazu, dass der bekannte Exploit nicht mehr funktioniert. Die Ursache ist derzeit unklar. Alternativ hilft es weiterhin, beim Internet Explorer das Killbit für das verantwortliche ActiveX-Control zu setzen, beispielsweise indem man folgenden Text in der Datei kill.reg speichert und die Datei dann doppelklickt:"
English: ..Apparently the fix does not always work...disable plugin with killbit....
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'
- Analysis BlackBerry's turnaround relies on a secret weapon: Its own network
- Hire and hold IT staff in 2015: The Reg's how-to guide