Disable Java NOW, users told, as 0-day exploit hits web

A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available. The vulnerability is present in the Java Runtime Environment (JRE) version 1 …

COMMENTS


wow

First rule of desktop security is to remove Adobe Flash, Reader and all Java runtimes. As long as those malware portals are on your system if you ever connect to the internet you might as well assume your box is pwned.

11
33

@asdf - Re: wow

True.

Unfortunately, you will also lose half the web removing those.

34
1

Re: wow

2nd rule is to then buy an Apple tablet.

Take away all of the stuff that does anything outside of the walled garden and you are in the same territory.

2
33

Re: @asdf - wow

Well, if you use Chrome you get Flash sandboxed, which is a decent compromise assuming you don't mind Google collecting data. Damned if you do somewhat. As for Java, as mentioned, virtually no non-corporate desktop will notice it's gone. Java has largely been a fail on the consumer desktop.

7
4

apparmor

Can't you just enable the Firefox AppArmor profile? Yes, for this you need to be running GNU/Linux with AppArmor installed.

3
3
Anonymous Coward

Re: wow

It would be lovely to remove Java, but unfortunately, I'd have to quit my job as a lot of the hardware (and websites) I use require it.

So nice in theory, useless in practice.

5
1
Anonymous Coward

assuming you don't mind Google collecting data.....

Then use Iron instead of Chrome. Can't believe technical people use Chrome over Iron.

5
5
Anonymous Coward

Re: @asdf - wow

That's not really true any more. You lose a little bit from Flash, but not as much as you'd think. You can use an alternative PDF reader, too. Just keep it up to date (Secunia PSI is useful for some folks in this respect).

As for Java, since being exposed to twelve-year-old Minecraft bores on my Mumble server, I have never felt an urge to play it, and thus never missed Java on my desktop machines.

3
1

Re: wow

You forgot -> remove Windows

7
18
JDX

Re: wow

Not going on the internet is also a wise move. I suggest asdf takes this precaution immediately.

9
1
Anonymous Coward

Re: wow

Very soon, no person in Denmark will be able to interact with a financial institution or the government via the internet without the use of Java. It is already more or less 100% true, but there are a few holes left.

Here in this little duck pond, JAVA is the ONLY GAME IN TOWN.

I think we are not the only ones on the planet having this shoved down our throats.

0
0
Anonymous Coward

Re: wow

Yes, I seem to have it installed to run Navisphere and various other management tools provided by hardware suppliers.

0
0


Re: wow

Thus why I said on consumer desktops/laptops. The corporate world is the main place it found its niche. It's not a bad language necessarily (although managed code in general is a joke imho) but the Snoracle VM implementation has always been sh_t. Java's biggest problem has always been its steward.

0
0

Re: wow

Sounds like another parochial Java programmer hoping to make it to retirement before Larry ruins the ecosystem.

0
1

Re: wow

Yeah, that will make for an interesting experience online....

0
0

Re: 2nd rule is to then buy an Apple tablet.

Marvellous trollage, Alan!

1
0

Re: You forgot -> remove windows

hehe... hehe... hehe... pfft.

Twat.

0
1

Let's be realistic, eh?

Or was that just a troll post? People want to do the things that are enabled by your so-called "malware portals".

I think the first rule of security ought to be that companies have some liability for their security failures. Not so bad as to bankrupt them, but at least a significant fraction coming from somewhere near the top. Since I really doubt that most companies could afford to pay for the damage their security incompetence causes, I think the best compromise would probably be to take a fraction of their after-tax profits to be distributed to their victims, where the fraction would go up or down mostly in response to the trends. In other words, delivering more secure software should have an impact on the bottom line.

Just to use the most extreme example of the most extreme abuse, I have to point at Microsoft. They have led the way in disavowing ANY financial liability for the SEVERE consequences of their LOW priority on security. Yes, they have improved in recent years, but other companies like Oracle have picked up the torch for security LAST. My own belief is that if Microsoft had paid for all the damage caused by flaws in their software, they would have gone bankrupt long ago, but their lawyers shucked all those costs on the victims.

Of course the punchline is that most of the victims never even got to choose Microsoft because Microsoft had deliberately destroyed the alternatives and because Microsoft was mostly selling to the computer makers, not the end users. You just use Microsoft because it was already there on your computer--and ditto the bugs and the suffering.

5
0


WTF? Java stopped being malware?

It's disturbing that however hard I try to disable Java updates or Java browser plugins they just keep coming back like zombies. Java behaves like malware before malware tries to use it as a malware vector ;(

18
3

Re: WTF? Java stopped being malware?

Indeed, I distinctly remember disabling JRE in Firefox a few months back when it caused some issues. Just checked and it's been re-enabled, wonder when that happened.

3
1

Re: they just keep coming back like zombies

Dude, don't disable it - uninstall it! It only takes, what, two minutes to re-install once the panic is over. tbh I'd not bother re-installing, but that's just me.

0
0

Re: WTF? Java stopped being malware?

I use nothing Java (maybe pingtest.net, but that's only for the packet loss part; I do not really need pingtest.net to tell me my Virgin Media connection is dropping packets). I just uninstalled it myself.

For Chrome users: if you have Click to play ticked, plugins will not load unless you click on them to start them (Java, Flash, PDF files or anything that is not native to Chrome).

0
0
HMB

You can at least make a case for Adobe Flash on a computer, but Java? Only the most annoying websites want you to have Java installed.

6
13
Anonymous Coward

Depends on your definition of annoying

I have yet to see an online collaboration and conferencing tool which does not use java.

Microsoft NetMeeting, WebEx, etc. all are 100% Java based.

On the positive side these are corporate gimmicks and can be whitelisted leaving the rest of the web javaless.

7
1
Anonymous Coward

Re: Depends on your definition of annoying

Wasn't NetMeeting last used in Windows 95...? You could enable it in XP, but even all those years ago it was deprecated and hidden...

3
2
HMB

Wow

I really wasn't expecting to upset anyone! You guys are sensitive!

I haven't installed Java for the web for over 7 years.

I grant you that in a corporate environment it may well be required and an asset for maybe one or two apps, but in a domestic setting or a business environment where there is an alternative support method I just haven't seen a useful Java app for web. Clunky old IRC clients and Rich Text Editors don't count.

3
6
Anonymous Coward

"Most Annoying" - Like the Tax Office?!

NemID - Common login for @everything in Denmark is based on Java, obfuscated Java hidden in GIF files & other Haxor-security techniques are used too. ... All of your eggs R belong to Our Basket!

1
0
JDX

Only the most annoying websites want you to have Java installed.

And about a zillion web-based games.

0
0

Re: Wow

Anyone using web based applications such as Jira with screenshot paste capabilities etc. relies on the JRE for those features to work.

(just to share a real, current example)

1
0

Re: Depends on your definition of annoying

I think it's called Live Meeting now. If you go to any Microsoft presentation on the web about new stuff you tend to use it. Plenty of businesses use it too for video conferencing.

0
0

Real life

These days, if you have Java, you have it because you absolutely need it.

1
0
Anonymous Coward

Live Meeting and Java

There's a "native" Live Meeting client, and a "web-access" client. The native client isn't Java-based, but you need a) Windows, and b) rights to install an application. The web-access client is Java-based and works for Mac and Linux clients.

1
0

Re: Real life

Hmmm. I just turned off JavaScript on this browser and suddenly El Reg looks a bit different....

0
3
Anonymous Coward

Re: Real life

Java != Javascript. 1/10, must try harder.

2
0
Anonymous Coward

I agree

There is no place for Java on my PC and I also really hope that it will just go away one day as a development runtime for desktop OSs. I don't mind it running on mobile devices, but the way it behaves on desktop PCs is just annoying. That's not to mention that it's very slow, and that the original idea of providing a truly cross-platform solution didn't quite work out. Unfortunately too many universities still have programming classes that teach Java as introductory courses. Does anyone actually develop applets these days? Come on people, it is time to switch to either Flash or Silverlight. You can already take advantage of the microphone and web camera on Google Chrome using just HTML5. We need to keep supporting innovative promising technologies, not a 20 year old workaround.

0
2

Re: I agree

Can you point me to the latest silverlight for Linux and Android? Official one, same features and support as win one.

2
1
Anonymous Coward

Re: I agree

I don't think Android can run Java Applets either. Linux? I haven't had a chance to run Silverlight on that OS, but I bet you can still use Flash for pretty much anything applets are capable of. In my recent experience, development of plugin applications is only needed if I have to access hardware (i.e. webcam), which is soon going to be unnecessary with extensive HTML5 support. HTML5 and JavaScript backed by, say, Node.js, are more powerful than you probably think.

0
0

Unfortunately many things require the Java runtime. Many things. I certainly hope Oracle will see their way clear to temporarily ignore their policy of being against the world, and release a patch ASAP. You just can't hold the keys to something like Java and take a few months to patch an existing exploit.

17
1

Unfortunately - as I guess you know - they can, and they do.

12
1

Such as?

What high profile websites require Java to be enabled? When I last reinstalled my laptop I forgot to install Java and it was over a month before I noticed. I have never noticed Java's absence on my iPhone. Never. Not once.

Flash is going away too. While there are still plenty of videos that require Flash on the web, sites that require it for navigation are becoming quite rare, and the videos are less numerous than they used to be. Now that Android can't run Flash in the future, that abomination should quickly disappear from the web entirely, at least from any sites that ever hope to attract any mobile users at all.

It's a good thing cross-platform stuff like Java and Flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything out there is a disaster waiting to happen. Java code has run in a sandbox since version 1.0, and it still isn't safe even now, so it's quite obvious it never will be. Good riddance.

Maybe someone will try again in the future, running the cross platform managed code in a VM, since they obviously can't be trusted to program a secure sandbox.

7
14
Anonymous Coward

What high profile websites require Java to be enabled?

All the ones required to do my job. Not high profile, but critical.

14
3
Anonymous Coward

Re: Such as?

Flash may be going away, but it is still extensively used, and not just for video or navigation. I've no idea what HTML5 is capable of, but can it do what car manufacturers use Flash for? Go to most major manufacturers' sites and Flash is there, and is very useful. Choose your model, paint colour, interior trim, wheels, and see a picture of your chosen car, in a 360 degree rotational model.

I have no idea what those sites look like to those poor unfortunate souls who bought inferior devices incapable of running Flash, but some of them look pretty damn good in all their Flash goodness.

1
9
Anonymous Coward

Re: in all their Flash goodness?

If I want an all-round view of my new car I turn up at the local motor auction a bit early.

1
1

Re: "It's a good thing cross platform stuff ..."

"It's a good thing cross platform stuff like Java and flash are going away, too, because anything that potentially provides a single attack that works against pretty much everything"

How will the picture be better when cross-platform HTML 5 and HTML 5 Video are the standard?

1
0
Anonymous Coward

Re: in all their Flash goodness?

"If I want an all-round view of my new car I turn up at the local motor auction a bit early."

Do you find their address using the paper copy of the yellow pages and a road atlas?

Well, if you don't like using technology...

1
3

Anonymous Coward

Re: Such as?

Well, every damn one of the financial apps at the outfit where I'm working requires it. And it's a damn big shop. Takes months to get things changed. In fact, you might say it practically takes an Act of Congress to do so.

0
0

Re: Such as?

@AC 08:21

The Land Rover website used to have a Flash car configurator like you describe, but just the other week they replaced it with a non-Flash version. Same end user experience, but now also works on non-Flash devices. So it shouldn't be an issue for any car manufacturer.

4
0
