A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …
"Write Once, Exploit Everywhere..."
And thats the reason I read the Reg!
Re: "Write Once, Exploit Everywhere..."
Good that Windows doesnt ship with Java....
> Mac OS X users who follow best practice and apply the latest version of software applications are more at risk of attack.
Actually Java 7 for OSX is only available as a developer preview directly from Oracle so it's installing it is neither best practise nor something many users will do.
Java 7 is available for the mac from oracle not as a developer preview just a normal release since java 7u4.
It is just not provided by apple or via software update, so unless you had a specific reason to download and install you will stay on java 6. Macs should thus be safe for almost all users.
This is the sound of a enormous ball being dropped
Unbreakable Larry? Where are you??
Re: This is the sound of a enormous ball being dropped
I think he's over there, balls deep in a mound of hundred dollar bills.
Chrome for Windows
Oddly enough there is a reported bug for Chrome on Windows that causes it it to treat the latest version of the Java plugin as out-of-date and will only enable it on demand. Serendipity, thy name is Google.
Oracles Official Response.
Security hole? Really, hold on.....
Sorry, just spoke to the team and they can't be arsed to look....have you tried turning it off and back on again?
Java is the gift that just keeps giving.. "Inb4" the humourless and misguided souls who will write long boring screeds about how home users should have java enabled in their browsers, based on a website that they saw ten years ago.
Maybe if I were Danish, it'd still be on my win7 machine, but restricted to certain sites, but otherwise, no thanks.
(People with god-awful corporate intranet things that need it and so forth are another matter, but I assume they make work pony up for the machine and manage it for them- so not their problem).
Use firefox and noscript
You can block the java plug-in (and other things) in firefox by using the noscript plugin then enable it on a temporary page-by-page or site-by-site basis if you really have to have java. You can even allow it on whitelisted sites if you feel brave.
Not that it is that important for me ... I just checked my setup and discovered that as well as being blocked my java is at 1.6 anyway. Ho hum.
Damn you Oracle...
Oracle has been the major force which made me seriously consider ditching Java. I already replaced MySQL with Postgres on all (2) office servers (internet servers running customer websites obviously can't be migrated "just like that") and I want to have as little to do with Oracle as possible.
And here we are... I recently 'upgraded' to version 7 to get to know it better. Put differently; even though I keep both JDK SE6 and SE7 on my Win7 PC I recently changed the path so that SE7 would come first. even though the SE6 JDK is favoured on my commandline (even on Windows with NetBeans available I like to play on the commandline too from time to time, backed up by Metapad).
Although I am using NoScript I'm seriously considering to 'switch' back to SE6 as the primary JDK and ignore SE7 for quite some time to come.
IMO Oracle, as always, does an excellent job in ruining the whole thing.
Bye Bye Java
I'm really not sure when I last visited a site that used Java. So I've just uninstalled Java completely and I'll find out if any sites I frequently visit require it. If they do I'll think about re-installing it, but hopefully I've just had my last dealings with it.
Re: Bye Bye Java
Yep, I did that about eighteen months ago- so far so good, and no Java updater constantly polling the network, yet weirdly failing to keep the install up to date, either :)
oracle seem determined to destroy every bit of IP they got from sun
In big sweeps or by attrition. They paid $7.4 billion, says wiki.
Stop clicking on links that promise you cheap Viagra, free coupons and gift cards.
This solution is so simple your nanna can use it.
HTF do you kill the auto-updater zombie thing?
in Windows 7 (its a work machine) I have tried the control-panel, java, updates, automatically check for updates - but it ignores you. Revisiting the updates tab shows the automatic updates as enabled, again. OK they don't install, but every time i reconnect the machine, java is there.
doesn't this seriously nix the entire concept of a sandbox? - i know they're supposed to work, but this lot are the first and foremost, and its never worked, and never will.
Re: HTF do you kill the auto-updater zombie thing?
Run the MSCONFIG utility and look at the startup processes....
An update available?
CERT is now pointing to "This issue is addressed in Java 7 Update 7."
"Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."
Strangely, I didn't have a Java 7 installed at all previously. Troglodyte that I am, by installing the update, aren't I regressing more?
Patch is out
Version 7 Update 7 is out. Oracle: "Problem? What problem?"
Ha! You deserve it!
And you laughed at me when I posted instructions to permanently delete Java off your home computer.
*engage smug mode*
A security "adviser", eh?
Sean Sullivan, a security adviser
who has never heard of reducing the attack surface, applying the principle of least privilege, or other basic concepts in security theory
at F-Secure, commented: "... There being no latest patch against this, the only solution is to totally disable Java."
Yes, there's no middle ground between "patch it" and "disable it entirely". Oh, except perhaps "don't let attackers run it automatically" - say with Firefox and NoScript, as has been mentioned approximately one million times in the forums here, and is no doubt well known to any "security adviser" worth his salt.
Really, why does the Reg feel the need to publish people like this? You couldn't find a comment from someone who was at least minimally competent?
Even if Sullivan were correct, his comment doesn't add anything to the article anyway. People who are capable of understanding updating and disabling Java are capable of figuring out that those are two of the ways the problem might be addressed. The Reg already publishes plenty of Java-bashing. Let's try to keep it to just the mildly interesting stuff, shall we?