Super-critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …

COMMENTS

This topic is closed for new posts.
  1. 6 inches long, handle.
    Happy

    "Write Once, Exploit Everywhere..."

    LOL!

    And that's the reason I read the Reg!

    1. RICHTO
      Mushroom

      Re: "Write Once, Exploit Everywhere..."

      Good that Windows doesn't ship with Java....

  2. Anonymous Coward
    Anonymous Coward

    > Mac OS X users who follow best practice and apply the latest version of software applications are more at risk of attack.

    Actually, Java 7 for OSX is only available as a developer preview directly from Oracle, so installing it is neither best practice nor something many users will do.

    1. WilfredS
      FAIL

      lousy checking...

      Java 7 is available for the Mac from Oracle, not as a developer preview, just a normal release since Java 7u4.

      It is just not provided by Apple or via Software Update, so unless you had a specific reason to download and install it you will stay on Java 6. Macs should thus be safe for almost all users.

  3. Destroy All Monsters Silver badge
    FAIL

    This is the sound of an enormous ball being dropped

    Unbreakable Larry? Where are you??

    1. Anonymous Coward
      Anonymous Coward

      Re: This is the sound of an enormous ball being dropped

      I think he's over there, balls deep in a mound of hundred dollar bills.

  4. Gerard Krupa
    Happy

    Chrome for Windows

    Oddly enough, there is a reported bug for Chrome on Windows that causes it to treat the latest version of the Java plugin as out-of-date and will only enable it on demand. Serendipity, thy name is Google.

  5. Anonymous Coward
    Anonymous Coward

    Oracle's Official Response.

    Security hole? Really, hold on.....

    Sorry, just spoke to the team and they can't be arsed to look....have you tried turning it off and back on again?

  6. Anonymous Coward
    Anonymous Coward

    giggle

    Java is the gift that just keeps giving.. "Inb4" the humourless and misguided souls who will write long boring screeds about how home users should have java enabled in their browsers, based on a website that they saw ten years ago.

    Maybe if I were Danish, it'd still be on my win7 machine, but restricted to certain sites, but otherwise, no thanks.

    (People with god-awful corporate intranet things that need it and so forth are another matter, but I assume they make work pony up for the machine and manage it for them- so not their problem).

  7. Len Goddard
    Devil

    Use firefox and noscript

    You can block the java plug-in (and other things) in firefox by using the noscript plugin then enable it on a temporary page-by-page or site-by-site basis if you really have to have java. You can even allow it on whitelisted sites if you feel brave.

    Not that it is that important for me ... I just checked my setup and discovered that as well as being blocked my java is at 1.6 anyway. Ho hum.

  8. Anonymous Coward
    Unhappy

    Damn you Oracle...

    Oracle has been the major force which made me seriously consider ditching Java. I already replaced MySQL with Postgres on all (2) office servers (internet servers running customer websites obviously can't be migrated "just like that") and I want to have as little to do with Oracle as possible.

    And here we are... I recently 'upgraded' to version 7 to get to know it better. Put differently: even though I keep both JDK SE6 and SE7 on my Win7 PC, I recently changed the path so that SE7 would come first, even though the SE6 JDK is favoured on my command line (even on Windows with NetBeans available I like to play on the command line too from time to time, backed up by Metapad).

    Although I am using NoScript, I'm seriously considering 'switching' back to SE6 as the primary JDK and ignoring SE7 for quite some time to come.

    IMO Oracle, as always, does an excellent job in ruining the whole thing.

  9. Slartybardfast

    Bye Bye Java

    I'm really not sure when I last visited a site that used Java. So I've just uninstalled Java completely and I'll find out if any sites I frequently visit require it. If they do I'll think about re-installing it, but hopefully I've just had my last dealings with it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bye Bye Java

      Yep, I did that about eighteen months ago- so far so good, and no Java updater constantly polling the network, yet weirdly failing to keep the install up to date, either :)

  10. BlueGreen

    Oracle seem determined to destroy every bit of IP they got from Sun

    In big sweeps or by attrition. They paid $7.4 billion, says wiki.

  11. Anonymous Coward
    Anonymous Coward

    Stop clicking on links that promise you cheap Viagra, free coupons and gift cards.

    This solution is so simple your nanna can use it.

  12. bonkers
    Thumb Down

    HTF do you kill the auto-updater zombie thing?

    In Windows 7 (it's a work machine) I have tried Control Panel, Java, Updates, "automatically check for updates", but it ignores you. Revisiting the Updates tab shows the automatic updates as enabled, again. OK, they don't install, but every time I reconnect the machine, Java is there.

    Doesn't this seriously nix the entire concept of a sandbox? I know they're supposed to work, but this lot are the first and foremost, and it's never worked, and never will.

    1. RICHTO
      Mushroom

      Re: HTF do you kill the auto-updater zombie thing?

      Run the MSCONFIG utility and look at the startup processes....

  13. Notas Badoff
    Meh

    An update available?

    CERT is now pointing to "This issue is addressed in Java 7 Update 7."

    http://www.oracle.com/technetwork/java/javase/downloads/jre7u7-downloads-1836441.html

    Tra-la...

    "Java 7 Update 07 is ready to install. Installing Java 7 Update 07 will uninstall the latest Java 6 from your system."

    Strangely, I didn't have a Java 7 installed at all previously. Troglodyte that I am, by installing the update, aren't I regressing more?

  14. EJ

    Patch is out

    Version 7 Update 7 is out. Oracle: "Problem? What problem?"

  15. Rod Ramrod

    Ha! You deserve it!

    And you laughed at me when I posted instructions to permanently delete Java off your home computer.

    *engage smug mode*

  16. Michael Wojcik Silver badge

    A security "adviser", eh?

    Sean Sullivan, a security adviser

    who has never heard of reducing the attack surface, applying the principle of least privilege, or other basic concepts in security theory

    at F-Secure, commented: "... There being no latest patch against this, the only solution is to totally disable Java."

    Yes, there's no middle ground between "patch it" and "disable it entirely". Oh, except perhaps "don't let attackers run it automatically" - say with Firefox and NoScript, as has been mentioned approximately one million times in the forums here, and is no doubt well known to any "security adviser" worth his salt.

    Really, why does the Reg feel the need to publish people like this? You couldn't find a comment from someone who was at least minimally competent?

    Even if Sullivan were correct, his comment doesn't add anything to the article anyway. People who are capable of understanding updating and disabling Java are capable of figuring out that those are two of the ways the problem might be addressed. The Reg already publishes plenty of Java-bashing. Let's try to keep it to just the mildly interesting stuff, shall we?
