Oracle rushes out patch for critical 0-day Java exploit

In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits. "Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," Eric …

COMMENTS

This topic is closed for new posts.
  1. nuked

    Credit where credit is due...

    ... I suppose. Nice to see them break the schedule.

    1. Ilgaz

      Re: Credit where credit is due...

      They seem to understand the degree of vulnerability finally.

      A USA government-backed organisation, CERT, could not get a word from them just 24 hours ago and (I suppose) had to suggest removing Java functionality from the desktop browser. Instructions (thanks to Win) were way too complex, so a lot of people ended up removing Java for good.

      If they are serious, they should hire a real Win developer who will code a real installer. Ask any Win admin: they are using MSI in the most basic and stupid way possible, ignoring the built-in Win scheduler that can even automate security updates (for all users, not just admin) and ignoring patching possibilities.

      Apple actually works with such people and does all of the above with their "Software Update" on Win.

      1. Anonymous Coward

        Re: Credit where credit is due...

        There is no 64-bit auto-update function on Windows yet. AFAIK a bug about it was filed in 2006 and never fixed.

    2. Dan 55

      Re: Credit where credit is due...

      It's not a realistic schedule. You can't have security updates once every four months when the software includes a browser plug-in and is therefore under constant attack.

  2. vic 4

    Does this leave java 6 intact?

    Don't have access to a Windows machine (on holiday!). Does this update insist on removing Java 6 as part of the update on Windows, like the last update that went out?

    1. Destroy All Monsters

      Re: Does this leave java 6 intact?

      Dunno, but at the download page you can get JRE or JDK 7.7 or 6.35. The choice be yours!

    2. Notas Badoff

      Re: Does this leave java 6 intact?

      "Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."

    3. This post has been deleted by its author

      1. Anonymous Coward

        Re: Does this leave java 6 intact?

        > Why would Java 6 count as secure just because it doesn't have a single zero day vulnerability?

        Why do people assume that every piece of legacy software you use will work with the latest version?

        I'm not the OP but various tools I have to use require Java 6, so like the OP I want to know whether this will remove Java 6 and thus break those legacy tools or leave it intact. I do not believe that Java 6 is more secure, in fact I believe Java 6 is probably more insecure, but since I must use it for a couple of tools, I do.

        1. Ilgaz

          Re: Does this leave java 6 intact?

          I took my time to explain to him and others how to keep Java 6 or any virtual machine self-contained in the app directory so nothing can touch it.

          Mistake. Post removed.

  3. This post has been deleted by its author

    1. Anonymous Coward

      Re: looking forward

      Oracle has taken over providing the VM for Mac OS, so the update is already available.

      1. Dan 55

        Re: looking forward

        Only for Java 7 which is for Lion and above. Those of us on Java 6 on previous operating systems can go and whistle (to Apple).

        Still, at least it's easier to disable Java in the browser on the Mac; the option is staring you in the face as soon as you open the Java options.

  4. Destroy All Monsters

    At the blog, we read:

    "Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments..."

    Doesn't this mean that the remote exploit would only sometimes be effective?

    1. Ilgaz

      They assume the user actually listened to the OS vendor & sane people and...

      1) doesn't run as administrator

      2) at least has UAC turned on

      3) at least reads what UAC says before a web page visit results in a password prompt!

      They are overly optimistic about the person between screen and chair.

  5. Richard Boyce

    Abuse of browser

    I need Java for applications, but I don't need it for browsing the web and therefore, for security, disable it in my browsers. However, Oracle has other ideas and enables Java in your browser again (at least with Firefox and Internet Explorer) when you do an update, without asking for permission. When it comes to security, it can be hard to tell the good guys from the bad guys sometimes.

    A while back, Mozilla put in some defences against this kind of abuse, at least with ordinary add-ons, but they clearly did not go far enough. We need the ability to remove all add-ons and plug-ins without having to edit the registry, etc., and Mozilla should entirely prevent the activation of add-ons and plug-ins without explicit permission.

    1. Anonymous Coward

      Re: Abuse of browser

      > When it comes to security, it can be hard to tell the good guys from the bad guys sometimes.

      Bundling ask.com crapware into the installer makes them look even dodgier. It's easy to deselect, but it still looks massively unprofessional.

  6. Shannon Jacobs

    Not accessible from the browser? (Firefox)

    Usually the Java updates announce themselves, but so far this one hasn't. Sometimes I have triggered it manually by using the plugin updates from my browser (usually Firefox). So far neither of those update paths seems to be working, and I don't trust the Oracle website enough for a more manual approach...

    When I run the update check for the plugins, it shows three Java-related plugins. However, there is no option to update any of them. Instead, the only option it is currently offering is to disable them. If I do that, I suspect my computer will be at least partially crippled, even more than it currently is (partly by my security software).

    Should I wait for the update to appear? Should I disable? If I disable, will that also disable the update when it does appear?

    In conclusion, I always hated Oracle, and now I hate them more and with better reason. If I knew that a website or company was using Oracle products, I would count that as a strong reason to avoid that website or to avoid doing ANY business with that company.

    Way to go, Oracle. How's that purchase of Sun working out for you? It's certainly screwing with the rest of us.

    1. Test Man

      Re: Not accessible from the browser? (Firefox)

      On Windows? Just use the Control Panel applet.

      On any OS? Just download the update from Oracle's website (http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html).

      It really isn't hard.

  7. Christian Berger

    Didn't they already claim that Java was dead?

    Pardon me, how else do you interpret "Java is not the new Cobol"?

    http://www.theregister.co.uk/2012/03/07/oracle_java_9_10_roadmap/

    Nobody writes new Java applets for websites, as JavaScript can do the same now without the obvious disadvantages. And that "Java is not the new Cobol" statement probably held off quite a few new deployments in the server/backend area where Java was considered as a replacement for aging Cobol code.

    1. Anonymous Coward

      @Christian Berger

      'Pardon me, how else do you interpret "Java is not the new Cobol"?'

      As a meaningless piece of self-advertisement and/or pseudo-punditry. Its meaninglessness is triumphantly multidimensional.

      1. ByeLaw101

        Re: @Christian Berger

        Wow.. you took the words straight out of my mouth... except I would be lucky to get above one syllable! ;)

  8. xyz

    It's off...

    ...any of my machines and it's staying off. End of.

  9. Anonymous Coward

    Who uses Java in the browser anyway?

    I've had Java disabled in the browser for years and haven't encountered any problems.

    I still use it desktop side for apps like Adwords Editor.

    Why do we need it in the browser at all?

    1. Dan 55

      Re: Who uses Java in the browser anyway?

      Are you sure you've had it disabled for years in the browser(s)?

      See the comment above about it being re-enabled on every update.

    2. Anonymous Coward

      Re: Who uses Java in the browser anyway?

      Anyone whose agency requires it for critical applications including all financial transactions.

      Yeah, sucks to be me, and I'm only the helpdesk person.

  10. Kevin McMurtrie

    Not servers?

    One feature of Enterprise Edition Java web servers is multiple contexts. This is where multiple applications can run on a single server and JVM process, but in complete isolation. The advantage of this is greatly increased memory efficiency and simplified management. The disadvantage is increased complexity and the need for a Java Security Manager. From what I've read in the exploit sample code, servers running multiple contexts are vulnerable. Specifically, the big Enterprise Edition servers that big companies pay Oracle support for. A JSP file should be able to execute code outside of its context the same way an applet would. Distributed/cloud computing servers that execute sandboxed tasks from JAR files may be at risk as well.

  11. david 12

    Does anyone use Java 7?

    Last time I looked around our office, everybody using Java (for banking or network stuff) only had Java 6. Is this changing? Is it different for you?

    1. Anonymous Coward

      Re: Does anyone use Java 7?

      Same here.

      Actually, we're counting ourselves lucky to have been advanced to Java 6 in the last couple of months. For the whole three years I've been working here, one of the most critical financial apps was dependent on an unsupported version of Java 5. With the Sun site gone, I can no longer find the web link, but I think Sun had stopped supporting the specific version about 6 months before I started work.

      Same AC as the previous "sucks to be me" AC.
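The thread above is about which Java releases are actually deployed on office machines. As an added example (not from the article or any commenter), here is a small Python audit that parses constructed `java -version` output from a fleet and flags anything below the fixed levels named on this page, 7 Update 7 and 6 Update 35; any other major (such as the Java 5 mentioned above) is treated as unpatched. Hostnames and outputs are constructed sample data.

```python
import re

# Fixed update levels named on this page: JRE/JDK 7u7 and 6u35.
PATCHED_UPDATE = {7: 7, 6: 35}

# `java -version` prints e.g.  java version "1.7.0_06"  (on stderr).
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')


def parse_java_version(output):
    """Return (major, update) from `java -version` text, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(version):
    """True when the update number is at or above the fixed level for its major."""
    if version is None:
        return False
    major, update = version
    fixed = PATCHED_UPDATE.get(major)
    if fixed is None:
        return False  # unsupported major (e.g. Java 5): no fix exists, treat as unpatched
    return update >= fixed


def audit(outputs):
    """Map hostname -> patched flag for a dict of `java -version` outputs."""
    return {host: is_patched(parse_java_version(text)) for host, text in outputs.items()}


# Constructed sample fleet data (hypothetical hosts, not real systems).
SAMPLE_FLEET = {
    "ws01": 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    "ws02": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "ws03": 'java version "1.6.0_33"\nJava(TM) SE Runtime Environment (build 1.6.0_33-b03)',
    "ws04": 'java version "1.5.0_22"\nJava(TM) SE Runtime Environment (build 1.5.0_22-b03)',
    "ws05": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, ok in sorted(audit(SAMPLE_FLEET).items()):
        print(f"{host}: {'patched' if ok else 'UNPATCHED'}")
```

On a real host, feed the function the stderr of `java -version` (and the output of each separately installed JRE, since several can coexist).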

  12. Drew 11

    "Java 7 requires an Intel-based Mac running Mac OS X 10.7.3 (Lion) or later"

    So I'll leave it switched off, then, until Apple gets around to updating Java 6.

    If they don't, then that's the end of Java for me.

  13. Anonymous Coward

    3 times a year!? Java Update seems to have something new every week or so!
