Credit where credit is due...
... I suppose. Nice to see them break the schedule.
In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits. "Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," Eric …
... I suppose. Nice to see them break the schedule.
They seem to understand the degree of vulnerability finally.
A USA government backed organisation, CERT could not get a word from them just 24 hours ago and (I suppose) had to suggest removing Java functionality from desktop browser. Instructions (thanks to win) were way complex so a lot of people ended up removing Java for good.
If they are serious, they should hire a real win developer that will code a real installer. Ask any win admin, they are using MSI in most basic and stupid way possible, ignoring built in win scheduler that can even automate security updates (for all users, not just admin) and ignore patching possibilities.
Apple actually works with such people and does all above with their "software update" on win.
It's not a realistic schedule. You can't have security updates once every four months when the software includes a browser plug-in and therefore under constant attack.
There is no 64 biy autoupdate function on Windows yet. AFAIK a bug about it was filed in 2006 and never fixed.
Don't have access to a windows machine (on holiday!), does this update insist on removing java 6 as part of the update on windows like the last update that went out?
Dunno but at the download page you can get JRE or JDK 7.7 or 6.35. The choice be yours!
"Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."
> Why would Java 6 count as secure just because it doesn't have a single zero day vulnerability?
Why do people assume that every piece of legacy software you use will work with the latest version?
I'm not the OP but various tools I have to use require Java 6, so like the OP I want to know whether this will remove Java 6 and thus break those legacy tools or leave it intact. I do not believe that Java 6 is more secure, in fact I believe Java 6 is probably more insecure, but since I must use it for a couple of tools, I do.
I took my time to explain him and others how to keep Java 6 or any virtual machine self contained in app directory so nothing can touch it.
Mistake. Post removed.
Oracle has taken over providing the VM for Mac OS so the update is already available
Only for Java 7 which is for Lion and above. Those of us on Java 6 on previous operating systems can go and whistle (to Apple).
Still, at least it's easier to disable Java in the browser on the Mac, the option is staring you in the face as soon as you open the Java options.
At the blog, we read:
"Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-20120-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments---"
Doesn't this mean that the remote exploit would only sometimes effective?
They assume user actually listened to OS vendor& sane people and...
1) doesn't run as administrator
2) at least have UAC turned on
3) at least reads what UAC says before a web page visit results in password prompt!
They are overly optimistic about person between screen and chair.
I need Java for applications, but I don't need it for browsing the web and therefore, for security, disable it in my browsers. However, Oracle has other ideas and enables Java in your browser again (at least with Firefox and Internet Explorer) when you do an update, without asking for permission. When it comes to security, it can be hard to tell the good guys from the bad guys sometimes.
A while back, Mozilla put in some defences against this kind of abuse, at least with ordinary add-ons, but they clearly did not go far enough. We need the ability to remove all add-ons and plug-ins without having to edit the registry etc, and Mozilla should entirely prevent the activation of add-ons and plug-ins without explicit permission.
> When it comes to security, it can be hard to tell the good guys from the bad guys sometimes.
Bundling ask.com crapware into the installer makes them look even dodgier. It's easy to deselect, but it still looks massively unprofessional.
Usually the Java updates announce themselves, but so far this one hasn't. Sometimes I have triggered it manually by using the plugin updates from my browser (usually Firefox). So far neither of those update paths seems to be working, and I don't trust the Oracle website enough for a more manual approach...
When I run the update check for the plugins, it shows three Java-related plugins. However, there is no option to update any of them. Instead, the only option it is current offering is to disable them. If I do that, I suspect my computer will be at least partially crippled, even more than it currently is (partly by my security software).
Should I wait for the update to appear? Should I disable? If I disable, will that also disable the update when it does appear?
In conclusion, I always hated Oracle, and now I hate them more and with better reason. If I knew that a website or company was using Oracle products, I would count that as a strong reason to avoid that website or to avoid doing ANY business with that company.
Way to go, Oracle. How's that purchase of Sun working out for you? It's certainly screwing with the rest of us.
On Windows? Just use the Control Panel applet.
On any OS? Just download the update from Oracle's website (http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html).
It really isn't hard.
Pardon me, how else do you interpret "Java is not the new Cobol"?
Nobody writes new Java applets for websites as Java-Script can do the same now without the obvious disadvantages. And that "Java is not the new Cobol" statement probably held off quite a few new deployments in the server/backend area where Java was considered as a replacement for aging Cobol code.
'Pardon me, how else do you interpret "Java is not the new Cobol"?'
As a meaningless piece of self-advertisement and/or pseudo-punditry. Its meaninglessness is triumphantly multidimensional.
Wow.. you took the words straight out of my mouth... except I would be lucky to get above one syllable! ;)
...any of my machines and it's staying off. End of.
I've had Java disabled in the browser for years and haven't encountered any problems.
I still use it desktop side for apps like Adwords Editor.
Why do we need it in the browser at all?
Are you sure you've had it disabled for years in the browser(s)?
See the comment above about it being re-enabled on every update.
Anyone whose agency requires it for critical applications including all financial transactions.
Yeah, sucks to be me, and I'm only the helpdesk person.
One feature of Enterprise Edition Java web servers is multiple contexts. This is where multiple applications can run on a single server and JVM process but in complete isolation. The advantage of this is greatly increased memory efficiency and simplified management. The disadvantage is increased complexity and the need for a Java Security Manager. From what I've read in the exploit sample code, servers running multiple contexts are vulnerable. Specifically, the big Enterprise Edition servers that big companies pay Oracle support for. A JSP file should be able to execute code outside of its context the same way an applet would. Distributed/Cloud computing servers that execute sandboxed tasks from JAR file may be at risk as well.
Last time I looked around our office, everybody using Java (for banking or network stuff) only had Java 6. Is this changing? Is it different for you?
Actually, we're counting ourselves lucky to have been advanced to Java 6 in the last couple of months. For the whole three years I've been working here, one of the most critical financial apps was dependent on an unsupported version of Java 5. With the Sun site gone, I can no longer find the web link, but I think Sun had stopped supporting the specific version about 6 months before I started work.
Same AC as the previous 'sucks to be be" AC.
"Java 7 requires an Intel-based Mac running Mac OS X 10.7.3 (Lion) or later''
So I'll leave it switched off, then, until Apple gets around to updating Java 6.
If they don't, then that's the end of Java for me.
3 times a year!? Java update seems to have something new every week or so!