Super-critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …

COMMENTS

This topic is closed for new posts.
Happy

"Write Once, Exploit Everywhere..."

LOL!

And that's the reason I read the Reg!

7
2
Bronze badge
Mushroom

Re: "Write Once, Exploit Everywhere..."

Good that Windows doesn't ship with Java....

0
2
Anonymous Coward

> Mac OS X users who follow best practice and apply the latest version of software applications are more at risk of attack.

Actually Java 7 for OSX is only available as a developer preview directly from Oracle so installing it is neither best practice nor something many users will do.

3
1
FAIL

lousy checking...

Java 7 is available for the Mac from Oracle, not as a developer preview, just a normal release since Java 7u4.

It is just not provided by Apple or via software update, so unless you had a specific reason to download and install you will stay on Java 6. Macs should thus be safe for almost all users.

0
0
Silver badge
FAIL

This is the sound of an enormous ball being dropped

Unbreakable Larry? Where are you??

6
0
Anonymous Coward

Re: This is the sound of an enormous ball being dropped

I think he's over there, balls deep in a mound of hundred dollar bills.

4
0
Happy

Chrome for Windows

Oddly enough there is a reported bug for Chrome on Windows that causes it to treat the latest version of the Java plugin as out-of-date and will only enable it on demand. Serendipity, thy name is Google.

4
0
Anonymous Coward

Oracle's Official Response.

Security hole? Really, hold on.....

Sorry, just spoke to the team and they can't be arsed to look....have you tried turning it off and back on again?

8
2
Anonymous Coward

giggle

Java is the gift that just keeps giving.. "Inb4" the humourless and misguided souls who will write long boring screeds about how home users should have Java enabled in their browsers, based on a website that they saw ten years ago.

Maybe if I were Danish, it'd still be on my win7 machine, but restricted to certain sites, but otherwise, no thanks.

(People with god-awful corporate intranet things that need it and so forth are another matter, but I assume they make work pony up for the machine and manage it for them- so not their problem).

3
4
Devil

Use Firefox and NoScript

You can block the Java plug-in (and other things) in Firefox by using the NoScript plugin then enable it on a temporary page-by-page or site-by-site basis if you really have to have Java. You can even allow it on whitelisted sites if you feel brave.

Not that it is that important for me ... I just checked my setup and discovered that as well as being blocked my Java is at 1.6 anyway. Ho hum.

9
1
Silver badge
Unhappy

Damn you Oracle...

Oracle has been the major force which made me seriously consider ditching Java. I already replaced MySQL with Postgres on all (2) office servers (internet servers running customer websites obviously can't be migrated "just like that") and I want to have as little to do with Oracle as possible.

And here we are... I recently 'upgraded' to version 7 to get to know it better. Put differently; even though I keep both JDK SE6 and SE7 on my Win7 PC I recently changed the path so that SE7 would come first, even though the SE6 JDK is favoured on my commandline (even on Windows with NetBeans available I like to play on the commandline too from time to time, backed up by Metapad).

Although I am using NoScript I'm seriously considering to 'switch' back to SE6 as the primary JDK and ignore SE7 for quite some time to come.

IMO Oracle, as always, does an excellent job in ruining the whole thing.

1
0

Bye Bye Java

I'm really not sure when I last visited a site that used Java. So I've just uninstalled Java completely and I'll find out if any sites I frequently visit require it. If they do I'll think about re-installing it, but hopefully I've just had my last dealings with it.

3
1
Anonymous Coward

Re: Bye Bye Java

Yep, I did that about eighteen months ago- so far so good, and no Java updater constantly polling the network, yet weirdly failing to keep the install up to date, either :)

2
2
Silver badge

Oracle seem determined to destroy every bit of IP they got from Sun

In big sweeps or by attrition. They paid $7.4 billion, says wiki.

2
0
Anonymous Coward

Stop clicking on links that promise you cheap Viagra, free coupons and gift cards.

This solution is so simple your nanna can use it.

0
4
Thumb Down

HTF do you kill the auto-updater zombie thing?

In Windows 7 (it's a work machine) I have tried the control-panel, Java, updates, automatically check for updates - but it ignores you. Revisiting the updates tab shows the automatic updates as enabled, again. OK they don't install, but every time I reconnect the machine, Java is there.

Doesn't this seriously nix the entire concept of a sandbox? - I know they're supposed to work, but this lot are the first and foremost, and it's never worked, and never will.

0
0
Bronze badge
Mushroom

Re: HTF do you kill the auto-updater zombie thing?

Run the MSCONFIG utility and look at the startup processes....

1
0
Meh

An update available?

CERT is now pointing to "This issue is addressed in Java 7 Update 7."

http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html

Tra-la...

"Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."

Strangely, I didn't have a Java 7 installed at all previously. Troglodyte that I am, by installing the update, aren't I regressing more?

0
0
EJ

Patch is out

Version 7 Update 7 is out. Oracle: "Problem? What problem?"

0
0

Ha! You deserve it!

And you laughed at me when I posted instructions to permanently delete Java off your home computer.

*engage smug mode*

0
1
Silver badge

A security "adviser", eh?

Sean Sullivan, a security adviser

who has never heard of reducing the attack surface, applying the principle of least privilege, or other basic concepts in security theory

at F-Secure, commented: "... There being no latest patch against this, the only solution is to totally disable Java."

Yes, there's no middle ground between "patch it" and "disable it entirely". Oh, except perhaps "don't let attackers run it automatically" - say with Firefox and NoScript, as has been mentioned approximately one million times in the forums here, and is no doubt well known to any "security adviser" worth his salt.

Really, why does the Reg feel the need to publish people like this? You couldn't find a comment from someone who was at least minimally competent?

Even if Sullivan were correct, his comment doesn't add anything to the article anyway. People who are capable of understanding updating and disabling Java are capable of figuring out that those are two of the ways the problem might be addressed. The Reg already publishes plenty of Java-bashing. Let's try to keep it to just the mildly interesting stuff, shall we?

0
0